logo

Channel Accessible by Non-Endpoint

Draft Class
Structure: Simple
Description

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Extended Description

In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Inadequate or inconsistent verification may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities.
Common Consequences 1
Scope: ConfidentialityIntegrityAccess Control

Impact: Read Application DataModify Application DataGain Privileges or Assume Identity

An attacker could pose as one of the entities and read or possibly modify the communication.
Detection Methods 3
Automated Dynamic Analysis
Some tools can act as proxy servers that allow the tester to intercept packets or messages, inspect them, and modify them before sending them to the destination in order to see if the modified packets are still accepted by the receiving component.
Automated Dynamic Analysis
Dynamic Application Security Testing (DAST) tools can be used to detect network traffic without encryption and/or verification. The affected protocol may be subject to Adversary-in-the-Middle attacks. Some tools act as proxy servers that allow the tester to inspect and modify packets/messages to see if they are still accepted by the receiving component.
Automated Static AnalysisModerate
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) The analysis could identify use of protocols that are subject to Adversary-in-the-Middle attacks.
Potential Mitigations 3
Phase: Implementation
Always fully authenticate both ends of any communications channel.
Phase: Architecture and Design
Adhere to the principle of complete mediation.
Phase: Implementation
A certificate binds an identity to a cryptographic key to authenticate a communicating party. Often, the certificate takes the encrypted form of the hash of the identity of the subject, the public key, and information such as time of issue or expiration using the issuer's private key. The certificate can be validated by deciphering the certificate with the issuer's public key. See also X.509 certificate signature chains and the PGP certification structure.
Demonstrative Examples 1
In the Java snippet below, data is sent over an unencrypted channel to a remote server.

Code Example:

Bad
Java
java

// Write data to remote host via socket output stream.* ...}

By eavesdropping on the communication channel or posing as the endpoint, an attacker would be able to read all of the transmitted data.
Observed Examples 1
CVE-2014-1266chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversry-in-the-Middle (AITM) attack (Apple "goto fail" bug). Incorrect Control Flow Scoping (Incorrect Control Flow Scoping) -> Dead Code (Dead Code) -> Improper Certificate Validation (Improper Certificate Validation) -> Return of Wrong Status Code (Return of Wrong Status Code) -> Channel Accessible by Non-Endpoint (Channel Accessible by Non-Endpoint).
References 1
Computer Security: Art and Science
M. Bishop
Addison-Wesley
2003
ID: REF-244
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Related Attack Patterns
Alternate Terms

Adversary-in-the-Middle / AITM

Attacker-in-the-Middle / AITM

Man-in-the-Middle / MITM

Person-in-the-Middle / PITM

Monkey-in-the-Middle

Monster-in-the-Middle

Manipulator-in-the-Middle

On-path attack

Interception attack
Related Weaknesses
ChildOf: Improper Restriction of Communication Channel to Intended Endpoints (CWE-923)
Taxonomy Mapping
  • PLOVER
  • WASC
  • The CERT Oracle Secure Coding Standard for Java (2011)
Notes
MaintenanceThe summary identifies multiple distinct possibilities, suggesting that this is a category that must be broken into more specific weaknesses.