CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

Abstraction: Class | Status: Incomplete | Structure: Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Weakness Description

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Common Consequences

Scope: Integrity, Confidentiality

Technical Impact: Gain Privileges or Assume Identity

Note: If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint.

Detection Methods

Method: Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High

Observed Examples

Reference: CVE-2022-30319

S-bus functionality in a home automation product performs access control using an IP allowlist, which can be bypassed by a forged IP address.

Reference: CVE-2022-22547

A troubleshooting tool exposes a web server on a random port between 9000-65535 that could be used for information gathering.

Reference: CVE-2022-4390

A WAN interface on a router has firewall restrictions enabled for IPv4, but it does not for IPv6, which is enabled by default.

Reference: CVE-2012-2292

Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy.

Reference: CVE-2012-5810

Mobile banking application does not verify hostname, leading to financial loss.

Reference: CVE-2014-1266

chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint).

Reference: CVE-2000-1218

DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning.

Modes of Introduction

Phase: Architecture and Design
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Languages
Not Language-Specific (Undetermined)

Key Information

CWE ID: CWE-923

Abstraction: Class

Structure: Simple

Status: Incomplete

Related Weaknesses

Related Attack Patterns
CAPEC-161, CAPEC-481, CAPEC-501, CAPEC-697