Authentication Bypass Using an Alternate Path or Channel

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations
Phase: Architecture and Design
Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
Demonstrative Examples

ID : DX-176

Register SECURE_ME is located at address 0xF00. A mirror of this register, called COPY_OF_SECURE_ME, is at address 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to selected initiators, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one-hot input incoming_id, which is checked against acl_oh_allowlist (the list of initiators that are allowed to access the asset). Though this example is shown in Verilog, it applies to VHDL as well.

Code Example:

Informative
Verilog

module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
output [31:0] data_out;
input [31:0] data_in, incoming_id, address;
input clk, rst_n;
wire write_auth, addr_auth;
reg [31:0] data_out, acl_oh_allowlist, q;
// write_auth is 1 when the one-hot initiator id matches any allowlisted bit
assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;
// allowlist of initiators permitted to write the asset (the constant is a placeholder value)
always @*
    acl_oh_allowlist = 32'h0000_0001;
// only the primary address is decoded as protected; the mirror at 0x800F00 is not checked
assign addr_auth = (address == 32'hF00) ? 1 : 0;
// the protected register is updated only when both the address and initiator checks pass
always @(posedge clk or negedge rst_n)
    if (!rst_n) begin
        q <= 32'h0;
        data_out <= 32'h0;
    end else begin
        q <= (addr_auth & write_auth) ? data_in : q;
        data_out <= q;
    end
endmodule

Code Example:

Bad
Verilog

// only writes to 0xF00 are gated; the mirror at 0x800F00 reaches the same register unchecked
assign addr_auth = (address == 32'hF00) ? 1 : 0;

The buggy line of code is repeated in the Bad example above. The weakness arises because the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME, so the address of COPY_OF_SECURE_ME must also be included in the check. That line should be replaced as shown in the Good code snippet below.

Code Example:

Good
Verilog

// both the primary address and its mirror are decoded as protected, so every path is gated
assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1 : 0;
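The following C model, added here and not part of the CWE entry, simulates the bus-side check from the example above with the bad and good decoders side by side. It assumes both addresses alias the same storage and uses a constructed allowlist value.

```c
#include <stdbool.h>
#include <stdint.h>
/* Addresses from the CWE example: the protected register and its mirror. */
#define SECURE_ME          0x000F00u
#define COPY_OF_SECURE_ME  0x800F00u
/* Constructed one-hot allowlist (assumption): initiators 0 and 3 may write. */
#define ACL_OH_ALLOWLIST   0x00000009u
typedef bool (*addr_auth_fn)(uint32_t address);

/* Mirrors the Verilog write_auth: the one-hot id hits an allowlisted bit. */
bool write_auth(uint32_t incoming_id) {
    return (incoming_id & ACL_OH_ALLOWLIST) != 0;
}

/* Bad decoder: only the primary address is recognised as protected. */
bool addr_auth_bad(uint32_t address) {
    return address == SECURE_ME;
}

/* Good decoder: every path that reaches the register is protected. */
bool addr_auth_good(uint32_t address) {
    return address == SECURE_ME || address == COPY_OF_SECURE_ME;
}

/* Simulated bus write. Both addresses alias the same storage (*secure_me),
 * so the decoder alone decides whether the ACL is consulted before the
 * write lands. Returns true when the write is accepted. */
bool bus_write(addr_auth_fn addr_auth, uint32_t *secure_me,
               uint32_t address, uint32_t data, uint32_t incoming_id) {
    if (addr_auth(address) && !write_auth(incoming_id))
        return false;                    /* denied at the choke point */
    if (address == SECURE_ME || address == COPY_OF_SECURE_ME)
        *secure_me = data;               /* same register either way */
    return true;
}

/* Can an initiator NOT on the allowlist change SECURE_ME via the mirror? */
bool mirror_bypass_possible(addr_auth_fn addr_auth) {
    uint32_t secure_me = 0;
    bool ok = bus_write(addr_auth, &secure_me, COPY_OF_SECURE_ME, 0xABCD0001u, 0x2u);
    return ok && secure_me == 0xABCD0001u;
}

/* Does an allowlisted initiator's write to the primary address still land? */
bool legitimate_write_lands(addr_auth_fn addr_auth) {
    uint32_t secure_me = 0;
    return bus_write(addr_auth, &secure_me, SECURE_ME, 0x1234u, 0x1u) && secure_me == 0x1234u;
}
```

With the bad decoder the unlisted initiator's write through the mirror is accepted and the register changes; with the good decoder the same write is refused while allowlisted writes still succeed.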

Observed Examples
CVE-2000-1179: Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.
CVE-1999-1454: Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.
CVE-1999-1077: OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.
CVE-2003-0304: Direct request of installation file allows attacker to create administrator accounts.
CVE-2002-0870: Attackers may gain additional privileges by directly requesting the web management URL.
CVE-2002-0066: Bypass authentication via direct request to named pipe.
CVE-2003-1035: User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.
Applicable Platforms
Languages:
Not Language-Specific: Undetermined
Modes of Introduction
Architecture and Design
Related Attack Patterns
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
Notes
Relationship: Overlaps Unprotected Alternate Channel.