Unprotected Alternate Channel

Draft Base

Structure: Simple

Description

The product protects a primary channel, but it does not use the same level of protection for an alternate channel.

Common Consequences 1

Scope: Access Control

Impact: Gain Privileges or Assume IdentityBypass Protection Mechanism

Potential Mitigations 1

Phase: Architecture and Design

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

Demonstrative Examples 1

ID : DX-176

Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (as indicated by acl_oh_allowlist). The identity of the initiator of the transaction is indicated by the one hot input, incoming_id. This is checked against the acl_oh_allowlist (which contains a list of initiators that are allowed to access the asset). Though this example is shown in Verilog, it will apply to VHDL as well.

Code Example:

Informative

Verilog

module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n); output [31:0] data_out; input [31:0] data_in, incoming_id, address; input clk, rst_n; wire write_auth, addr_auth; reg [31:0] data_out, acl_oh_allowlist, q; assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; always @*

verilog

Code Example:

Bad

Verilog

assign addr_auth = (address == 32'hF00) ? 1: 0;

The bugged line of code is repeated in the Bad example above. The weakness arises from the fact that the SECURE_ME register can be modified by writing to the shadow register COPY_OF_SECURE_ME. The address of COPY_OF_SECURE_ME should also be included in the check. That buggy line of code should instead be replaced as shown in the Good Code Snippet below.

Code Example:

Good

Verilog

assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1: 0;

Observed Examples 7

CVE-2020-8004When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).

CVE-2002-0567DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.

CVE-2002-1578Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.

CVE-2003-1035User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.

CVE-2002-1863FTP service can not be disabled even when other access controls would require it.

CVE-2002-0066Windows named pipe created without authentication/access control, allowing configuration modification.

CVE-2004-1461Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Operation

Related Weaknesses

ChildOf:

Improper Restriction of Communication Channel to Intended Endpoints (CWE-923)

Taxonomy Mapping

PLOVER

Notes

RelationshipThis can be primary to authentication errors, and resultant from unhandled error conditions.