CWE-300: Channel Accessible by Non-Endpoint
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
扩展描述
In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Inadequate or inconsistent verification may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities.
常见后果
影响范围: Confidentiality Integrity Access Control
技术影响: Read Application Data Modify Application Data Gain Privileges or Assume Identity
说明: An attacker could pose as one of the entities and read or possibly modify the communication.
潜在缓解措施
阶段: Implementation
描述: Always fully authenticate both ends of any communications channel.
阶段: Architecture and Design
描述: Adhere to the principle of complete mediation.
阶段: Implementation
描述: A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure.
检测方法
方法: Automated Dynamic Analysis
Some tools can act as proxy servers that allow the tester to intercept packets or messages, inspect them, and modify them before sending them to the destination in order to see if the modified packets are still accepted by the receiving component.
方法: Automated Dynamic Analysis
Dynamic Application Security Testing (DAST) tools can be used to detect network traffic without encryption and/or verification. The affected protocol may be subject to Adversary-in-the-Middle attacks. Some tools act as proxy servers that allow the tester to inspect and modify packets/messages to see if they are still accepted by the receiving component.
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) The analysis could identify use of protocols that are subject to Adversary-in-the-Middle attacks.
有效性: Moderate
观察示例
参考: CVE-2014-1266
chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversry-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Man-in-the-middle (MITM) | - |
| WASC | 32 | Routing Detour | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | SEC06-J | Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar | - |
关键信息
CWE ID: CWE-300
抽象级别: Class
结构: Simple
状态: Draft