Race Condition During Access to Alternate Channel
Weakness ID: 421 (Weakness Base)Status: Draft
+ Description

Description Summary

The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.

Extended Description

This creates a race condition that allows an attacker to access the channel before the authorized user does.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Observed Examples
ReferenceDescription
CVE-1999-0351FTP "Pizza Thief" vulnerability. Attacker can connect to a port that was intended for use by another client.
CVE-2003-0230Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it.
+ Potential Mitigations

Protect access to resources. Enforce an authentication check on every transaction.

+ Other Notes

Predictability can be a factor in some issues.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class362Race Condition
Development Concepts699
Research Concepts1000
ChildOfWeakness BaseWeakness Base420Unprotected Alternate Channel
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory634Weaknesses that Affect System Processes
Resource-specific Weaknesses (primary)631
+ Affected Resources
  • System Process
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERAlternate Channel Race Condition
+ References
Blake Watts. "Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit". April 2002. <http://www.blakewatts.com/namedpipepaper.html>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Observed Example, Other Notes, Taxonomy Mappings, Type
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-01-12CWE Content TeamMITREInternal
updated References
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Alternate Channel Race Condition
Back to top