CWE-267: Privilege Defined With Unsafe Actions
Learn about CWE-267 (Privilege Defined With Unsafe Actions), its security impact, exploitation methods, and prevention guidelines.
What is Privilege Defined With Unsafe Actions?
• Overview: Privilege Defined With Unsafe Actions occurs when a privilege or role allows actions that were not intended, posing security risks even if correctly assigned.
• Exploitation Methods:
- Attackers can exploit this weakness by using legitimately assigned privileges to perform actions that were never intended for their role.
- Common attack patterns include privilege escalation and misuse of roles to access or modify sensitive data.
• Security Impact:
- Direct consequences include unauthorized access, data breach, or system compromise.
- Potential cascading effects include further exploitation of system vulnerabilities and broader network compromise.
- Business impact includes loss of customer trust, legal liabilities, and financial losses from data breaches.
• Prevention Guidelines:
- Specific code-level fixes involve implementing the principle of least privilege by defining roles with only the permissions they need, checked per action rather than per role name.
- Security best practices include regular access reviews, auditing, and monitoring of privilege assignments.
- Recommended tools and frameworks include using role-based access control (RBAC) systems and security information and event management (SIEM) tools for real-time monitoring.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
def perform_critical_operation(user_role):
    # Vulnerable: The role "admin" can perform any operation, which may include unintended dangerous actions
    if user_role == "admin":
        execute_dangerous_action()
    else:
        print("You do not have permission to perform this action.")


def execute_dangerous_action():
    # Simulate a critical operation that should be restricted
    print("Executing dangerous operation...")
Explanation of the Vulnerability
In this example, the role "admin" is granted broad privileges, allowing it to execute potentially unsafe operations through the execute_dangerous_action function. This design flaw occurs because the role "admin" can perform actions that are not explicitly intended or controlled, leading to a CWE-267 vulnerability. The lack of specific permission checks for critical operations can result in unauthorized access and execution of sensitive actions.
How to fix Privilege Defined With Unsafe Actions?
Fixed Code Example
def perform_critical_operation(user_role):
    # Fixed: Check explicit permissions for the critical operation
    if can_execute_critical_operation(user_role):
        execute_dangerous_action()
    else:
        print("You do not have permission to perform this action.")


def can_execute_critical_operation(user_role):
    # Define explicit permissions for roles
    permissions = {
        "admin": ["view_reports", "modify_users"],  # Admin can no longer perform dangerous actions
        "super_admin": ["view_reports", "modify_users", "execute_dangerous_action"],
    }
    # Check if the user role has permission to execute the dangerous action
    return "execute_dangerous_action" in permissions.get(user_role, [])


def execute_dangerous_action():
    # Simulate a critical operation that should be restricted
    print("Executing dangerous operation...")
Explanation of the Fix
The fixed code introduces a can_execute_critical_operation function to implement permission checks. This function uses a dictionary to define explicit permissions for each role, ensuring that only specific roles (in this case, "super_admin") can perform the dangerous action. This approach adheres to the principle of least privilege and prevents unintended actions by restricting role capabilities to explicitly defined operations only.