Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types


CWE-276: Incorrect Default Permissions

Weakness ID: 276 (Weakness Variant)
Status: Draft
+ Description

Description Summary

The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Installation
  • Operation
+ Applicable Platforms



+ Common Consequences

Technical Impact: Read application data; Modify application data

+ Likelihood of Exploit


+ Observed Examples
  • Executables installed world-writable.
  • Home directories installed world-readable.
  • World-writable log files allow information loss; world-readable file has cleartext passwords.
  • World-readable directory.
  • Windows product uses insecure permissions when installing on Solaris (genesis: port error).
  • Insecure permissions for a shared secret key file. Overlaps cryptographic problem.
  • Default permissions of a device allow IP spoofing.
+ Potential Mitigations

Phases: Architecture and Design; Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Strategy: Separation of Privilege

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
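The CERT FIO06-C mapping listed under Taxonomy Mappings ("Create files with appropriate access permissions") and the "world-writable log files" observed example, as an added C example that is not part of the CWE entry: the umask-dependent fopen() creation beside an explicit-mode open(), plus a post-install check for group/other access bits. It assumes a POSIX system and uses a constructed scratch directory under /tmp that it removes afterwards.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fopen() creates with mode 0666 masked only by the process
 * umask, so an installer running with umask 000 leaves the file
 * world-writable (the "world-writable log files" observed example). */
FILE *create_file_insecure(const char *path) {
    return fopen(path, "w");
}

/* Hardened pattern (CERT FIO06-C): request exactly the bits needed at
 * creation, independent of the umask, and fail instead of reusing a
 * pre-existing path that another user may have planted. */
int create_file_owner_only(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Post-install check: 1 if group or other has any access bit set,
 * 0 if the file is owner-only, -1 if it cannot be stat'ed. */
int file_exposed_to_others(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Demo: with umask 000, create one file each way in a constructed scratch
 * directory (removed afterwards) and return weak*2 + strong; expected 2,
 * i.e. only the fopen() file is exposed. Returns -1 if setup fails. */
int demo_exposure_code(void) {
    char dir[] = "/tmp/cwe276-XXXXXX", weak[64], strong[64];
    if (mkdtemp(dir) == NULL) return -1;
    umask(0);  /* simulate an installer running with a permissive umask */
    snprintf(weak, sizeof weak, "%s/install.log", dir);
    snprintf(strong, sizeof strong, "%s/secret.key", dir);
    FILE *f = create_file_insecure(weak);
    int fd = create_file_owner_only(strong);
    if (f != NULL) fclose(f);
    if (fd >= 0) close(fd);
    int w = file_exposed_to_others(weak), s = file_exposed_to_others(strong);
    unlink(weak); unlink(strong); rmdir(dir);
    return (w < 0 || s < 0) ? -1 : w * 2 + s;
}

int main(void) {
    printf("exposure code: %d (2 = only the fopen() file is exposed)\n", demo_exposure_code());
    return 0;
}
```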

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to | View ID
ChildOf | Category | 275 | Permission Issues | Development Concepts (primary) | 699
ChildOf | Weakness Class | 732 | Incorrect Permission Assignment for Critical Resource | Research Concepts (primary) | 1000
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) | 734
ChildOf | Category | 857 | CERT Java Secure Coding Section 12 - Input Output (FIO) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) | 844
ChildOf | Category | 877 | CERT C++ Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C++ Secure Coding Standard (primary) | 868
ChildOf | Category | 899 | SFP Cluster: Access Control | Software Fault Pattern (SFP) Clusters (primary) | 888
+ Causal Nature


+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Insecure Default Permissions
CERT C Secure Coding | FIO06-C | | Create files with appropriate access permissions
CERT Java Secure Coding | FIO01-J | | Create files with appropriate access permission
CERT C++ Secure Coding | FIO06-CPP | | Create files with appropriate access permissions
+ References
[REF-7] Mark Dowd, John McDonald and Justin Schuh. "The Art of Software Security Assessment". Chapter 3, "Insecure Defaults", Page 69. 1st Edition. Addison Wesley. 2006.
+ Content History
Submission Date | Submitter | Organization | Source
Externally Mined
Modification Date | Modifier | Organization | Source
updated Time_of_Introduction
updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities
updated Relationships, Taxonomy_Mappings
updated Description, Name
updated Common_Consequences, Relationships, Taxonomy_Mappings
updated Relationships, Taxonomy_Mappings
updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
updated Potential_Mitigations
Previous Entry Names
Change Date | Previous Entry Name
2009-05-27 | Insecure Default Permissions
Page Last Updated: June 23, 2014