CWE-420: Unprotected Alternate Channel

Export to Word

Description

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2020-8004

When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
CVE: CVE-2002-0567

DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.
CVE: CVE-2002-1578

Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.
CVE: CVE-2003-1035

User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
CVE: CVE-2002-1863

FTP service can not be disabled even when other access controls would require it.
CVE: CVE-2002-0066

Windows named pipe created without authentication/access control, allowing configuration modification.
CVE: CVE-2004-1461

Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation	N/A
Operation	N/A

Common Consequences

Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism — Notes:

Potential Mitigations

Architecture and Design: Identify all alternate channels and use the same protection mechanisms that are used for the primary channels. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (as indicated by acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one hot input, incoming_id. This is checked against the acl_oh_allowlist (which contains a list of initiators that are allowed to access the asset). Though this example is shown in Verilog, it will apply to VHDL as well.

Body: The bugged line of code is repeated in the Bad example above. The weakness arises from the fact that the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME. The address of COPY_OF_SECURE_ME should also be included in the check. That buggy line of code should instead be replaced as shown in the Good Code Snippet below.

module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n); output [31:0] data_out; input [31:0] data_in, incoming_id, address; input clk, rst_n; wire write_auth, addr_auth; reg [31:0] data_out, acl_oh_allowlist, q; assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; always @* acl_oh_allowlist <= 32'h8312; assign addr_auth = (address == 32'hF00) ? 1: 0; always @ (posedge clk or negedge rst_n) if (!rst_n) begin q <= 32'h0; data_out <= 32'h0; end else begin q <= (addr_auth & write_auth) ? data_in: q; data_out <= q; end end endmodule

Notes

Relationship: This can be primary to authentication errors, and resultant from unhandled error conditions.

← Back to CWE list