CWE-514
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Covert Channel
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.
Description du CWE
Typically the system has not given authorization for the transmission and has no knowledge of its occurrence.
Informations générales
Modes d'introduction
ImplementationOperation
Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality Access Control | Read Application Data, Bypass Protection Mechanism |
Méthodes de détection
Architecture or Design Review
According to SOAR, the following detection techniques may be useful:
Cost effective for partial coverage:
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Efficacité : SOAR Partial
Notes de cartographie des vulnérabilités
Justification : This CWE entry is a Class and might have Base-level children that would be more appropriateCommentaire : Examine children of this entry to see if there is a better fit
Modèles d'attaque associés
| CAPEC-ID | Nom du modèle d'attaque |
|---|---|
| CAPEC-463 | Padding Oracle Crypto Attack An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key. |
NotesNotes
A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.
Références
REF-1431
A Taxonomy of Computer Program Security Flaws, with ExamplesCarl E. Landwehr, Alan R. Bull, John P. McDermott, William S. Choi.
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| Landwehr | Draft 3 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Other_Notes, Theoretical_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns, Relationships | |
| CWE Content Team | MITRE | updated Description, Relationships, Theoretical_Notes | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Maintenance_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated References |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.