Unprotected Alternate Channel

Status: Draft
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when an application secures its main communication path but leaves a backup or alternative channel with weaker or no protection.

Extended Description

Think of an application that uses strong encryption for its primary web login but sends password reset codes via unencrypted SMS. An attacker can ignore the fortified main door and easily intercept data through this neglected side channel. This creates a false sense of security, as the overall system is only as strong as its weakest point. Developers often focus all their security efforts on the obvious primary path, forgetting that attackers actively seek out these alternate, less-guarded routes. To prevent this, you must perform a thorough threat model that maps all data flows, not just the primary ones. Apply consistent security controls—like encryption, authentication, and integrity checks—across every channel that handles sensitive data or critical commands. Regularly test both primary and alternate paths during security assessments to ensure your defenses are uniform and comprehensive.

Common Consequences
Scope: Access Control

Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism

Potential Mitigations
Phase: Architecture and Design
Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.
Demonstrative Examples

ID: DX-176

Register SECURE_ME is located at address 0xF00. A mirror of this register, called COPY_OF_SECURE_ME, is at address 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to selected initiators, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one-hot input incoming_id, which is checked against acl_oh_allowlist (the list of initiators that are allowed to access the asset). Though this example is shown in Verilog, it applies to VHDL as well.

Code Example:

Informative
Verilog

module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
    output [31:0] data_out;
    input [31:0] data_in, incoming_id, address;
    input clk, rst_n;
    wire write_auth, addr_auth;
    reg [31:0] data_out, acl_oh_allowlist, q;

    // Initiator check: the write is authorised when any bit of the
    // one-hot incoming_id matches a bit set in the allowlist.
    assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;

    // Allowlist of permitted initiators (illustrative constant; the
    // original entry's value is not reproduced on this page).
    always @*
        acl_oh_allowlist = 32'h0000_0005;

    // Address check: only the primary address is recognised as the asset.
    // This is the buggy line discussed below.
    assign addr_auth = (address == 32'hF00) ? 1 : 0;

    // The protected register is updated only when both checks pass.
    always @(posedge clk or negedge rst_n)
        if (!rst_n) begin
            q <= 32'h0; data_out <= 32'h0;
        end else begin
            q <= (addr_auth & write_auth) ? data_in : q;
            data_out <= q;
        end
endmodule

Code Example:

Bad
Verilog

assign addr_auth = (address == 32'hF00) ? 1 : 0;

The buggy line of code is repeated in the Bad example above. The weakness arises because the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME, whose address is never recognised as the protected asset and so never subjected to the allowlist check. The address of COPY_OF_SECURE_ME must also be included in the check, so that both aliases of the register are covered. The buggy line should instead be replaced as shown in the Good code snippet below.

Code Example:

Good
Verilog

assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1 : 0;
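As an added example (not code from the CWE entry), here is a Python behavioural model of the check above: the bus aliases both addresses onto one physical register and consults the allowlist only for transactions its address decoder recognises as the asset, so the Bad decoder lets a non-allowlisted initiator change SECURE_ME through the mirror while the Good decoder refuses it. The allowlist value and the initiator IDs are constructed for the demonstration.

```python
# Added example, not part of the CWE entry: a behavioural model of the
# foo_bar access check. Both addresses alias one physical register, and the
# allowlist is enforced only where the decoder (is_asset) recognises the asset.
SECURE_ME_ADDR = 0xF00             # primary address (from the page)
COPY_OF_SECURE_ME_ADDR = 0x800F00  # mirror / shadow address (from the page)
ACL_OH_ALLOWLIST = 0b101           # constructed one-hot allowlist: initiators 0 and 2


def write_auth(incoming_id: int, allowlist: int = ACL_OH_ALLOWLIST) -> bool:
    """Same rule as `| (incoming_id & acl_oh_allowlist)`: any common bit authorises."""
    return (incoming_id & allowlist) != 0


def addr_auth_bad(address: int) -> bool:
    """Buggy decoder from the Bad snippet: only the primary address is the asset."""
    return address == SECURE_ME_ADDR


def addr_auth_good(address: int) -> bool:
    """Fixed decoder from the Good snippet: both aliases are the asset."""
    return address in (SECURE_ME_ADDR, COPY_OF_SECURE_ME_ADDR)


class SecureRegisterBus:
    def __init__(self, is_asset):
        self.is_asset = is_asset   # the addr_auth variant under test
        self.secure_me = 0         # single storage behind both addresses

    def write(self, address: int, data: int, incoming_id: int) -> bool:
        """Apply a bus write; returns True if the register was updated."""
        if address not in (SECURE_ME_ADDR, COPY_OF_SECURE_ME_ADDR):
            return False           # not this slave's register
        # The allowlist is applied only to transactions the decoder recognises
        # as the protected asset; an unrecognised alias skips the check entirely.
        if self.is_asset(address) and not write_auth(incoming_id):
            return False
        self.secure_me = data & 0xFFFF_FFFF
        return True


def shadow_write_changes_asset(is_asset, untrusted_id: int = 0b010) -> bool:
    """True if a non-allowlisted initiator can alter SECURE_ME via the mirror."""
    bus = SecureRegisterBus(is_asset)
    bus.write(SECURE_ME_ADDR, 0xAAAA_AAAA, incoming_id=0b001)       # trusted
    bus.write(COPY_OF_SECURE_ME_ADDR, 0x5555_5555, incoming_id=untrusted_id)
    return bus.secure_me == 0x5555_5555
```

Running `shadow_write_changes_asset(addr_auth_bad)` returns True and `shadow_write_changes_asset(addr_auth_good)` returns False; the same model is a convenient place to add further alias addresses when reviewing a real register map.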

Observed Examples
CVE-2020-8004: When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
CVE-2002-0567: DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.
CVE-2002-1578: Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.
CVE-2003-1035: User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
CVE-2002-1863: FTP service can not be disabled even when other access controls would require it.
CVE-2002-0066: Windows named pipe created without authentication/access control, allowing configuration modification.
CVE-2004-1461: Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Operation
Taxonomy Mapping
  • PLOVER
Notes
Relationship: This can be primary to authentication errors, and resultant from unhandled error conditions.