{"@ID": "276", "@Name": "Incorrect Default Permissions", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-276-Diagram.png", "Description": "During installation, installed file permissions are set to allow anyone to modify those files.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "732", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "732", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}, {"@Class": "ICS/OT", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}, {"Phase": "Installation"}, {"Phase": "Operation"}]}, "Likelihood_Of_Exploit": "Medium", "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity"], "Impact": ["Read Application Data", "Modify Application Data"]}}, "Detection_Methods": {"Detection_Method": [{"Method": "Automated Static Analysis - Binary or Bytecode", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": "Inter-application Flow Analysis"}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Manual Static Analysis - Binary or Bytecode", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": "Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies"}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Dynamic Analysis with Automated Results Interpretation", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": ["Host-based Vulnerability Scanners - Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria", "Web Application Scanner", "Web Services Scanner", "Database Scanners"]}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Dynamic Analysis with Manual Results Interpretation", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": ["Highly cost effective:", "Cost effective for partial coverage:"], "xhtml:ul": [{"xhtml:li": "Host Application Interface Scanner"}, {"xhtml:li": ["Fuzz Tester", "Framework-based Fuzzer", "Automated Monitored Execution", "Forced Path Execution"]}]}}, "Effectiveness": "High"}, {"Method": "Manual Static Analysis - Source Code", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": ["Highly cost effective:", "Cost effective for partial coverage:"], "xhtml:ul": [{"xhtml:li": "Manual Source Code Review (not inspections)"}, {"xhtml:li": "Focused Manual Spotcheck - Focused manual analysis of source"}]}}, "Effectiveness": "High"}, {"Method": "Automated Static Analysis - Source Code", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": "Context-configured Source Code Weakness Analyzer"}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Automated Static Analysis", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": "Cost effective for partial coverage:", "xhtml:ul": {"xhtml:li": "Configuration Checker"}}}, "Effectiveness": "SOAR Partial"}, {"Method": "Architecture or Design Review", "Description": {"xhtml:p": "According to SOAR [REF-1479], the following detection techniques may be useful:", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": ["Highly cost effective:", "Cost effective for partial coverage:"], "xhtml:ul": [{"xhtml:li": "Formal Methods / Correct-By-Construction"}, {"xhtml:li": "Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)"}]}}, "Effectiveness": "High"}]}, "Potential_Mitigations": {"Mitigation": [{"@Mitigation_ID": "MIT-1", "Phase": ["Architecture and Design", "Operation"], "Description": "The architecture needs to access and modification attributes for files to only those users who actually require those actions."}, {"@Mitigation_ID": "MIT-46", "Phase": "Architecture and Design", "Strategy": "Separation of Privilege", "Description": {"xhtml:p": ["Compartmentalize the system to have \"safe\" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.", "Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges."]}}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2005-1941", "Description": "Executables installed world-writable.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-1941"}, {"Reference": "CVE-2002-1713", "Description": "Home directories installed world-readable.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1713"}, {"Reference": "CVE-2001-1550", "Description": "World-writable log files allow information loss; world-readable file has cleartext passwords.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-1550"}, {"Reference": "CVE-2002-1711", "Description": "World-readable directory.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1711"}, {"Reference": "CVE-2002-1844", "Description": "Windows product uses insecure permissions when installing on Solaris (genesis: port error).", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1844"}, {"Reference": "CVE-2001-0497", "Description": "Insecure permissions for a shared secret key file. Overlaps cryptographic problem.", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-0497"}, {"Reference": "CVE-1999-0426", "Description": "Default permissions of a device allow IP spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-0426"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Insecure Default Permissions"}, {"@Taxonomy_Name": "CERT C Secure Coding", "Entry_ID": "FIO06-C", "Entry_Name": "Create files with appropriate access permissions"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "FIO01-J", "Entry_Name": "Create files with appropriate access permission"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 2-4", "Entry_Name": "Req SP.03.08"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req CR 2.1"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "1"}, {"@CAPEC_ID": "127"}, {"@CAPEC_ID": "81"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-62", "@Section": "Chapter 3, \"Insecure Defaults\", Page 69"}, {"@External_Reference_ID": "REF-1479"}, {"@External_Reference_ID": "REF-1479"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "As of CWE 4.19, this entry is\n            being considered for deprecation or significant\n            revision. Its name and description are inconsistent. The\n            name is more general, and the description is more\n            specific. The description emphasizes the installation\n            phase only; mentions only files; and emphasizes\n            modification of those files. The name applies to any type\n            of resource, does not mention the specific permissions,\n            and could be relevant to any SDLC phase."}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Description, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-09-13", "Modification_Version": "2.1", "Modification_ReleaseDate": "2011-09-13", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-05-03", "Modification_Version": "2.11", "Modification_ReleaseDate": "2017-05-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Description, Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Description, Modes_of_Introduction, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-06-28", "Modification_Version": "4.8", "Modification_ReleaseDate": "2022-06-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Detection_Factors, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Diagram, Maintenance_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2026-01-21", "Modification_Version": "4.19.1", "Modification_ReleaseDate": "2026-01-21", "Modification_Comment": "updated Relationships"}], "Contribution": [{"@Type": "Content", "Contribution_Name": "\"Mapping CWE to 62443\" Sub-Working Group", "Contribution_Organization": "CWE-CAPEC ICS/OT SIG", "Contribution_Date": "2023-04-25", "Contribution_Comment": "Suggested mappings to ISA/IEC 62443."}, {"@Type": "Content", "Contribution_Name": "Abhi Balakrishnan", "Contribution_Date": "2024-09-29", "Contribution_Version": "4.19", "Contribution_ReleaseDate": "2025-12-11", "Contribution_Comment": "Contributed usability diagram concepts used by the CWE team"}], "Previous_Entry_Name": {"@Date": "2009-05-27", "#text": "Insecure Default Permissions"}}}
