CWE Individual Dictionary Definition (CWE version 2.11)

CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

Weakness ID: 923
Abstraction: Class
Status: Incomplete
+ Description

Description Summary

The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Extended Description

Attackers might be able to spoof the intended endpoint from a different system or process, thus gaining the same level of access as the intended endpoint.

While this issue frequently involves authentication between network-based clients and servers, other types of communication channels and endpoints can have this weakness.
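As an added illustration of the two checks a TLS client must perform to bind a channel to its intended endpoint (this code is not part of the CWE entry and is not MITRE's), the Python below contrasts a context that exhibits the weakness with a hardened one, and adds a small endpoint-matching routine over the certificate dictionary shape that `ssl.SSLSocket.getpeercert()` returns. The sample certificate, the host names and the function names are constructed for this example; only the `ssl` and `ipaddress` standard-library calls are real.

```python
"""Endpoint verification for a TLS client (added example, not CWE/MITRE content).

CWE-923 covers opening a channel without confirming that the peer is the
intended endpoint. For TLS that means two separate controls on the client:
  1. require and validate the server certificate chain (verify_mode), and
  2. check that the validated certificate was issued for the host we meant to
     reach (hostname binding), so a perfectly valid certificate for
     attacker.example cannot stand in for bank.example.
Skipping either one is the pattern this entry describes.
"""
import ssl
from ipaddress import ip_address


def weak_client_context() -> ssl.SSLContext:
    """Context that exhibits the weakness: chain verification and hostname
    binding are both disabled, so any certificate (or none) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Context that binds the channel to the endpoint: create_default_context()
    sets verify_mode=CERT_REQUIRED and check_hostname=True."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_binds_endpoint(ctx: ssl.SSLContext) -> bool:
    """Audit check usable in code review or a unit test: does this context
    require a trusted chain AND tie it to the requested host name?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def _dns_pattern_matches(pattern: str, name: str) -> bool:
    """Match one DNS SAN pattern against the intended host (constructed rules,
    in the spirit of RFC 6125): comparison is case-insensitive, a trailing dot
    is ignored, a wildcard is honoured only as the entire leftmost label, the
    pattern needs at least three labels (so '*.example' is rejected), and a
    wildcard never spans a dot ('*.api.bank.example' != 'a.v1.api.bank.example')."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == n_labels[1:]


def peer_is_intended_endpoint(cert: dict, intended_host: str) -> bool:
    """Decide whether an already chain-validated peer certificate (dict form
    as returned by getpeercert()) was issued for the endpoint we meant to reach.
    Only subjectAltName entries count; the Subject CN is deliberately ignored.
    An IP endpoint must appear as an 'IP Address' SAN and never matches a
    'DNS' entry."""
    try:
        target_ip = ip_address(intended_host)
    except ValueError:
        target_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if target_ip is not None:
            if kind == "IP Address":
                try:
                    if ip_address(value) == target_ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_pattern_matches(value, intended_host):
            return True
    return False


# Constructed sample (not a real certificate), shaped like getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (
        ("DNS", "www.bank.example"),
        ("DNS", "*.api.bank.example"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    print(context_binds_endpoint(weak_client_context()))                   # False
    print(context_binds_endpoint(hardened_client_context()))               # True
    print(peer_is_intended_endpoint(SAMPLE_CERT, "www.bank.example"))      # True
    print(peer_is_intended_endpoint(SAMPLE_CERT, "v1.api.bank.example"))   # True
    print(peer_is_intended_endpoint(SAMPLE_CERT, "a.v1.api.bank.example")) # False
    print(peer_is_intended_endpoint(SAMPLE_CERT, "attacker.example"))      # False
```

The CN-only case is the one worth remembering: a certificate whose Subject CN names the right host but that carries no matching SAN is rejected, because modern clients (and this routine) treat SAN as the only authoritative binding between the certificate and the endpoint.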

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
Scope: Integrity, Confidentiality

Effect (Technical Impact): Gain privileges / assume identity

If an attacker can spoof the endpoint, the attacker gains all the privileges that were intended for the original endpoint.

+ Relationships
Nature     Type              ID   Name                                                              View(s) this relationship pertains to
ChildOf    Weakness Class    284  Improper Access Control                                           Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf   Weakness Variant  291  Reliance on IP Address for Authentication                         Research Concepts 1000
ParentOf   Weakness Variant  297  Improper Validation of Certificate with Host Mismatch             Research Concepts (primary) 1000
ParentOf   Weakness Class    300  Channel Accessible by Non-Endpoint ('Man-in-the-Middle')          Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf   Weakness Base     322  Key Exchange without Entity Authentication                        Research Concepts (primary) 1000
ParentOf   Weakness Variant  350  Reliance on Reverse DNS Resolution for a Security-Critical Action Research Concepts 1000
ParentOf   Weakness Base     419  Unprotected Primary Channel                                       Research Concepts (primary) 1000
ParentOf   Weakness Base     420  Unprotected Alternate Channel                                     Research Concepts (primary) 1000
ParentOf   Weakness Variant  925  Improper Verification of Intent by Broadcast Receiver             Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf   Weakness Base     940  Improper Verification of Source of a Communication Channel        Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf   Weakness Base     941  Incorrectly Specified Destination in a Communication Channel      Development Concepts (primary) 699; Research Concepts (primary) 1000
CanFollow  Weakness Variant  350  Reliance on Reverse DNS Resolution for a Security-Critical Action Research Concepts 1000
+ Maintenance Notes

This entry will be made more comprehensive in later CWE versions.

+ Content History
Submissions
Submission Date  Submitter  Organization  Source
2013-06-23       (none)     MITRE         Internal CWE Team

Modifications
Modification Date  Modifier          Organization  Source
2014-02-18         CWE Content Team  MITRE         Internal
                   updated Description, Name, Relationships

Previous Entry Names
Change Date  Previous Entry Name
2014-02-18   Improper Authentication of Endpoint in a Communication Channel

Page Last Updated: May 05, 2017