Unprotected Alternate Channel
Weakness ID: 420 (Weakness Base) | Status: Draft
Description Summary
The software protects a primary channel, but it does not use the same level of protection for an alternate channel.
Observed Examples

Reference | Description
---|---
CVE-2002-0567 | DB server assumes that local clients have already performed authentication, allowing an attacker to connect directly to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so the attack can be carried out remotely.
CVE-2002-1578 | Product does not restrict access to the underlying database, so an attacker can bypass its restrictions by querying the database directly.
CVE-2003-1035 | User can avoid lockouts by using an API instead of the GUI to conduct brute-force password guessing.
CVE-2002-1863 | FTP service cannot be disabled even when other access controls would require it.
CVE-2002-0066 | Windows named pipe created without authentication or access control, allowing configuration modification.
CVE-2004-1461 | Router management interface spawns a separate TCP connection after authentication, allowing hijacking by an attacker coming from the same IP address.
Malicious users are likely to attack the weakest link: an alternate channel with weaker protection becomes the path of least resistance to the same data or functionality.
Deploy different layers of protection to implement security in depth.

Potential Mitigations

Phase: Architecture and Design. Identify all alternate channels (APIs, local sockets, named pipes, direct database connections, management ports, secondary connections spawned after login) and use the same protection mechanisms for them as you do for the primary channels. Enforce authentication, authorization and lockout in one shared layer that every channel passes through, rather than separately in each front end, so that adding a channel cannot silently bypass the check.
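The following is an added illustration, not code from the CWE entry, of the pattern in CVE-2003-1035 and of the mitigation above. A service verifies passwords through one function but exposes two channels: a web-form handler that counts failures and locks the account, and a JSON API that calls the verifier directly and so bypasses the lockout. The hardened version routes every channel through a single authentication gate. The service classes, the account, its password, the salt, the attempt limit and the wordlist are all constructed for this example.

```python
"""Added example for CWE-420 (not code from the CWE entry): the same login
verifier reached over two channels. In VulnerableService the lockout is
enforced only by the web-form handler, so the JSON API is an unprotected
alternate channel (the pattern of CVE-2003-1035). In HardenedService every
channel goes through one authentication gate. Users, passwords, the salt
and the wordlist are all constructed for this illustration."""
import hashlib
import hmac

MAX_ATTEMPTS = 5              # failed logins before the account is locked
_SALT = b"constructed-salt"   # a real system uses a random per-user salt


def _digest(password: str) -> bytes:
    # Low iteration count keeps the demo fast; production needs far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed credential store: username -> password digest.
USERS = {"alice": _digest("correct horse")}


def check_password(user: str, password: str) -> bool:
    """Raw verifier: constant-time digest compare, keeps no attempt state."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest(password))


class VulnerableService:
    """Lockout lives in the GUI handler only, so api_login bypasses it."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}

    def gui_login(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        if check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

    def api_login(self, user: str, password: str) -> str:
        # Alternate channel calls the verifier directly: unlimited guesses.
        return "ok" if check_password(user, password) else "denied"


class HardenedService:
    """One authentication gate holds the lockout state; every channel uses it."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}

    def _authenticate(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        if check_password(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

    def gui_login(self, user: str, password: str) -> str:
        return self._authenticate(user, password)

    def api_login(self, user: str, password: str) -> str:
        return self._authenticate(user, password)


# Constructed wordlist; the real password is the last entry.
WORDLIST = ["password", "123456", "letmein", "qwerty",
            "welcome", "admin", "correct horse"]


def brute_force(login, user: str, guesses) -> tuple[str, int]:
    """Run guesses through a login callable; return (outcome, attempts used)."""
    for attempt, guess in enumerate(guesses, start=1):
        result = login(user, guess)
        if result in ("ok", "locked"):
            return result, attempt
    return "exhausted", len(guesses)


def demo() -> dict[str, tuple[str, int]]:
    """Brute-force each channel of each service using a fresh instance."""
    return {
        "vulnerable/gui": brute_force(VulnerableService().gui_login, "alice", WORDLIST),
        "vulnerable/api": brute_force(VulnerableService().api_login, "alice", WORDLIST),
        "hardened/gui": brute_force(HardenedService().gui_login, "alice", WORDLIST),
        "hardened/api": brute_force(HardenedService().api_login, "alice", WORDLIST),
    }


if __name__ == "__main__":
    for channel, outcome in demo().items():
        print(f"{channel:15s} -> {outcome}")
```

Against the constructed wordlist the vulnerable GUI and both hardened channels lock the account on the sixth attempt, while the vulnerable API reaches the correct password on the seventh. The structural point is that the check sits in the one function every channel must call; any code path that reaches check_password without going through it is an unprotected alternate channel. Two practitioner caveats: enumerate the channels (the API here is easy to miss when only the form is tested), and remember that a lockout counter is itself a denial-of-service lever, so pair it with rate limiting or a time-based reset rather than a permanent lock.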
Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 418 | Channel Errors | Development Concepts (primary) 699
ChildOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000
ParentOf | Weakness Base | 421 | Race Condition During Access to Alternate Channel | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 422 | Unprotected Windows Messaging Channel ('Shatter') | Development Concepts (primary) 699; Research Concepts (primary) 1000
PeerOf | Weakness Base | 288 | Authentication Bypass Using an Alternate Path or Channel | Research Concepts 1000
Relationship Notes

This can be primary to authentication errors, and resultant from unhandled error conditions.
Content History

Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
 | PLOVER | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Relationship Notes, Taxonomy Mappings