Observable Behavioral Discrepancy With Equivalent Products

Draft Variant

Structure: Simple

Description

This vulnerability occurs when a system that should remain anonymous behaves differently than other products with the same purpose, allowing attackers to detect and identify it.

Extended Description

In many environments, multiple products perform identical functions—like web servers or firewalls. Attackers use 'fingerprinting' techniques to spot subtle behavioral differences between them, such as unique error messages, response headers, or timing patterns. Once they identify the specific product, they can launch targeted, efficient attacks against its known weaknesses. While some organizations openly disclose their technology stack, others—like those in high-security or intelligence operations—require complete anonymity. In these contexts, any observable discrepancy in behavior becomes a security risk. It can reveal the product's vendor, version, or configuration, undermining the protection that anonymity provides and making the system a clearer target for exploitation.

Common Consequences 1

Scope: ConfidentialityAccess Control

Impact: Read Application DataBypass Protection Mechanism

Observed Examples 3

CVE-2002-0208Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.

CVE-2004-2252Behavioral infoleak by responding to SYN-FIN packets.

CVE-2000-1142Honeypot generates an error with a "pwd" command in a particular directory, allowing attacker to know they are in a honeypot system.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Weaknesses

ChildOf:

Observable Behavioral Discrepancy (CWE-205)

Taxonomy Mapping

PLOVER