During installation, installed file permissions are set to allow anyone to modify those files.
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| ChildOf | Allowed-with-Review | C | 732 | Incorrect Permission Assignment for Critical Resource |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | BS | BOSS-273 | Medium likelihood of exploit |
| MemberOf | Prohibited | BS | BOSS-280 | Separation of Privilege Strategy |
| MemberOf | Prohibited | BS | BOSS-294 | Not Language-Specific Weaknesses |
| MemberOf | Prohibited | BS | BOSS-305 | ICS/OT (technology class) Weaknesses |
| MemberOf | Prohibited | BS | BOSS-307 | Not Technology-Specific (technology class) Weaknesses |
| MemberOf | Prohibited | BS | BOSS-318 | Modify Application Data (impact) |
| MemberOf | Prohibited | BS | BOSS-328 | Read Application Data (impact) |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1011 | Authorize Actors |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1147 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO) |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1198 | Privilege Separation and Access Control Issues |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1345 | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1366 | ICS Communications: Frail Security in Protocols |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1376 | ICS Engineering (Construction/Deployment): Security Gaps in Commissioning |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 275 | Permission Issues |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 946 | SFP Secondary Cluster: Insecure Resource Permissions |
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| ConfidentialityIntegrity | N/A | Read Application DataModify Application Data | N/A |
The architecture needs to access and modification attributes for files to only those users who actually require those actions.
Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
N/A
N/A
N/A
N/A
| Reference | Description |
|---|---|
| CVE-2005-1941 | Executables installed world-writable. |
| CVE-2002-1713 | Home directories installed world-readable. |
| CVE-2001-1550 | World-writable log files allow information loss; world-readable file has cleartext passwords. |
| CVE-2002-1711 | World-readable directory. |
| CVE-2002-1844 | Windows product uses insecure permissions when installing on Solaris (genesis: port error). |
| CVE-2001-0497 | Insecure permissions for a shared secret key file. Overlaps cryptographic problem. |
| CVE-1999-0426 | Default permissions of a device allow IP spoofing. |
| Ordinality | Description |
|---|---|
| Primary | N/A |
According to SOAR, the following detection techniques may be useful:
``` Cost effective for partial coverage: ```
Inter-application Flow Analysis
N/A
According to SOAR, the following detection techniques may be useful:
``` Cost effective for partial coverage: ```
Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
N/A
According to SOAR, the following detection techniques may be useful:
``` Cost effective for partial coverage: ```
Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria Web Application Scanner Web Services Scanner Database Scanners
N/A
According to SOAR, the following detection techniques may be useful:
``` Highly cost effective: ```
Host Application Interface Scanner ``` Cost effective for partial coverage: ```
Fuzz Tester Framework-based Fuzzer Automated Monitored Execution Forced Path Execution
N/A
According to SOAR, the following detection techniques may be useful:
``` Highly cost effective: ```
Manual Source Code Review (not inspections) ``` Cost effective for partial coverage: ```
Focused Manual Spotcheck - Focused manual analysis of source
N/A
According to SOAR, the following detection techniques may be useful:
``` Cost effective for partial coverage: ```
Context-configured Source Code Weakness Analyzer
N/A
According to SOAR, the following detection techniques may be useful:
``` Cost effective for partial coverage: ```
Configuration Checker
N/A
According to SOAR, the following detection techniques may be useful:
``` Highly cost effective: ```
Formal Methods / Correct-By-Construction ``` Cost effective for partial coverage: ```
Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
N/A
This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|---|---|---|
| PLOVER | N/A | N/A | Insecure Default Permissions |
| CERT C Secure Coding | FIO06-C | N/A | Create files with appropriate access permissions |
| The CERT Oracle Secure Coding Standard for Java (2011) | FIO01-J | N/A | Create files with appropriate access permission |
| ISA/IEC 62443 | Part 2-4 | N/A | Req SP.03.08 |
| ISA/IEC 62443 | Part 4-2 | N/A | Req CR 2.1 |