Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (2.7)


CWE-421: Race Condition During Access to Alternate Channel

Weakness ID: 421 (Weakness Base)
Status: Draft
+ Description

Description Summary

The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.

Extended Description

This creates a race condition that allows an attacker to access the channel before the authorized user does.
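
The sketch below is an added example, not part of the CWE entry. It contrasts an alternate channel that accepts the first peer to connect with one that is bound to a one-time token. The function names, the loopback listener and the assumption that the token reaches the user over the already-authenticated main channel are all illustrative.

```python
import hmac, secrets, socket

TOKEN_LEN = 16  # bytes; size chosen for this sketch

def open_channel():
    """Open the alternate channel on loopback and mint a one-time token.
    Assumption: the token reaches the user over the authenticated main channel."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(4)
    return lst, secrets.token_bytes(TOKEN_LEN)

def recv_exact(conn, n):
    """Read exactly n bytes, or fewer if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def accept_first(lst, token=None):
    """Weak form (CWE-421): whoever connects first owns the channel."""
    return lst.accept()[0]

def accept_bound(lst, token, attempts=8, timeout=2.0):
    """Hardened form: drop every peer that cannot present the token."""
    lst.settimeout(timeout)
    for _ in range(attempts):
        conn, _ = lst.accept()
        conn.settimeout(timeout)
        try:
            presented = recv_exact(conn, TOKEN_LEN)
        except OSError:  # timeout or reset while waiting for the token
            presented = b""
        if hmac.compare_digest(presented, token):
            return conn
        conn.close()
    raise PermissionError("no peer presented the channel token")

def demo(accept):
    """Constructed scenario: another actor connects before the authorized user."""
    lst, token = open_channel()
    other = socket.create_connection(lst.getsockname())
    other.sendall(b"\x00" * TOKEN_LEN)  # constructed input: this peer does not know the token
    user = socket.create_connection(lst.getsockname())
    user.sendall(token)
    conn = accept(lst, token)
    winner = "user" if conn.getpeername() == user.getsockname() else "other"
    for s in (conn, other, user, lst):
        s.close()
    return winner
```

With accept_first the channel goes to whichever peer connected first; with accept_bound the earlier connection is closed and the channel goes to the peer holding the token.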

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms



+ Common Consequences

Technical Impact: Gain privileges / assume identity; Bypass protection mechanism

+ Observed Examples
FTP "Pizza Thief" vulnerability. Attacker can connect to a port that was intended for use by another client.
Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it.
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Development Concepts (699); Research Concepts (1000)
ChildOf | Weakness Base | 420 | Unprotected Alternate Channel | Development Concepts (primary) (699); Research Concepts (primary) (1000)
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) (631)
ChildOf | Category | 902 | SFP Cluster: Channel | Software Fault Pattern (SFP) Clusters (primary) (888)
+ Affected Resources
  • System Process
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Alternate Channel Race Condition
+ References
Blake Watts. "Discovering and Exploiting Named Pipe Security Flaws for Fun and Profit". April 2002.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 13: Race Conditions." Page 205. McGraw-Hill. 2010.
+ Content History
Submission Date | Submitter | Organization | Source
Externally Mined
Modification Date | Modifier | Organization | Source
updated Potential_Mitigations, Time_of_Introduction
updated Relationships, Observed_Example, Other_Notes, Taxonomy_Mappings, Type
updated Description
updated References
updated Common_Consequences
updated References, Relationships
updated Potential_Mitigations
updated Other_Notes
Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Alternate Channel Race Condition
Page Last Updated: June 23, 2014