CWE-420: Unprotected Alternate Channel
CWE Version: 4.18
Last updated: 2025-09-09
Weakness Description
The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Common Consequences
Scope: Access Control
Technical Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism
Potential Mitigations
Phase: Architecture and Design
Description: Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.
Observed Examples
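The mitigation above is easiest to see on the pattern behind CVE-2003-1035 below: a lockout enforced by the web form but not by an API that checks the same credentials. The following is an added example, not code from the CWE entry or from any affected product; the service, the account "alice", the password, the wordlist and the lockout threshold are all constructed. The vulnerable class implements the lockout inside the primary handler only, while the hardened class makes both channels call one authenticate() gate that owns the failure counter.

```python
"""CWE-420 illustration: a lockout on the primary (web form) channel that the
alternate (API) channel does not share, beside the fix that routes both
channels through one gate. Constructed example; users, passwords, wordlist
and threshold are assumptions, not values from the CWE entry."""
import hashlib
import hmac

MAX_FAILURES = 5  # assumed lockout threshold

# Constructed credential store: username -> SHA-256 of the password. Unsalted
# on purpose to keep the focus on the channel, not on password hashing.
_USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}


def _password_ok(user, password):
    """Constant-time comparison of the guess against the stored digest."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_USERS.get(user, ""), digest)


class VulnerableService:
    """Lockout lives inside the web handler only (the CWE-420 shape)."""

    def __init__(self):
        self.failures = {}

    def web_login(self, user, password):
        # Primary channel: counts failures and locks the account.
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if _password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

    def api_login(self, user, password):
        # Alternate channel: same credential check, no lockout at all.
        return "ok" if _password_ok(user, password) else "denied"


class HardenedService:
    """Every channel calls the same authenticate() gate, so lockout state is
    shared and switching channels does not reset or bypass it."""

    def __init__(self):
        self.failures = {}

    def authenticate(self, user, password):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if _password_ok(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

    def web_login(self, user, password):
        return self.authenticate(user, password)

    def api_login(self, user, password):
        return self.authenticate(user, password)


# Constructed wordlist; the real password is deliberately past the threshold.
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin",
            "welcome", "dragon", "correct-horse"]


def brute_force(service, user, channel, guesses):
    """Try each guess on the named channel ("web_login" or "api_login").
    Returns the password that succeeded, or None if every attempt was
    denied or the account locked first."""
    login = getattr(service, channel)
    for guess in guesses:
        if login(user, guess) == "ok":
            return guess
    return None


def demo():
    """Run the same wordlist against each channel of each service."""
    return {
        "vulnerable_web": brute_force(VulnerableService(), "alice", "web_login", WORDLIST),
        "vulnerable_api": brute_force(VulnerableService(), "alice", "api_login", WORDLIST),
        "hardened_web": brute_force(HardenedService(), "alice", "web_login", WORDLIST),
        "hardened_api": brute_force(HardenedService(), "alice", "api_login", WORDLIST),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {'cracked ' + found if found else 'blocked'}")
```

The check a reviewer would apply to a real system is the one demo() encodes: enumerate every entry point that ends up at the same credential check or the same resource (web form, REST endpoint, CLI, named pipe, local socket, a database reachable directly) and confirm that each reaches it through the same gate, rather than re-implementing the control per channel.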
Reference: CVE-2020-8004
When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
Reference: CVE-2002-0567
DB server assumes that local clients have performed authentication, allowing an attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so the attack can be remote.
Reference: CVE-2002-1578
Product does not restrict access to the underlying database, so an attacker can bypass restrictions by directly querying the database.
Reference: CVE-2003-1035
User can avoid lockouts by using an API instead of the GUI to conduct brute-force password guessing.
Reference: CVE-2002-1863
FTP service cannot be disabled even when other access controls would require it.
Reference: CVE-2002-0066
Windows named pipe created without authentication/access control, allowing configuration modification.
Reference: CVE-2004-1461
Router management interface spawns a separate TCP connection after authentication, allowing hijacking by an attacker coming from the same IP address.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Implementation | - |
| Operation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Unprotected Alternate Channel | - |