Identity Management / Admin Accounts which Do Not Have the Flag "This Account Is Sensitive and Cannot Be Delegated"

Description

Admin account(s) which do not have the flag "this account is sensitive and cannot be delegated" is an IT vulnerability that falls within the category of Identity Management. This vulnerability occurs in Infrastructure when an administrator account is created without the sensitive flag, allowing users to access the account and use it to gain access to sensitive information, or manipulate system settings. This vulnerability has been assigned CWE-264: Permissions, Privileges and Access Controls, and is described in detail in the OWASP Testing Guide.

Risk

This vulnerability can be particularly dangerous, as it allows users to gain access to sensitive information and manipulate system settings. If a malicious user were to gain access to an administrator account, they could cause significant damage to the system, such as deleting important files, or changing security settings. It is therefore important to ensure that all administrator accounts are created with the sensitive flag.

Solution

To prevent this vulnerability, administrators should ensure that all admin accounts are created with the sensitive flag. This can be done by setting the account's control flags to "this account is sensitive and cannot be delegated". This will prevent users from gaining access to the account and manipulating system settings.