Unprotected Alternate Channel
Weakness ID: 420 (Weakness Base)Status: Draft
+ Description

Description Summary

The software protects a primary channel, but it does not use the same level of protection for an alternate channel.
+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms



+ Observed Examples
CVE-2002-0567DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.
CVE-2002-1578Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.
CVE-2003-1035User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
CVE-2002-1863FTP service can not be disabled even when other access controls would require it.
CVE-2002-0066Windows named pipe created without authentication/access control, allowing configuration modification.
CVE-2004-1461Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.
+ Potential Mitigations

Malicious users are likely to attack the weakest link.

Deploy different layers of protection to implement security in depth.

Phase: Architecture and Design

Identify all alternate channels and use the same protection mechanisms as you do for the primary channels.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory418Channel Errors
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class668Exposure of Resource to Wrong Sphere
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base421Race Condition During Access to Alternate Channel
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant422Unprotected Windows Messaging Channel ('Shatter')
Development Concepts (primary)699
Research Concepts (primary)1000
PeerOfWeakness BaseWeakness Base288Authentication Bypass Using an Alternate Path or Channel
Research Concepts1000
+ Relationship Notes

This can be primary to authentication errors, and resultant from unhandled error conditions.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERUnprotected Alternate Channel
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Relationship Notes, Taxonomy Mappings