CWE-1220: Insufficient Granularity of Access Control
Learn about CWE-1220 (Insufficient Granularity of Access Control), its security impact, exploitation methods, and prevention guidelines.
What is Insufficient Granularity of Access Control?
• Overview: Insufficient Granularity of Access Control refers to a vulnerability where access control policies are too broad, allowing unauthorized agents to read or write to security-sensitive assets, which should be restricted to trusted agents only.
• Exploitation Methods:
- Attackers can exploit this vulnerability by accessing assets such as device configurations or cryptographic keys that should be protected.
- Common attack patterns include unauthorized read/write operations and privilege escalation.
• Security Impact:
- Direct consequences include unauthorized access to sensitive data and potential modification of critical system configurations.
- Potential cascading effects include system instability, loss of data integrity, and heightened vulnerability to further attacks.
- Business impact can involve data breaches, loss of customer trust, and non-compliance with regulations.
• Prevention Guidelines:
- Implement fine-grained access controls to ensure only authorized agents have access to sensitive resources.
- Follow the principle of least privilege, only granting the minimum necessary access rights.
- Use tools and frameworks that support robust access control mechanisms, such as Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC).
- Regularly review and update access control policies to adapt to changes in the system or threat landscape.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not Technology-Specific
Vulnerable Code Example
class FileServer:
    def __init__(self):
        self.files = {
            "public.txt": "This is a public file.",
            "secret.txt": "Top secret information."
        }

    def read_file(self, filename, user_role):
        # Insufficient granularity: all users with the 'user' role can access any file
        if user_role == "user":
            return self.files.get(filename, "File not found.")  # Access is too broad
        else:
            raise PermissionError("Access Denied!")
Explanation of Vulnerability
In the above code, the read_file method applies a role-based access control mechanism but lacks sufficient granularity. Any user with the "user" role can access all files, including sensitive ones such as "secret.txt". This overly broad access control policy fails to adequately protect sensitive information from unauthorized access, as it does not distinguish between different levels of sensitivity or between user roles beyond "user".
How to fix Insufficient Granularity of Access Control?
To address this vulnerability, access control should be more granular. Instead of allowing all users with the "user" role to access all files, we should enforce file-specific permissions. This can be achieved by maintaining a permissions map that specifies which roles can access which files, ensuring that only authorized roles can access sensitive information.
Fixed Code Example
class FileServer:
    def __init__(self):
        self.files = {
            "public.txt": "This is a public file.",
            "secret.txt": "Top secret information."
        }
        # Define a permissions map for granular access control
        self.permissions = {
            "public.txt": ["user", "admin"],
            "secret.txt": ["admin"]
        }

    def read_file(self, filename, user_role):
        # Check whether the user's role is allowed to access the requested file
        if user_role in self.permissions.get(filename, []):
            return self.files.get(filename, "File not found.")
        else:
            raise PermissionError("Access Denied!")
Explanation of Fix
In the fixed code, a permissions dictionary is introduced to explicitly define which roles are permitted to access each file. The read_file method now checks the user's role against the permissions specified for the requested file. This ensures that only users with the appropriate role can access sensitive files like "secret.txt", thereby implementing a more granular and secure access control policy. This approach prevents unauthorized access and protects sensitive information effectively.