The product does not sufficiently compartmentalize
functionality or processes that require different privilege levels, rights, or
permissions.
Extended Description
When a weakness exists in functionality that is reachable by lower-privileged
users, and no strong boundary separates that functionality from the rest of the
system, an attack on it can extend the damage to functionality or data that
should be reserved for higher-privileged users.
Alternate Terms
Separation of Privilege:
Some people and publications use the term "Separation of Privilege" to
describe this weakness, but this term has dual meanings in current
usage. This node conflicts with the original definition of "Separation
of Privilege" by Saltzer and Schroeder; that original definition is more
closely associated with CWE-654. Because there are multiple
interpretations, use of the "Separation of Privilege" term is
discouraged.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Common Consequences
Scope: Confidentiality, Integrity, Availability
Effect: The exploitation of a weakness in low-privileged areas of the software
can be leveraged to reach higher-privileged areas without having to
overcome any additional obstacles.
Demonstrative Examples
Example 1
Single sign-on technology is intended to make it easier for users to
access multiple resources or domains without having to authenticate each
time. While this is highly convenient for the user and attempts to address
problems with psychological acceptability, it also means that a compromise
of a user's credentials can provide immediate access to all other resources
or domains.
Example 2
The traditional UNIX privilege model provides root with arbitrary
access to all resources, but root is frequently the only user that has
privileges. As a result, administrative tasks require root privileges, even
if those tasks are limited to a small area, such as updating user man pages.
Some UNIX flavors have a "bin" user that is the owner of system executables,
but since root relies on executables owned by bin, a compromise of the bin
account can be leveraged for root privileges by modifying a bin-owned
executable; CVE-2007-4238 is one such case.
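The check a practitioner would want for the situation above is: which executables that the privileged account runs could a less-privileged principal replace? The following is an added example, not part of the CWE entry; it audits one directory for regular executables that are owned by someone other than the expected owner or that are group- or world-writable. The demo tree, its file names and the trusted owner passed in are constructed for the example.

```python
"""Added example (not from the CWE entry): flag executables in a directory that a
principal other than the trusted owner could modify. Demo tree is constructed."""
import os
import pwd
import stat
import tempfile


def _owner_name(uid):
    """Username for a uid, falling back to the number if there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_user():
    return _owner_name(os.getuid())


def find_risky_executables(directory, trusted_owner):
    """Return (path, reason) for every regular executable in `directory` that a
    principal other than `trusted_owner` can replace: wrong owner, or a mode that
    lets the group or the world write to it. Symlinks are skipped, not followed;
    a link into an attacker-controlled location needs a separate check."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
            continue  # only regular, executable files are of interest here
        reasons = []
        owner = _owner_name(st.st_uid)
        if owner != trusted_owner:
            reasons.append(f"owned by {owner}, not {trusted_owner}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group- or world-writable")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


def risky_names(directory, trusted_owner):
    """Basenames of flagged executables, sorted, for easy checking."""
    return sorted(os.path.basename(p)
                  for p, _ in find_risky_executables(directory, trusted_owner))


def build_demo_tree():
    """Constructed stand-in for a system bin directory (hypothetical file names)."""
    d = tempfile.mkdtemp(prefix="cwe653-")
    for name, mode in (
        ("ok-tool", 0o755),               # owner-writable only: fine
        ("group-writable-tool", 0o775),   # any group member could replace it
        ("world-writable-tool", 0o777),   # anyone could replace it
        ("notes.txt", 0o666),             # writable but not executable: ignored
    ):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, reason in find_risky_executables(demo, current_user()):
        print(f"{path}: {reason}")
```

On a real host the directory would be one root actually executes from and the trusted owner would be `root`; every hit is a path by which a compromise of a lesser account becomes a compromise of root, which is exactly the bin-to-root escalation the example describes.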
Potential Mitigations
Phase
Description
Break up privileges between different modules, objects or entities.
Minimize the interfaces between modules and require strong access
control between them.
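The mitigation above, separate modules with a minimal and access-controlled interface between them, is the privilege-separation pattern used by daemons such as OpenSSH. The following is an added example, not code from the CWE entry or from any project: a privileged monitor holds the secret and the user database and exposes exactly two operations over a length-prefixed message channel, while the worker that parses untrusted input sits on the other end and can only ask. The key, the user record and the operation names are constructed for the demo.

```python
"""Added example (not from the CWE entry): privilege separation with a narrow,
allowlisted interface between a privileged monitor and an unprivileged worker.
Key, user database and operation names are constructed for the demo."""
import hashlib
import hmac
import json
import socket
import struct
import threading

SECRET_KEY = b"constructed-demo-key"                # lives only in the monitor
USERS = {"alice": "correct horse battery staple"}  # constructed user database
ALLOWED_OPS = ("check_password", "sign_token")     # the entire interface
MAX_MSG = 4096                                     # hostile worker cannot force big reads


def send_msg(sock, obj):
    """Length-prefixed JSON: the only thing that crosses the privilege boundary."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def recv_msg(sock):
    """Decoded message, or None on EOF, oversized or malformed input."""
    hdr = _recv_exact(sock, 4)
    if hdr is None:
        return None
    (length,) = struct.unpack("!I", hdr)
    if length > MAX_MSG:
        return None
    body = _recv_exact(sock, length)
    try:
        return None if body is None else json.loads(body.decode())
    except ValueError:
        return None


def expected_token(user, key=SECRET_KEY):
    """Tag bound to the user name; the worker receives this, never the key."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()


class Monitor:
    """Privileged side: allowlisted operations plus state enforcement, so a
    compromised worker obtains nothing it was not already entitled to."""

    def __init__(self, users=USERS, key=SECRET_KEY):
        self.users, self.key = users, key
        self.authenticated = None

    def handle(self, req):
        op = req.get("op") if isinstance(req, dict) else None
        if op not in ALLOWED_OPS:
            return {"ok": False, "error": "operation not permitted"}
        if op == "check_password":
            user, pw = req.get("user"), req.get("password")
            stored = self.users.get(user) if isinstance(user, str) else None
            if (stored is not None and isinstance(pw, str)
                    and hmac.compare_digest(stored.encode(), pw.encode())):
                self.authenticated = user
                return {"ok": True}
            return {"ok": False, "error": "bad credentials"}
        # op == "sign_token": only after a successful check, only for that user
        if self.authenticated is None:
            return {"ok": False, "error": "not authenticated"}
        return {"ok": True, "user": self.authenticated,
                "token": expected_token(self.authenticated, self.key)}

    def serve(self, sock):
        while True:
            req = recv_msg(sock)
            if req is None:
                break
            send_msg(sock, self.handle(req))
        sock.close()


def run_session(requests):
    """Play the worker's side over a socketpair and collect the monitor's replies.
    In a real daemon the two ends live in separate processes, the worker running
    as an unprivileged uid inside a chroot or namespace."""
    worker_end, monitor_end = socket.socketpair()
    threading.Thread(target=Monitor().serve, args=(monitor_end,), daemon=True).start()
    replies = []
    for req in requests:
        send_msg(worker_end, req)
        replies.append(recv_msg(worker_end))
    worker_end.close()
    return replies
```

Calling `run_session` with a `sign_token` request before any `check_password`, or with an operation such as `read_file` that the interface does not offer, returns a refusal; only after a correct password does the monitor hand back a token, and even then only one bound to the authenticated name. A worker compromised through its input parser is therefore confined to what the monitor's state machine already allowed it, which is the boundary the mitigation calls for.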
Other Notes
The term "Separation of Privilege" is used in several different ways in
the industry, but they generally combine two closely related principles:
compartmentalization (this node) and using only one factor in a security
decision (CWE-654). Proper compartmentalization implicitly introduces
multiple factors into a security decision, but there can be cases in which
multiple factors are required for authentication or other mechanisms that do
not involve compartmentalization, such as performing all required checks on
a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke
further discussion.
There is a close association with CWE-250 (Failure to Use Least
Privilege). CWE-653 is about providing separate components for each
privilege; CWE-250 is about ensuring that each component has the least
amount of privileges possible. In this fashion, compartmentalization becomes
one mechanism for reducing privileges.
Weakness Ordinalities
Primary: the weakness exists independent of other weaknesses.