Incorrect Default Permissions
Weakness ID: 276 (Weakness Variant) | Status: Draft
+ Description

Description Summary

The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Installation
  • Operation
+ Applicable Platforms

Languages

All

+ Likelihood of Exploit

Medium

+ Observed Examples
Reference | Description
CVE-2005-1941 | Executables installed world-writable.
CVE-2002-1713 | Home directories installed world-readable.
CVE-2001-1550 | World-writable log files allow information loss; world-readable file has cleartext passwords.
CVE-2002-1711 | World-readable directory.
CVE-2002-1844 | Windows product uses insecure permissions when installing on Solaris (genesis: port error).
CVE-2001-0497 | Insecure permissions for a shared secret key file. Overlaps cryptographic problem.
CVE-1999-0426 | Default permissions of a device allow IP spoofing.
+ Potential Mitigations

Very carefully manage the setting, management and handling of permissions. Explicitly manage trust zones in the software.

Phase: Architecture and Design

Ensure that appropriate compartmentalization is built into the system design and that the compartmentalization serves to allow for and further reinforce privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide when it is appropriate to use and to drop system privileges.
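The mitigation above, and the FIO06-C mapping this entry carries, come down to one rule at file-creation time: ask for the least mode explicitly instead of letting the process umask decide. The following C program is an added example, not part of the CWE entry or of any product it cites. It pairs the insecure pattern (fopen() with the default 0666 request, which becomes world-writable under a permissive umask) with the hardened one (open() requesting 0600 with O_EXCL), then shows the post-install check and the chmod remediation an installer or package audit would run. The PERM_* constants, the function names and the /tmp paths are assumptions made for this example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Audit result bits (encoding assumed for this example). */
#define PERM_WORLD_WRITABLE 0x1
#define PERM_WORLD_READABLE 0x2

/*
 * Insecure pattern: fopen() requests 0666 and relies on the umask to trim it.
 * When the installer runs with a permissive umask (umask 000 is common in
 * packaging and container build environments), the file lands world-writable,
 * the same class of bug as the world-writable executables in CVE-2005-1941.
 */
int create_file_insecure(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("db_password=example\n", f);   /* constructed sample content */
    return fclose(f) == 0 ? 0 : -1;
}

/*
 * Hardened pattern (CERT FIO06-C): request the least mode explicitly.
 * umask can only clear bits, so 0600 stays 0600 whatever the caller's umask
 * is. O_EXCL refuses to reuse a file or symlink that another user may have
 * planted at the path before installation.
 */
int create_file_secure(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    const char msg[] = "db_password=example\n"; /* constructed sample content */
    ssize_t n = write(fd, msg, sizeof msg - 1);
    if (close(fd) != 0 || n != (ssize_t)(sizeof msg - 1))
        return -1;
    return 0;
}

/*
 * Post-install check: report whether "other" can read or write the object.
 * lstat() judges a symlink by its own mode, not by its target's.
 * Returns a PERM_* bitmask, or -1 if the path cannot be examined.
 */
int audit_world_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    int issues = 0;
    if (st.st_mode & S_IWOTH)
        issues |= PERM_WORLD_WRITABLE;
    if (st.st_mode & S_IROTH)
        issues |= PERM_WORLD_READABLE;
    return issues;
}

/*
 * Remediation for an already-installed object: clear every "other" bit
 * (read, write, execute) and leave the owner and group bits untouched.
 * Symlinks are refused because chmod() would follow them to the target.
 * Returns 0 on success, -1 on failure.
 */
int strip_world_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
        return -1;
    mode_t wanted = (st.st_mode & ~(mode_t)S_IRWXO) & 07777;
    return chmod(path, wanted) == 0 ? 0 : -1;
}

int main(void)
{
    char bad[64], good[64];
    snprintf(bad, sizeof bad, "/tmp/cwe276_insecure_%ld", (long)getpid());
    snprintf(good, sizeof good, "/tmp/cwe276_secure_%ld", (long)getpid());

    umask(0);   /* simulate the permissive installer environment */

    create_file_insecure(bad);
    create_file_secure(good);
    printf("%s: world bits = %d\n", bad, audit_world_bits(bad));    /* 3 */
    printf("%s: world bits = %d\n", good, audit_world_bits(good));  /* 0 */
    strip_world_bits(bad);
    printf("%s after chmod: world bits = %d\n", bad, audit_world_bits(bad)); /* 0 */

    unlink(bad);
    unlink(good);
    return 0;
}
```

Two points the code makes that the prose does not: the hardened path needs no umask() call at all, because requesting 0600 already bounds what any umask can leave behind, and the remediation deliberately refuses symlinks, since chmod() through an attacker-controlled link would change the mode of whatever the link points at.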

+ Weakness Ordinalities
Ordinality | Description
Primary | (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 275 | Permission Issues | Development Concepts (primary) [view 699]
ChildOf | Weakness Class | 732 | Incorrect Permission Assignment for Critical Resource | Research Concepts (primary) [view 1000]
ChildOf | Category | 743 | CERT C Secure Coding Section 09 - Input Output (FIO) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) [view 734]
+ Causal Nature

Implicit

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Insecure Default Permissions
CERT C Secure Coding | FIO06-C | | Create files with appropriate access permissions
+ Related Attack Patterns
CAPEC-ID | Attack Pattern Name (CAPEC Version: 1.4)
1 | Accessing Functionality Not Properly Constrained by ACLs
19 | Embedding Scripts within Scripts
81 | Web Logs Tampering
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Summary
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings, Weakness Ordinalities
2008-11-24 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Name
Previous Entry Names
Change Date | Previous Entry Name
2009-05-27 | Insecure Default Permissions