CWE-420: Unprotected Alternate Channel

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

CWE-420 · Base Level · 7 CVEs · 1 Mitigation

Potential Impact

Access Control

Gain Privileges or Assume Identity, Bypass Protection Mechanism

Demonstrative Examples

Register SECURE_ME is located at address 0xF00. A mirror of this register, called COPY_OF_SECURE_ME, is at address 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to selected initiators, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (acl_oh_allowlist). The identity of the initiator of the transaction is given by the one-hot input incoming_id, which is checked against acl_oh_allowlist (the set of initiators that are allowed to access the asset). Though this example is shown in Verilog, it applies equally to VHDL.
Informative
module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
  output [31:0] data_out;
  input  [31:0] data_in, incoming_id, address;
  input         clk, rst_n;
  wire          write_auth, addr_auth;
  reg    [31:0] data_out, acl_oh_allowlist, q;

  // The initiator is authorised when any bit of its one-hot id is set in the allowlist
  assign write_auth = (| (incoming_id & acl_oh_allowlist)) ? 1 : 0;

  // Allowlist of permitted initiators (a constant in this example)
  always @*
    acl_oh_allowlist = 32'h8312;

  // Address decode for the protected asset: only SECURE_ME (0xF00) is recognised;
  // its mirror at 0x800F00 is not covered (this is the weakness)
  assign addr_auth = (address == 32'hF00) ? 1 : 0;

  always @(posedge clk or negedge rst_n)
    begin
      if (!rst_n)
        begin
          q        <= 32'h0;
          data_out <= 32'h0;
        end
      else
        begin
          // The write is committed only when both the address and the initiator are authorised
          q        <= (addr_auth & write_auth) ? data_in : q;
          data_out <= q;
        end
    end
endmodule
Bad
assign addr_auth = (address == 32'hF00) ? 1 : 0;
The buggy line is repeated in the Bad snippet above. The weakness arises because the SECURE_ME register can be modified by writing to its shadow register COPY_OF_SECURE_ME, whose address 0x800F00 is not covered by the check. The address of COPY_OF_SECURE_ME should also be included, so that the mirror is gated by the same allowlist as the primary register, as shown in the Good snippet below.
Good
assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1 : 0;
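The following is an added behavioural model of the demonstrative example; it is not the CWE page's own code. It re-implements the foo_bar register logic in Python so that the Bad and Good addr_auth variants can be driven with the same stimulus, and it goes slightly beyond the page by adding a generic CWE-420 check, `same_protection`, that a reviewer can apply to any register map: for every initiator, an alternate address of an asset must behave exactly like the primary address. The addresses, the allowlist constant 32'h8312 and the one-hot initiator scheme are taken from the page; the class and function names, and the stimulus values, are my own constructions.

```python
"""Behavioural model of the CWE-420 demonstrative example (added illustration,
not the CWE page's own code). Addresses, allowlist and one-hot scheme follow
the page's Verilog; the stimulus values below are constructed."""

SECURE_ME = 0x00000F00          # primary address of the protected register
COPY_OF_SECURE_ME = 0x00800F00  # mirror of the same register (alternate channel)
ACL_OH_ALLOWLIST = 0x00008312   # one-hot allowlist, as in the page's Verilog
MASK32 = 0xFFFFFFFF


def write_auth(incoming_id: int) -> bool:
    """`assign write_auth = | (incoming_id & acl_oh_allowlist)`: the initiator is
    authorised when any bit of its one-hot id is set in the allowlist."""
    return (incoming_id & ACL_OH_ALLOWLIST) != 0


def addr_auth_bad(address: int) -> bool:
    """The page's Bad line: only the primary address is recognised."""
    return address == SECURE_ME


def addr_auth_good(address: int) -> bool:
    """The page's Good line: primary and mirror are recognised identically."""
    return address in (SECURE_ME, COPY_OF_SECURE_ME)


class FooBar:
    """Cycle-level model of the module's clocked block (registers q and data_out)."""

    def __init__(self, addr_auth):
        self.addr_auth = addr_auth
        self.reset()

    def reset(self):
        """Asynchronous reset branch (rst_n low)."""
        self.q = 0
        self.data_out = 0

    def clock(self, data_in: int, incoming_id: int, address: int) -> int:
        """One rising clock edge. Both nonblocking assignments read the old q,
        so data_out lags q by one cycle. Returns data_out after the edge."""
        gated = self.addr_auth(address) and write_auth(incoming_id)
        new_q = (data_in & MASK32) if gated else self.q
        self.data_out = self.q
        self.q = new_q
        return self.data_out


def write_lands(addr_auth, address: int, incoming_id: int, value: int = 0xDEADBEEF) -> bool:
    """Drive one write cycle, then one idle cycle so q becomes visible on data_out;
    report whether the written value reached the register."""
    dut = FooBar(addr_auth)
    dut.clock(value, incoming_id, address)
    return dut.clock(0, 0, 0) == value


def same_protection(addr_auth, primary: int, alternate: int, initiators) -> list:
    """CWE-420 property: for every initiator the alternate channel must behave
    exactly like the primary one. Returns the initiator ids where they differ;
    an empty list means both channels share the same protection."""
    return [i for i in initiators
            if write_lands(addr_auth, primary, i) != write_lands(addr_auth, alternate, i)]


# Constructed stimulus: every possible one-hot initiator id.
ALL_ONE_HOT = [1 << b for b in range(32)]


if __name__ == "__main__":
    for name, fn in (("Bad", addr_auth_bad), ("Good", addr_auth_good)):
        diverging = same_protection(fn, SECURE_ME, COPY_OF_SECURE_ME, ALL_ONE_HOT)
        print(f"{name}: primary and mirror differ for {len(diverging)} initiator id(s):",
              [hex(i) for i in diverging])
```

With the Bad decode the check reports the five allowlisted initiator ids (bits 1, 4, 8, 9 and 15 of 32'h8312), because for them the primary address is gated by the allowlist while the mirror is handled by something else entirely; with the Good decode it reports none. Pointing `same_protection` at every (primary, alias) pair in a register map is a cheap way to catch the class of defect this entry describes before tape-out.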

Mitigations & Prevention

Architecture and Design

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

Real-World CVE Examples

  • CVE-2020-8004: When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
  • CVE-2002-0567: DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another a
  • CVE-2002-1578: Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.
  • CVE-2003-1035: User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
  • CVE-2002-1863: FTP service cannot be disabled even when other access controls would require it.
  • CVE-2002-0066: Windows named pipe created without authentication/access control, allowing configuration modification.
  • CVE-2004-1461: Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.

Taxonomy Mappings

  • PLOVER: Unprotected Alternate Channel

Frequently Asked Questions

What is CWE-420?

CWE-420 (Unprotected Alternate Channel) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

How can CWE-420 be exploited?

Attackers can exploit CWE-420 (Unprotected Alternate Channel) to gain privileges or assume identity and to bypass protection mechanisms. This weakness is typically introduced during the Architecture and Design, Implementation, or Operation phases of software development.

How do I prevent CWE-420?

The key mitigation is to identify all alternate channels and apply to them the same protection mechanisms that are used for the primary channels.

What is the severity of CWE-420?

CWE-420 is classified as a Base-level weakness (Medium abstraction). It has been observed in 7 real-world CVEs.