CWE-420
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Nazwa: Unprotected Alternate Channel
The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Informacje ogólne
Sposoby wprowadzenia
Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.Implementation
Operation
Odpowiednie platformy
Język
Class: Not Language-Specific (Undetermined)Typowe konsekwencje
| Zakres | Wpływ | Prawdopodobieństwo |
|---|---|---|
| Access Control | Gain Privileges or Assume Identity, Bypass Protection Mechanism |
Zaobserwowane przykłady
| Odniesienia | Opis |
|---|---|
CVE-2020-8004 | When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS). |
CVE-2002-0567 | DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote. |
CVE-2002-1578 | Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database. |
CVE-2003-1035 | User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing. |
CVE-2002-1863 | FTP service can not be disabled even when other access controls would require it. |
CVE-2002-0066 | Windows named pipe created without authentication/access control, allowing configuration modification. |
CVE-2004-1461 | Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address. |
Potencjalne środki zaradcze
Phases : Architecture and DesignIdentify all alternate channels and use the same protection mechanisms that are used for the primary channels.
Uwagi dotyczące mapowania podatności
Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notatki
This can be primary to authentication errors, and resultant from unhandled error conditions.Zgłoszenie
| Nazwa | Organizacja | Data | Data wydania | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modyfikacje
| Nazwa | Organizacja | Data | Komentarz |
|---|---|---|---|
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Relationship_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Potential_Mitigations, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Weakness_Ordinalities |
