Corgea LogoCorgea Security Hub

CWE-279: Incorrect Execution-Assigned Permissions

Learn about CWE-279 (Incorrect Execution-Assigned Permissions), its security impact, exploitation methods, and prevention guidelines.

What is Incorrect Execution-Assigned Permissions?

• Overview: This vulnerability occurs when a software product, during its execution, assigns permissions to an object that do not align with the permissions intended or specified by the user. This misalignment can lead to unauthorized access or actions on the object.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by accessing or manipulating objects with overly permissive settings.
  • Common attack patterns include privilege escalation, where attackers gain higher access levels than intended, and unauthorized data access or modification.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive data or critical system functions.
  • Potential cascading effects might involve data breaches or system compromise, leading to loss of data integrity or availability.
  • Business impact could include financial loss, reputational damage, and legal liabilities due to non-compliance with data protection regulations.

• Prevention Guidelines:

  • Specific code-level fixes include implementing strict permission checks and validation at runtime to ensure the actual permissions match the intended settings.
  • Security best practices involve applying the principle of least privilege, regularly auditing permission settings, and ensuring robust access controls.
  • Recommended tools and frameworks include static analysis tools to identify permission misconfigurations and runtime monitoring tools to detect and alert on suspicious permission changes.
Corgea can automatically detect and fix Incorrect Execution-Assigned Permissions in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

const fs = require('fs');

function createFileWithPermissions(filePath) {
    // Creates a file and assigns incorrect permissions
    fs.writeFileSync(filePath, "Sensitive data");
    // Incorrectly sets permissions to world-writable, which is a security risk
    fs.chmodSync(filePath, 0o777);
}

Explanation:

  • This JavaScript code creates a file and sets its permissions to 0o777, making it world-writable. This is insecure because it allows any user to read, write, or execute the file, leading to potential security risks such as unauthorized modifications or data leakage.

How to fix Incorrect Execution-Assigned Permissions?

To fix this vulnerability, you should:

  1. Use secure default permissions that provide the least privilege necessary.
  2. Consider setting permissions to 0o600 for files that should only be accessible by the owner, and 0o640 if group read access is necessary.
  3. Regularly review and audit file permissions to ensure they meet security policies.

Fixed Code Example

const fs = require('fs');

function createFileWithSecurePermissions(filePath) {
    // Creates a file and assigns secure permissions
    fs.writeFileSync(filePath, "Sensitive data");
    // Securely sets permissions to read/write for the owner only
    fs.chmodSync(filePath, 0o600);
}

Explanation:

  • The fixed code example sets the file permissions to 0o600, meaning only the owner has read and write access. This limits the potential for unauthorized access or modifications by other users, thereby enhancing the security of the file by adhering to the principle of least privilege.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-279: Incorrect Execution-Assigned Permissions and get remediation guidance

Start for free and no credit card needed.