CWE-420: Unprotected Alternate Channel

Learn about CWE-420 (Unprotected Alternate Channel), its security impact, exploitation methods, and prevention guidelines.

What is Unprotected Alternate Channel?

• Overview: This vulnerability occurs when a software product has a protected primary communication channel but fails to provide equivalent protection for an alternate channel, leaving it susceptible to attacks.

• Exploitation Methods:

  • Attackers can intercept, modify, or inject unauthorized data through the unprotected alternate channel.
  • Common attack patterns include man-in-the-middle (MitM) attacks, replay attacks, and data tampering through the weaker channel.

• Security Impact:

  • Direct consequences include unauthorized access to data, data corruption, and potential data breaches.
  • Potential cascading effects may lead to privilege escalation or further compromise of system integrity.
  • Business impact could involve loss of customer trust, legal repercussions, and financial loss due to data breaches or service disruptions.

• Prevention Guidelines:

  • Ensure all communication channels, both primary and alternate, utilize strong, consistent encryption and authentication mechanisms.
  • Conduct thorough security assessments to identify and secure alternate channels.
  • Use recommended tools and frameworks that enforce secure channel protection standards, such as TLS/SSL for data transmission.

Corgea can automatically detect and fix Unprotected Alternate Channel in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

// This JavaScript server application uses HTTPS for secure communication on the primary channel
// but opens an unsecured HTTP channel for alternate communication, making it vulnerable.
// Attackers can intercept or manipulate HTTP traffic due to the lack of encryption.
const https = require('https');
const http = require('http');
const fs = require('fs');

const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

// Secure HTTPS server
https.createServer(options, (req, res) => {
  res.writeHead(200);
  res.end('Hello, Secure World!');
}).listen(443);

// Unsecured HTTP server
http.createServer((req, res) => {
  res.writeHead(200);
  res.end('Hello, Insecure World!');
}).listen(80);

How to fix Unprotected Alternate Channel?

The problem in the above code is that while the primary channel (HTTPS) is protected with TLS, the alternate channel (HTTP) is not secured. This can allow attackers to intercept or manipulate HTTP traffic. The fix is to ensure that all communication channels are encrypted and protected.

Steps to fix:

  1. Redirect all HTTP traffic to HTTPS to ensure encryption on all channels.
  2. Implement HSTS (HTTP Strict Transport Security) to enforce the use of HTTPS.
  3. Optionally, disable the HTTP server completely if it's not necessary.

Fixed Code Example

// Fixed version ensures all traffic is secured by redirecting HTTP to HTTPS.
// This prevents attackers from intercepting unencrypted traffic.
const https = require('https');
const http = require('http');
const fs = require('fs');

const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

// Secure HTTPS server with HSTS
https.createServer(options, (req, res) => {
  res.writeHead(200, {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload'  // Enforces HTTPS
  });
  res.end('Hello, Secure World!');
}).listen(443);

// Redirect HTTP to HTTPS
http.createServer((req, res) => {
  // Without a Host header no redirect target can be built; refuse instead of emitting "https://undefined/...".
  if (!req.headers.host) {
    res.writeHead(400);
    return res.end();
  }
  // Strip an explicit port (e.g. ":80") so the redirect lands on the HTTPS port, not https://host:80/...
  const host = req.headers.host.replace(/:\d+$/, '');
  res.writeHead(301, { 'Location': 'https://' + host + req.url });  // Permanent redirection
  res.end();
}).listen(80);

In the fixed version:

  • We redirect all HTTP traffic to the HTTPS server using a 301 status code to indicate a permanent redirection. This ensures that all client communications are encrypted.
  • We've added the Strict-Transport-Security header to enforce the use of HTTPS and prevent man-in-the-middle attacks by instructing browsers to only access the server over HTTPS. Browsers honour this header only when it is received over HTTPS, which is why it is sent from the HTTPS server and not from the plaintext redirect.