{"@ID": "288", "@Name": "Authentication Bypass Using an Alternate Path or Channel", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "@Diagram": "/data/images/CWE-288-Diagram.png", "Description": "The product requires authentication, but the product has an alternate path or channel that does not require authentication.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "306", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "284", "@View_ID": "1340", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "420", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}, {"@Class": "Web Based", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic."}, {"Phase": "Architecture and Design", "Note": "This is often seen in web applications that assume that access to a particular CGI program can only be obtained through a \"front\" screen, when the supporting programs are directly accessible. But this problem is not just in web apps."}]}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Bypass Protection Mechanism"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Architecture and Design", "Description": "Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-176", "Intro_Text": {"xhtml:p": ["Register SECURE_ME is located at address 0xF00. A\n                 mirror of this register called COPY_OF_SECURE_ME is\n                 at location 0x800F00. The register SECURE_ME is\n                 protected from malicious agents and only allows\n                 access to select, while COPY_OF_SECURE_ME is not.", "Access control is implemented using an allowlist (as\n                 indicated by acl_oh_allowlist). The identity of the\n                 initiator of the transaction is indicated by the\n                 one hot input, incoming_id. This is checked against\n                 the acl_oh_allowlist (which contains a list of\n                 initiators that are allowed to access the asset).", "Though this example is shown in Verilog, it will\n                 apply to VHDL as well."]}, "Example_Code": [{"@Nature": "Informative", "@Language": "Verilog", "xhtml:br": [null, null, null, null, null, null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "acl_oh_allowlist <= 32'h8312;"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "q <= 32'h0;\n                     data_out <= 32'h0;"}, "#text": "begin\n                   \n                   end"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "q <= (addr_auth & write_auth) ? data_in: q;\n                     data_out <= q;"}, "#text": "begin\n                   \n                   end"}], "#text": "if (!rst_n)\n                 \n                 else\n                 \n                 end"}], "#text": "module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);\n               output [31:0] data_out;\n               input [31:0] data_in, incoming_id, address;\n               input clk, rst_n;\n               wire write_auth, addr_auth;\n               reg [31:0] data_out, acl_oh_allowlist, q;\n               assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; \n               always @*\n               \n               assign addr_auth = (address == 32'hF00) ? 1: 0;\n               always @ (posedge clk or negedge rst_n)\n               \n               endmodule"}, {"@Nature": "Bad", "@Language": "Verilog", "#text": "assign addr_auth = (address == 32'hF00) ? 1: 0;"}, {"@Nature": "Good", "@Language": "Verilog", "#text": "assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1: 0;"}], "Body_Text": "The bugged line of code is repeated in the Bad\n             example above. Weakness arises from the fact that the\n             SECURE_ME register can be modified by writing to the\n             shadow register COPY_OF_SECURE_ME, the address of\n             COPY_OF_SECURE_ME should also be included in the check.\n             That buggy line of code should instead be replaced as\n             shown in the Good Code Snippet below."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2000-1179", "Description": "Router allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.", "Link": "https://www.cve.org/CVERecord?id=CVE-2000-1179"}, {"Reference": "CVE-1999-1454", "Description": "Attackers with physical access to the machine may bypass the password prompt by pressing the ESC (Escape) key.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-1454"}, {"Reference": "CVE-1999-1077", "Description": "OS allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-1077"}, {"Reference": "CVE-2003-0304", "Description": "Direct request of installation file allows attacker to create administrator accounts.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-0304"}, {"Reference": "CVE-2002-0870", "Description": "Attackers may gain additional privileges by directly requesting the web management URL.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0870"}, {"Reference": "CVE-2002-0066", "Description": "Bypass authentication via direct request to named pipe.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0066"}, {"Reference": "CVE-2003-1035", "Description": "User can avoid lockouts by using an API instead of the GUI to conduct brute force password guessing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-1035"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Authentication Bypass by Alternate Path/Channel"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A10", "Entry_Name": "Failure to Restrict URL Access", "Mapping_Fit": "CWE More Specific"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "127"}, {"@CAPEC_ID": "665"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Relationship", "#text": "overlaps Unprotected Alternate Channel"}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Description, Modes_of_Introduction, Name, Relationships, Observed_Example, Relationship_Notes, Taxonomy_Mappings, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-11-24", "Modification_Version": "1.1", "Modification_ReleaseDate": "2008-11-25", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Observed_Examples, Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-05-03", "Modification_Version": "2.11", "Modification_ReleaseDate": "2017-05-05", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-11-19", "Modification_Version": "4.16", "Modification_ReleaseDate": "2024-11-19", "Modification_Comment": "updated Description, Diagram"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships, Weakness_Ordinalities"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Abhi Balakrishnan", "Contribution_Date": "2024-09-29", "Contribution_Version": "4.16", "Contribution_ReleaseDate": "2024-11-19", "Contribution_Comment": "Contributed usability diagram concepts used by the CWE team"}, "Previous_Entry_Name": {"@Date": "2008-09-09", "#text": "Authentication Bypass by Alternate Path/Channel"}}}
