1. Home
  2. CWE Database
  3. CWE-520
Variant · Low-Medium

CWE-520: .NET Misconfiguration: Use of Impersonation

Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.

CWE-520 · Variant Level ·1 Mitigations

Description

Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.

.NET server applications can optionally execute using the identity of the user authenticated to the client. The intention of this functionality is to bypass authentication and access control checks within the .NET application code. Authentication is done by the underlying web server (Microsoft Internet Information Service IIS), which passes the authenticated token, or unauthenticated anonymous token, to the .NET application. Using the token to impersonate the client, the application then relies on the settings within the NTFS directories and files to control access. Impersonation enables the application, on the server running the .NET application, to both execute code and access resources in the context of the authenticated and authorized user.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Mitigations & Prevention

Operation

Run the application with limited privilege to the underlying operating and file system.

CWE-266: Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor...

Frequently Asked Questions

What is CWE-520?

CWE-520 (.NET Misconfiguration: Use of Impersonation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.

How can CWE-520 be exploited?

Attackers can exploit CWE-520 (.NET Misconfiguration: Use of Impersonation) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design, Implementation, Operation phase of software development.

How do I prevent CWE-520?

Key mitigations include: Run the application with limited privilege to the underlying operating and file system.

What is the severity of CWE-520?

CWE-520 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.