계: API Abuse
API는 호출자와 피호출자 간의 계약입니다. 가장 흔한 형태의 API 오용은 호출자가 이 계약에서 자신의 몫을 이행하지 못하기 때문에 발생합니다. 예를 들어, 프로그램이 chroot()를 호출한 후 chdir()을 호출하지 못하면 활성 루트 디렉터리를 안전하게 변경하는 방법을 지정하는 계약을 위반하는 것입니다. 라이브러리 오용의 또 다른 좋은 예는 피호출자가 호출자에게 신뢰할 만한 DNS 정보를 반환할 것으로 예상하는 것입니다. 이 경우, 호출자는 자신의 행동에 대해 특정한 가정을 함으로써(반환 값이 인증 목적으로 사용될 것으로 예상) 피호출자 API를 오용합니다. 다른 쪽에서 호출자-피호출자 계약을 위반할 수도 있습니다. 예를 들어, 코더가 하위 클래스 SecureRandom을 지정하고 임의 값이 아닌 값을 반환하는 경우 계약을 위반하는 것입니다.
Often Misused: Privilege Management
Abstract
최소 권한 원칙을 지키지 않으면 다른 취약점으로 인한 위험이 커집니다.
Explanation
root 권한으로 실행되는 프로그램은 수없이 많은 Unix 보안 문제를 일으킵니다. 모든 종류의 보안 문제에 대해 권한 있는 프로그램을 신중하게 검토하는 일도 시급하지만 간과한 취약점이 일으킬 수 있는 피해 규모를 줄이기 위해 최대한 빨리 권한 있는 프로그램을 권한 없는 상태로 되돌리는 것도 중요합니다.Privilege management 함수는 모호하게 동작할 수 있고 플랫폼마다 큰 차이를 보입니다. 이 불일치는 특히
root 사용자가 아닌 사용자에서 다른 사용자로 전환하려 할 때 두드러집니다. 시그널 처리기 및 생성된 프로세스는 프로세스 소유자 권한으로 실행되기 때문에 프로세스가
root로 실행될 때 시그널 처리기 또는 하위 프로세스가 실행되는 경우 시그널 처리기나 하위 프로세스는 루트 권한으로 실행됩니다. 공격자는 이 높은 권한을 이용하여 더 큰 피해를 줄 수 있습니다.References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 250
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[18] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.cpp.often_misused_privilege_management.setuid
Abstract
최소 권한 원칙을 준수하지 않으면 다른 취약성에 의해 발생하는 위험이 증폭됩니다.
Explanation
root 권한으로 실행된 프로그램은 무수한 Unix 보안 재해를 일으켰습니다. 모든 종류의 보안 문제에 대해 권한 있는 프로그램을 신중하게 검토해야 하지만, 간과된 취약성이 야기할 수 있는 피해를 최소화하기 위해 권한 있는 프로그램에서 최대한 빨리 권한을 박탈하는 것도 그에 못지 않게 중요합니다.권한 관리 함수는 명확하지 않은 방식으로 작동할 수 있으며 플랫폼마다 다른 특성을 가지고 있습니다. 이러한 불일치는
root 사용자가 아닌 한 사용자에서 다른 사용자로 전환하는 경우 특히 두드러집니다.신호 처리기 및 생성된 프로세스는 소유 프로세스의 권한으로 실행되므로, 신호가 발생하거나 하위 프로세스가 실행될 때 프로세스가
root로 실행 중인 경우 신호 처리기 또는 하위 프로세스는 루트 권한으로 작동합니다. 공격자는 이러한 승격된 권한을 활용하여 추가적인 손상을 입힐 수 있습니다.References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 250
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[17] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.golang.often_misused_privilege_management
Abstract
최소 권한 원칙을 지키지 않으면 다른 취약점으로 인한 위험이 커집니다.
Explanation
root 권한으로 실행되는 프로그램은 수없이 많은 Unix 보안 문제를 일으킵니다. 모든 종류의 보안 문제에 대해 권한 있는 프로그램을 신중하게 검토하는 일도 시급하지만 간과한 취약점이 일으킬 수 있는 피해 규모를 줄이기 위해 최대한 빨리 권한 있는 프로그램을 권한 없는 상태로 되돌리는 것도 중요합니다.Privilege management 함수는 모호하게 동작할 수 있고 플랫폼마다 큰 차이를 보입니다. 이 불일치는 특히
root 사용자가 아닌 사용자에서 다른 사용자로 전환하려 할 때 두드러집니다.시그널 처리기 및 생성된 프로세스는 프로세스 소유자 권한으로 실행되기 때문에 프로세스가
root로 실행될 때 시그널 처리기 또는 하위 프로세스가 실행되는 경우 시그널 처리기나 하위 프로세스는 루트 권한으로 실행됩니다. 공격자는 이 높은 권한을 이용하여 더 큰 피해를 줄 수 있습니다.References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 250
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[17] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.java.often_misused_privilege_management
Abstract
최소 권한 원칙을 지키지 않으면 다른 취약점으로 인한 위험이 커집니다.
Explanation
root 권한으로 실행되는 프로그램은 수없이 많은 Unix 보안 문제를 일으킵니다. 모든 종류의 보안 문제에 대해 권한 있는 프로그램을 신중하게 검토하는 일도 시급하지만 간과한 취약점이 일으킬 수 있는 피해 규모를 줄이기 위해 최대한 빨리 권한 있는 프로그램을 권한 없는 상태로 되돌리는 것도 중요합니다.Privilege management 함수는 모호하게 동작할 수 있고 플랫폼마다 큰 차이를 보입니다. 이 불일치는 특히
root 사용자가 아닌 사용자에서 다른 사용자로 전환하려 할 때 두드러집니다.시그널 처리기 및 생성된 프로세스는 프로세스 소유자 권한으로 실행되기 때문에 프로세스가
root로 실행될 때 시그널 처리기 또는 하위 프로세스가 실행되는 경우 시그널 처리기나 하위 프로세스는 루트 권한으로 실행됩니다. 공격자는 이 높은 권한을 이용하여 더 큰 피해를 줄 수 있습니다.References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 250
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[17] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.python.often_misused_privilege_management