CWE-514 Details

CWE-514

Covert Channel
Incomplete
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Covert Channel

A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.

CWE-Beschreibung

Typically the system has not given authorization for the transmission and has no knowledge of its occurrence.

Allgemeine Informationen

Einführungsmodi

Implementation
Operation

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
Confidentiality
Access Control		Read Application Data, Bypass Protection Mechanism

Erkennungsmethoden

Architecture or Design Review

Wirksamkeit : SOAR Partial

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is a Class and might have Base-level children that would be more appropriate
Kommentar : Examine children of this entry to see if there is a better fit

Verwandte Angriffsmuster

CAPEC-ID Name des Angriffsmusters
CAPEC-463 Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

Hinweise

A covert channel can be thought of as an emergent resource, meaning that it was not an originally intended resource, however it exists due the application's behaviors.
As of CWE 4.9, members of the CWE Hardware SIG are working to improve CWE's coverage of transient execution weaknesses, which include issues related to Spectre, Meltdown, and other attacks that create or exploit covert channels. As a result of that work, this entry might change in CWE 4.10.

Referenzen

REF-1431

A Taxonomy of Computer Program Security Flaws, with Examples
Carl E. Landwehr, Alan R. Bull, John P. McDermott, William S. Choi.
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
Landwehr 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Änderungen

Name Organisation Datum Kommentar
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Description, Other_Notes, Theoretical_Notes
CWE Content Team MITRE 2009-07-27 +00:00 updated Relationships
CWE Content Team MITRE 2010-04-05 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2013-02-21 +00:00 updated Description, Relationships, Theoretical_Notes
CWE Content Team MITRE 2014-06-23 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Maintenance_Notes
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2024-07-16 +00:00 updated References
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Weakness_Ordinalities
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.