Weakness ID: 420
Abstraction: Base
Status: Draft
The software protects a primary channel, but it does not use the same level of protection for an alternate channel.
Time of Introduction
Architecture and Design
Technical Impact: Gain privileges / assume identity; Bypass protection
DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be
Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the
User can avoid lockouts by using an API instead of the GUI to conduct brute force password
FTP service can not be disabled even when other access controls would require it.
Windows named pipe created without authentication/access control, allowing configuration
Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.
Phase: Architecture and Design
Identify all alternate channels and use the same protection mechanisms
that are used for the primary channels.
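The lockout example above (an API that skips the GUI's lockout) and this mitigation, as an added Python sketch that is not part of the CWE entry: a GUI and an API login handler over one credential store, with the API shown once without the shared lockout and once routed through it. All names, the threshold and the salt are assumptions made for the illustration.

```python
import hashlib
import hmac

MAX_FAILURES = 3            # assumed lockout threshold
SALT = b"constructed-salt"  # constructed; a real store uses a per-user random salt


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


class AuthGuard:
    """Single enforcement point: credential check plus failure lockout."""

    def __init__(self, users: dict):
        self.users = users      # username -> password hash
        self.failures = {}      # username -> consecutive failed attempts

    def check_password(self, user: str, password: str) -> bool:
        stored = self.users.get(user, b"")
        return hmac.compare_digest(stored, pw_hash(password))

    def login(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if self.check_password(user, password):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


def gui_login(guard, user, password):
    """Primary channel: always goes through the lockout policy."""
    return guard.login(user, password)


def api_login_unprotected(guard, user, password):
    """Alternate channel with the weakness: password check only, no lockout."""
    return "ok" if guard.check_password(user, password) else "denied"


def api_login_protected(guard, user, password):
    """Alternate channel routed through the same guard as the GUI."""
    return guard.login(user, password)


def attempts_evaluated(login_fn, guard, user, passwords):
    """How many submitted passwords the channel actually checked (not 'locked')."""
    return sum(login_fn(guard, user, p) != "locked" for p in passwords)
```

A regression test that replays the same failed attempts against every login entry point and expects the same count from each is a cheap way to catch a channel that was added later without the guard.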
This can be primary to authentication errors, and resultant from unhandled
Mapped Taxonomy Name: PLOVER
Mapped Node Name: Unprotected Alternate Channel
Submissions
PLOVER (Source: Externally Mined)
Modifications
2008-07-01, Eric Dalci, Cigital (External): updated Potential_Mitigations, Time_of_Introduction
2008-09-08, CWE Content Team, MITRE (Internal): updated Relationships, Relationship_Notes, Taxonomy_Mappings
2011-06-01, CWE Content Team, MITRE (Internal): updated Common_Consequences
2012-05-11, CWE Content Team, MITRE (Internal): updated Relationships
2012-10-30, CWE Content Team, MITRE (Internal): updated Potential_Mitigations
2013-07-17, CWE Content Team, MITRE (Internal): updated Applicable_Platforms, Potential_Mitigations, Relationships
2014-07-30, CWE Content Team, MITRE (Internal): updated Relationships