{"@ID": "420", "@Name": "Unprotected Alternate Channel", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product protects a primary channel, but it does not use the same level of protection for an alternate channel.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "923", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase."}, {"Phase": "Implementation"}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": ["Gain Privileges or Assume Identity", "Bypass Protection Mechanism"]}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Architecture and Design", "Description": "Identify all alternate channels and use the same protection mechanisms that are used for the primary channels."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-176", "Intro_Text": {"xhtml:p": ["Register SECURE_ME is located at address 0xF00. A\n                 mirror of this register called COPY_OF_SECURE_ME is\n                 at location 0x800F00. The register SECURE_ME is\n                 protected from malicious agents and only allows\n                 access to select, while COPY_OF_SECURE_ME is not.", "Access control is implemented using an allowlist (as\n                 indicated by acl_oh_allowlist). The identity of the\n                 initiator of the transaction is indicated by the\n                 one hot input, incoming_id. This is checked against\n                 the acl_oh_allowlist (which contains a list of\n                 initiators that are allowed to access the asset).", "Though this example is shown in Verilog, it will\n                 apply to VHDL as well."]}, "Example_Code": [{"@Nature": "Informative", "@Language": "Verilog", "xhtml:br": [null, null, null, null, null, null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "acl_oh_allowlist <= 32'h8312;"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "q <= 32'h0;\n                     data_out <= 32'h0;"}, "#text": "begin\n                   \n                   end"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "q <= (addr_auth & write_auth) ? data_in: q;\n                     data_out <= q;"}, "#text": "begin\n                   \n                   end"}], "#text": "if (!rst_n)\n                 \n                 else\n                 \n                 end"}], "#text": "module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);\n               output [31:0] data_out;\n               input [31:0] data_in, incoming_id, address;\n               input clk, rst_n;\n               wire write_auth, addr_auth;\n               reg [31:0] data_out, acl_oh_allowlist, q;\n               assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; \n               always @*\n               \n               assign addr_auth = (address == 32'hF00) ? 1: 0;\n               always @ (posedge clk or negedge rst_n)\n               \n               endmodule"}, {"@Nature": "Bad", "@Language": "Verilog", "#text": "assign addr_auth = (address == 32'hF00) ? 1: 0;"}, {"@Nature": "Good", "@Language": "Verilog", "#text": "assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1: 0;"}], "Body_Text": "The bugged line of code is repeated in the Bad\n             example above. The weakness arises from the fact that the\n             SECURE_ME register can be modified by writing to the\n             shadow register COPY_OF_SECURE_ME. The address of\n             COPY_OF_SECURE_ME should also be included in the check.\n             That buggy line of code should instead be replaced as\n             shown in the Good Code Snippet below."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2020-8004", "Description": "When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-8004"}, {"Reference": "CVE-2002-0567", "Description": "DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0567"}, {"Reference": "CVE-2002-1578", "Description": "Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1578"}, {"Reference": "CVE-2003-1035", "Description": "User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-1035"}, {"Reference": "CVE-2002-1863", "Description": "FTP service can not be disabled even when other access controls would require it.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1863"}, {"Reference": "CVE-2002-0066", "Description": "Windows named pipe created without authentication/access control, allowing configuration modification.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0066"}, {"Reference": "CVE-2004-1461", "Description": "Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-1461"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "PLOVER", "Entry_Name": "Unprotected Alternate Channel"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Relationship", "#text": "This can be primary to authentication errors, and resultant from unhandled error conditions."}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Relationship_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-07-17", "Modification_Version": "2.5", "Modification_ReleaseDate": "2013-07-17", "Modification_Comment": "updated Applicable_Platforms, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}]}}
