The product does not sufficiently compartmentalize functionality or processes that require different privilege levels, rights, or permissions.
Extended Description
When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.
Alternate Terms
Separation of Privilege:
Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. This node conflicts with the original definition of "Separation of Privilege" by Saltzer and Schroeder; that original definition is more closely associated with CWE-654. Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged.
Terminology Notes
The term "Separation of Privilege" is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
All
Common Consequences
Scope
Effect
Access Control
Technical Impact: Gain privileges / assume
identity; Bypass protection
mechanism
The exploitation of a weakness in low-privileged areas of the software
can be leveraged to reach higher-privileged areas without having to
overcome any additional obstacles.
Demonstrative Examples
Example 1
Single sign-on technology is intended to make it easier for users to
access multiple resources or domains without having to authenticate each
time. While this is highly convenient for the user and attempts to address
problems with psychological acceptability, it also means that a compromise
of a user's credentials can provide immediate access to all other resources
or domains.
Example 2
The traditional UNIX privilege model provides root with arbitrary
access to all resources, but root is frequently the only user that has
privileges. As a result, administrative tasks require root privileges, even
if those tasks are limited to a small area, such as updating user man pages.
Some UNIX flavors have a "bin" user that is the owner of system executables,
but since root relies on executables owned by bin, a compromise of the bin
account can be leveraged for root privileges by modifying a bin-owned
executable, such as CVE-2007-4238.
Potential Mitigations
Break up privileges between different modules, objects or entities.
Minimize the interfaces between modules and require strong access
control between them.
Weakness Ordinalities
Ordinality
Description
Primary
(where
the weakness exists independent of other weaknesses)
There is a close association with CWE-250 (Execution with Unnecessary Privileges). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.
Description
