CWE-420 Detail

CWE-420

Unprotected Alternate Channel
Draft
2006-07-19
00h00 +00:00
2024-02-29
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Unprotected Alternate Channel

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

General Informations

Modes Of Introduction

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
Access ControlGain Privileges or Assume Identity, Bypass Protection Mechanism

Observed Examples

References Description

CVE-2020-8004

When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).

CVE-2002-0567

DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.

CVE-2002-1578

Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.

CVE-2003-1035

User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.

CVE-2002-1863

FTP service can not be disabled even when other access controls would require it.

CVE-2002-0066

Windows named pipe created without authentication/access control, allowing configuration modification.

CVE-2004-1461

Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.

Potential Mitigations

Phases : Architecture and Design
Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

This can be primary to authentication errors, and resultant from unhandled error conditions.

Submission

Name Organization Date Date release Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Relationship_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-07-17 +00:00 updated Applicable_Platforms, Potential_Mitigations, Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples