CWE-514
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Covert Channel
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.
CWE Description
Typically the system has not given authorization for the transmission and has no knowledge of its occurrence.
General Informations
Modes Of Introduction
ImplementationOperation
Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Confidentiality Access Control | Read Application Data, Bypass Protection Mechanism |
Detection Methods
Architecture or Design Review
According to SOAR, the following detection techniques may be useful:
Cost effective for partial coverage:
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Effectiveness : SOAR Partial
Vulnerability Mapping Notes
Justification : This CWE entry is a Class and might have Base-level children that would be more appropriateComment : Examine children of this entry to see if there is a better fit
Related Attack Patterns
| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-463 | Padding Oracle Crypto Attack An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. |
NotesNotes
A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.
References
REF-1431
A Taxonomy of Computer Program Security Flaws, with ExamplesCarl E. Landwehr, Alan R. Bull, John P. McDermott, William S. Choi.
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| Landwehr | Draft 3 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Other_Notes, Theoretical_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | |
| CWE Content Team | MITRE | updated Description, Relationships, Theoretical_Notes | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Maintenance_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated References |
2025©
tesweb SA
