Description
The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.
This creates a race condition: an attacker who reaches the channel before the authorized user does can take it over.
Potential Impact
Access Control
Gain Privileges or Assume Identity, Bypass Protection Mechanism
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-1999-0351 | FTP "Pizza Thief" vulnerability. Attacker can connect to a port that was intended for use by another client. |
| CVE-2003-0230 | Product creates Windows named pipe during authentication that another attacker can hijack by connecting to it. |
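The pattern behind both CVE rows, as an added example that is not part of the CWE entry or of either product: a server hands an authenticated user a second, ephemeral TCP port (the alternate channel), and in the vulnerable variant whoever connects to that port first receives the data. The hardened variant binds the new channel to the authenticated session with a one-time token that the server issued over the original, authenticated channel and checks in constant time before serving anyone. The loopback addresses, the `SECRET` payload, the 32-byte token length and the ordering of the race (uninvited party first, authorized user second) are all constructed for the demonstration; a peer-address check alone would not have helped here, because both parties come from the same host.

```python
import secrets
import socket
import threading

TOKEN_LEN = 32
SECRET = b"SECRET-DATA"   # constructed payload meant only for the authorized user


def open_alternate_channel():
    """Bind an ephemeral loopback port: this is the 'alternate channel' of CWE-421."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    return listener, listener.getsockname()[1]


def recv_exact(conn, n):
    """Read up to n bytes; stop early if the peer closes or the socket times out."""
    buf = b""
    try:
        while len(buf) < n:
            chunk = conn.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def accept_vulnerable(listener):
    """CWE-421 pattern: the first connection on the alternate port wins; nothing ties
    it to the user who was authorized on the original channel."""
    conn, _ = listener.accept()
    return conn


def accept_hardened(listener, expected_token, timeout=1.0):
    """Mitigation: serve only the connection that presents the one-time token the
    authorized user received over the authenticated channel; drop everything else."""
    listener.settimeout(5.0)
    while True:
        conn, _ = listener.accept()
        conn.settimeout(timeout)
        presented = recv_exact(conn, TOKEN_LEN)
        # compare_digest avoids leaking the token through timing differences
        if secrets.compare_digest(presented, expected_token):
            return conn
        conn.close()   # missing or wrong token: not the party we authorized


def read_channel(port, handshake):
    """Connect to the alternate port, optionally present a token, and return what arrives."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3.0) as conn:
            if handshake:
                conn.sendall(handshake)
            return recv_exact(conn, len(SECRET))
    except OSError:          # refused or reset: the channel was not served to us
        return b""


def simulate(hardened):
    """Constructed race: an uninvited party reaches the alternate port before the
    authorized user. Returns (what_the_intruder_got, what_the_user_got)."""
    listener, port = open_alternate_channel()
    token = secrets.token_bytes(TOKEN_LEN)   # in a real system: sent over the authenticated channel

    def server():
        try:
            conn = accept_hardened(listener, token) if hardened else accept_vulnerable(listener)
            conn.sendall(SECRET)
            conn.close()
        except OSError:
            pass
        finally:
            listener.close()

    worker = threading.Thread(target=server)
    worker.start()
    intruder_got = read_channel(port, handshake=b"")   # arrives first, knows no token
    user_got = read_channel(port, handshake=token)     # arrives second, presents the token
    worker.join()
    return intruder_got, user_got


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))   # intruder receives the data
    print("hardened:  ", simulate(hardened=True))    # only the authorized user does
```

The token is the session binding the weakness lacks: it must be unpredictable, delivered only over the already-authenticated channel, and checked before any data is sent. Detecting the weak pattern in review comes down to asking, for every secondary port, pipe or socket a product opens, what evidence the acceptor has that the connecting party is the one it authorized.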
Related Weaknesses
Taxonomy Mappings
- PLOVER: Alternate Channel Race Condition
Frequently Asked Questions
What is CWE-421?
CWE-421 (Race Condition During Access to Alternate Channel) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.
How can CWE-421 be exploited?
Attackers can exploit CWE-421 (Race Condition During Access to Alternate Channel) to gain privileges or assume another identity, or to bypass a protection mechanism. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-421?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-421?
CWE-421 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.