CWE-268: Privilege Chaining

Description

Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Demonstrative Examples

This code allows someone with the role of "ADMIN" or "OPERATOR" to reset a user's password. The role of "OPERATOR" is intended to have less privileges than an "ADMIN", but still be able to help users with small issues such as forgotten passwords.

Bad

public enum Roles {ADMIN,OPERATOR,USER,GUEST}
                     public void resetPassword(User requestingUser, User user, String password ){
                        if(isAuthenticated(requestingUser)){
                              switch(requestingUser.role){
                                    case GUEST:System.out.println("You are not authorized to perform this command");break;
                                       case USER:System.out.println("You are not authorized to perform this command");break;
                                       default:setPassword(user,password);break;}
                                 }
                           
                           else{System.out.println("You must be logged in to perform this command");}
                     }

This code does not check the role of the user whose password is being reset. It is possible for an Operator to gain Admin privileges by resetting the password of an Admin account and taking control of that account.

Mitigations & Prevention

Architecture and Design

Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

Architecture and DesignOperation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Architecture and DesignOperation

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

Real-World CVE Examples

CVE ID	Description
CVE-2005-1736	Chaining of user rights.
CVE-2002-1772	Gain certain rights via privilege chaining in alternate channel.
CVE-2005-1973	Application is allowed to assign extra permissions to itself.
CVE-2003-0640	"operator" user can overwrite usernames and passwords to gain admin privileges.

Taxonomy Mappings

PLOVER: — Privilege Chaining

Frequently Asked Questions

What is CWE-268?

CWE-268 (Privilege Chaining) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.

How can CWE-268 be exploited?

Attackers can exploit CWE-268 (Privilege Chaining) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design, Implementation, Operation phase of software development.

How do I prevent CWE-268?

Key mitigations include: Consider following the principle of separation of privilege. Require multiple conditions to be met before permitting access to a system resource.

What is the severity of CWE-268?

CWE-268 is classified as a Base-level weakness (Medium abstraction). It has been observed in 4 real-world CVEs.