TH16120
Detected presence of software components that can elevate the user privileges.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | high | high | None | None |
About the issueโ
Operating systems execute application code in multiple privilege access levels. Separation of privileges is designed to protect the stability and integrity of the operating system by shielding it from issues that the user run applications may cause. However, some users may need to interact with higher privilege parts of the operating system to accomplish specific tasks. For this purpose, operating systems provide facilities that users may leverage to temporarily elevate their running privileges. Users with higher privileges can run any application with the same privilege level as their own. Attackers often try to trick privileged users into running malicious code, enabling them to infect the operating system. While the presence of code that elevates user privileges does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can elevate user privileges. One example of acceptable use for such functions is allowing the users to install software packages and updates.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1548 - Abuse Elevation Control Mechanism.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1548 - Abuse Elevation Control Mechanism (External resource - Mitre ATT&CK documentation)
- Privilege separation (External resource - Wikipedia)