Base · Medium

CWE-288: Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

CWE-288 · Base Level · 7 CVEs · 1 Mitigation

Description

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Potential Impact

Access Control

Bypass Protection Mechanism

Demonstrative Examples

Register SECURE_ME is located at address 0xF00. A mirror of this register, called COPY_OF_SECURE_ME, is at address 0x800F00. SECURE_ME is protected from malicious agents and only allows access to select initiators, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (acl_oh_allowlist). The identity of the initiator of the transaction is carried by the one-hot input incoming_id, which is checked against acl_oh_allowlist (the set of initiators allowed to access the asset): the write is authorized when the initiator's bit is set in the allowlist. Though this example is shown in Verilog, it applies to VHDL as well.
Informative
module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
  output [31:0] data_out;
  input  [31:0] data_in, incoming_id, address;
  input         clk, rst_n;
  wire          write_auth, addr_auth;
  reg    [31:0] data_out, acl_oh_allowlist, q;

  // Initiator check: incoming_id is one-hot, so the transaction is
  // authorized when its bit is set in the allowlist.
  assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;

  // Allowlist of initiators permitted to access SECURE_ME.
  always @*
    acl_oh_allowlist = 32'h8312;

  // Address check: only the primary address of SECURE_ME (0xF00) is
  // recognized; the mirror at 0x800F00 is not. This is the weakness.
  assign addr_auth = (address == 32'hF00) ? 1 : 0;

  always @ (posedge clk or negedge rst_n)
    if (!rst_n)
      begin
        q        <= 32'h0;
        data_out <= 32'h0;
      end
    else
      begin
        // Write only when both the address and the initiator are authorized.
        q        <= (addr_auth & write_auth) ? data_in : q;
        data_out <= q;
      end
endmodule
Bad
assign addr_auth = (address == 32'hF00) ? 1 : 0;
The buggy line is repeated in the Bad snippet above. The weakness arises because SECURE_ME can be modified by writing to its shadow register COPY_OF_SECURE_ME, whose address (0x800F00) is never included in the address check. That line should be replaced as shown in the Good snippet below, so that both addresses of the asset are subject to the same initiator check.
Good
assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1 : 0;

Mitigations & Prevention

Architecture and Design

Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
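The following is an added example, not code from the CWE entry or from any product it cites. It models CWE-288 in software: a "vulnerable" dispatcher lets each route authenticate itself, so a JSON API route that reaches the same admin function as the guarded HTML route becomes the alternate channel; a "hardened" Gateway is the single choke point, authenticating, rate-limiting and authorizing every non-public request before any handler runs, which also closes the GUI-versus-API lockout gap of CVE-2003-1035 above. All paths, users, passwords and the lockout threshold are constructed for the demo.

```python
"""Added example (not from the CWE entry): CWE-288 in a request router,
vulnerable version beside a single-choke-point version."""

from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

# Constructed user table: username -> (password, roles).  Plaintext only so the
# demo is self-contained; a real system stores salted password hashes.
USERS = {
    "alice": ("s3cret", frozenset({"admin"})),
    "bob": ("hunter2", frozenset()),
}


@dataclass
class Request:
    path: str
    user: Optional[str] = None
    password: Optional[str] = None


def verify_password(user, password):
    """Credential check shared by both dispatchers."""
    record = USERS.get(user)
    if record is None or password is None:
        return False
    return compare_digest(record[0].encode(), password.encode())


def create_admin_account(req):
    """The sensitive operation.  Whoever reaches this function wins."""
    return f"admin account created by {req.user}"


# --- Vulnerable: every handler authenticates itself (or forgets to) ---------

def vulnerable_dispatch(req):
    """The HTML form route checks credentials; the JSON API route added later
    calls the same function without any check.  That API route is the
    'alternate path or channel' of CWE-288."""
    if req.path == "/admin":
        if not verify_password(req.user, req.password):
            return 401, "unauthorized"
        return 200, create_admin_account(req)
    if req.path == "/api/admin":          # alternate channel: no check at all
        return 200, create_admin_account(req)
    return 404, "not found"


# --- Hardened: one choke point in front of every route ----------------------

class Gateway:
    """Single dispatcher.  Authentication, lockout and authorization run here,
    before any handler, so adding a route cannot silently skip them."""

    PUBLIC = frozenset({"/", "/login"})       # explicit allowlist of open paths
    # path -> (role required, handler).  Both the GUI and the API route for the
    # admin function are registered with the same requirement.
    ROUTES = {
        "/admin": ("admin", create_admin_account),
        "/api/admin": ("admin", create_admin_account),
        "/profile": (None, lambda req: f"profile of {req.user}"),
    }

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = {}                    # username -> failed attempts

    def handle(self, req):
        if req.path in self.PUBLIC:
            return 200, "public page"

        # Choke point: every non-public request, whatever path it used, is
        # authenticated here.  Lockout is enforced here too, so an API caller
        # cannot brute-force what the GUI locks.  (The demo never unlocks; a
        # real system would time-bound the lock.)
        if req.user is None:
            return 401, "unauthorized"
        if self.failures.get(req.user, 0) >= self.max_failures:
            return 423, "locked"
        if not verify_password(req.user, req.password):
            self.failures[req.user] = self.failures.get(req.user, 0) + 1
            return 401, "unauthorized"
        self.failures[req.user] = 0

        spec = self.ROUTES.get(req.path)
        if spec is None:
            return 404, "not found"
        required_role, handler = spec
        if required_role is not None and required_role not in USERS[req.user][1]:
            return 403, "forbidden"
        return 200, handler(req)


def demo():
    """Self-check: (unauthenticated API result on the vulnerable router,
    the same request on the Gateway, the Gateway after three bad guesses)."""
    bypass = vulnerable_dispatch(Request("/api/admin"))
    gw = Gateway()
    no_creds = gw.handle(Request("/api/admin"))
    for _ in range(3):
        gw.handle(Request("/api/admin", "alice", "wrong"))
    locked = gw.handle(Request("/api/admin", "alice", "s3cret"))
    return bypass, no_creds, locked


if __name__ == "__main__":
    print(demo())
```

The point of the Gateway is structural rather than cryptographic: the route table is data, the checks live in one place, and a newly added path cannot reach a handler without passing through them. Auditing for CWE-288 then reduces to two questions: is every entry point actually routed through the choke point, and is the PUBLIC allowlist as small as it should be.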

Real-World CVE Examples

CVE ID          Description
CVE-2000-1179   Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.
CVE-1999-1454   Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.
CVE-1999-1077   OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable
CVE-2003-0304   Direct request of installation file allows attacker to create administrator accounts.
CVE-2002-0870   Attackers may gain additional privileges by directly requesting the web management URL.
CVE-2002-0066   Bypass authentication via direct request to named pipe.
CVE-2003-1035   User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.

Taxonomy Mappings

  • PLOVER: Authentication Bypass by Alternate Path/Channel
  • OWASP Top Ten 2007: A10 — Failure to Restrict URL Access

Frequently Asked Questions

What is CWE-288?

CWE-288 (Authentication Bypass Using an Alternate Path or Channel) is a weakness catalogued in MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness and applies to hardware as well as software. The product requires authentication, but the product has an alternate path or channel that does not require authentication.

How can CWE-288 be exploited?

Attackers exploit CWE-288 (Authentication Bypass Using an Alternate Path or Channel) to bypass a protection mechanism: instead of the authenticated front door, they reach the protected function through a second entry point that performs no check, such as a directly requested management URL, an API used in place of the GUI, a named pipe, or a mirrored register address. This weakness is typically introduced during the Architecture and Design phase of development.

How do I prevent CWE-288?

The key mitigation, applied at the Architecture and Design stage, is to funnel all access through a single choke point to simplify how users can access a resource, and, for every access, to perform a check to determine whether the user has permission to access the resource.

What is the severity of CWE-288?

CWE-288 is a Base-level weakness in the CWE abstraction hierarchy and is rated Medium on this page. It is associated with the 7 real-world CVEs listed above.