2022年1月5日20:59:43评论51 views字数 1779阅读5分55秒阅读模式

CWE-420 未保护的候选通道

Unprotected Alternate Channel

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

The software protects a primary channel, but it does not use the same level of protection for an alternate channel.

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

范围	影响	注释
Access Control	['Gain Privileges or Assume Identity', 'Bypass Protection Mechanism']

策略:

Identify all alternate channels and use the same protection mechanisms that are used for the primary channels.

标识	说明	链接
CVE-2002-0567	DB server assumes that local clients have performed authentication, allowing attacker to directly connect to a process to load libraries and execute commands; a socket interface also exists (another alternate channel), so attack can be remote.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0567
CVE-2002-1578	Product does not restrict access to underlying database, so attacker can bypass restrictions by directly querying the database.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1578
CVE-2003-1035	User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1035
CVE-2002-1863	FTP service can not be disabled even when other access controls would require it.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1863
CVE-2002-0066	Windows named pipe created without authentication/access control, allowing configuration modification.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0066
CVE-2004-1461	Router management interface spawns a separate TCP connection after authentication, allowing hijacking by attacker coming from the same IP address.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1461

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Unprotected Alternate Channel

文章来源于互联网:scap中文网