CWE-1284 – Improper Validation of Specified Quantity in Input


Description

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-20

Consequences

Other: Varies by Context

Since quantities are used so often to affect resource allocation or process financial data, they are often present in many places in the code.

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

CVE References

  • CVE-2008-1440
    • lack of validation of length field leads to infinite loop
  • CVE-2008-2374
    • lack of validation of string length fields allows memory consumption or buffer over-read

CWE-1283 – Mutable Attestation or Measurement Reporting Data


Description

The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-284

Consequences

Confidentiality: Read Memory, Read Application Data

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References

CWE-1282 – Assumed-Immutable Data is Stored in Writable Memory


Description

Immutable data, such as a first-stage bootloader, device identifiers, and “write-once” configuration settings are stored in writable memory that can be re-programmed or updated in the field.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-668
CWE-471

Consequences

Integrity: Varies by Context

Potential Mitigations

Phase: Implementation

Description: 

All immutable code or data should be programmed into ROM or write-once memory.

CVE References

CWE-1281 – Sequence of Processor Instructions Leads to Unexpected Behavior


Description

Specific combinations of processor instructions lead to undesirable behavior, such as locking the processor until a hard reset is performed.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-691

Consequences

Integrity, Availability: Varies by Context

Potential Mitigations

Phase: Testing

Description: 

Implement a rigorous testing strategy that incorporates randomization to explore instruction sequences that are unlikely to appear in normal workloads in order to identify halt and catch fire instruction sequences.

Phase: Patching and Maintenance

Description: 

Patch operating system to avoid running Halt and Catch Fire type sequences or to mitigate the damage caused by unexpected behavior. See [REF-1108].

CVE References

  • CVE-1999-1476
    • A bug in some Intel Pentium processors allows DoS (hang) via an invalid “CMPXCHG8B” instruction, causing a deadlock

CWE-1280 – Access Control Check Implemented After Asset is Accessed


Description

A product’s hardware-based access control check occurs after the asset has been accessed.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-696
CWE-284

Consequences

Access Control, Confidentiality, Integrity: Modify Memory, Read Memory, Modify Application Data, Read Application Data, Gain Privileges or Assume Identity, Bypass Protection Mechanism

Potential Mitigations

Phase: Implementation

Description: 

Implement the access control check first. Access should only be given to the asset if the agent is authorized.

CVE References

CWE-128 – Wrap-around Error


Description

Wrap-around errors occur whenever a value is incremented past the maximum value for its type and therefore “wraps around” to a very small, negative, or undefined value.

Due to how addition is performed by computers, if a primitive is incremented past the maximum value possible for its storage space, the system will not recognize this and will carry the addition through as if extra bits were available, discarding the bits that no longer fit. Because of how negative numbers are represented in binary, primitives interpreted as signed may “wrap” to very large negative values.

Modes of Introduction:

– Implementation

Likelihood of Exploit: Medium

Related Weaknesses

CWE-682
CWE-119
CWE-190

Consequences

Availability: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability

This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

Integrity: Modify Memory

If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.

Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands, Bypass Protection Mechanism

This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program’s implicit security policy.

Potential Mitigations

Phase:

Description: 

Requirements specification: The choice could be made to use a language that is not susceptible to these issues.

Phase: Architecture and Design

Description: 

Provide clear upper and lower bounds on the scale of any protocols designed.

Phase: Implementation

Description: 

Perform validation on all incremented variables to ensure that they remain within reasonable bounds.
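Added example, not part of the CWE entry and not any project's code: a small C parser for a constructed record format (a 4-byte little-endian length field followed by that many payload bytes). It shows both mitigations from this entry and from CWE-1284 above in one place: the length field is checked against a policy bound before use, and every offset addition goes through an overflow-checked helper so that a wrapped sum fails closed. `naive_fits` is included only to show the unchecked comparison that a wrapped addition defeats. The format, the `MAX_RECORD_PAYLOAD` bound, the function names and the sample buffers are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy bound on one record's payload size (a constructed value for this example). */
#define MAX_RECORD_PAYLOAD 4096u

/* Unchecked bounds test as it is often written: off + len wraps modulo 2^32, so a
 * length close to UINT32_MAX makes the sum small and the test passes (CWE-128). */
bool naive_fits(uint32_t off, uint32_t len, uint32_t buf_len) {
    return (uint32_t)(off + len) <= buf_len;
}

/* Overflow-checked 32-bit addition: returns false instead of wrapping. */
bool checked_add_u32(uint32_t a, uint32_t b, uint32_t *out) {
    if (a > UINT32_MAX - b) return false;
    *out = a + b;
    return true;
}

/* Decode a little-endian 32-bit length field. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a buffer of records (constructed format: 4-byte LE length + payload).
 * Returns the record count, or -1 at the first malformed record. Each check
 * rejects one failure mode: a header that does not fit, a length above the
 * policy bound (CWE-1284), a header+length sum that would wrap (CWE-128), and
 * a payload that runs past the end of the buffer. */
int count_records(const uint8_t *buf, uint32_t buf_len) {
    uint32_t off = 0;
    int count = 0;
    while (off < buf_len) {
        uint32_t hdr_end, rec_end;
        if (!checked_add_u32(off, 4, &hdr_end) || hdr_end > buf_len) return -1;
        uint32_t len = read_le32(buf + off);
        if (len > MAX_RECORD_PAYLOAD) return -1;
        if (!checked_add_u32(hdr_end, len, &rec_end) || rec_end > buf_len) return -1;
        off = rec_end;
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[]  = { 3,0,0,0, 'a','b','c',  1,0,0,0, 'z' };  /* two valid records */
static const uint8_t TRUNC[] = { 5,0,0,0, 'a' };                          /* claims 5 bytes, has 1 */
static const uint8_t HUGE[]  = { 0xFC,0xFF,0xFF,0xFF, 'a','b','c','d' };  /* length 0xFFFFFFFC */

int demo_good(void)      { return count_records(GOOD,  (uint32_t)sizeof GOOD); }
int demo_truncated(void) { return count_records(TRUNC, (uint32_t)sizeof TRUNC); }
int demo_huge(void)      { return count_records(HUGE,  (uint32_t)sizeof HUGE); }

/* The HUGE record as seen by the two bounds tests: offset 4 after the header,
 * length 0xFFFFFFFC, buffer of 8 bytes. */
bool demo_naive_huge(void) {
    return naive_fits(4, 0xFFFFFFFCu, (uint32_t)sizeof HUGE);  /* 4 + len wraps to 0: "fits" */
}
bool demo_checked_huge(void) {
    uint32_t end;
    return checked_add_u32(4, 0xFFFFFFFCu, &end);              /* false: rejected */
}

int main(void) {
    printf("good=%d truncated=%d huge=%d\n", demo_good(), demo_truncated(), demo_huge());
    printf("naive accepts huge: %d, checked accepts huge: %d\n",
           demo_naive_huge(), demo_checked_huge());
    return 0;
}
```

The two checks are deliberately separate: the policy bound rejects values that are syntactically valid but unreasonable for the protocol, while the checked addition protects the offset arithmetic itself, which matters even when the bound is generous or absent.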

CVE References

CWE-1279 – Cryptographic Operations are run Before Supporting Units are Ready


Description

Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.

Many cryptographic hardware units depend upon other hardware units to supply information to them to produce a securely encrypted result. For example, a cryptographic unit that depends on an external random-number-generator (RNG) unit for entropy must wait until the RNG unit is producing random numbers. If a cryptographic unit retrieves a private encryption key from a fuse unit, the fuse unit must be up and running before a key may be supplied.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-665

Consequences

Access Control, Confidentiality, Integrity, Availability, Accountability, Authentication, Authorization, Non-Repudiation: Varies by Context

Potential Mitigations

Phase: Architecture and Design

Description: 

Best practices should be used to design cryptographic systems.

Phase: Implementation

Description: 

Continuously ensuring that cryptographic inputs are supplying valid information is necessary to ensure that the encrypted output is secure.

CVE References

CWE-1278 – Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques


Description

Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-693

Consequences

Confidentiality: Varies by Context

A common goal of malicious actors who reverse engineer ICs is to produce and sell counterfeit versions of the IC.

Potential Mitigations

Phase: Architecture and Design

Description: 

The cost of secret extraction via IC reverse engineering should outweigh the potential value of the secrets being extracted. The threat model and the value of the secrets should drive the choice of technology used to safeguard them. Examples include IC camouflaging and obfuscation, tamper-proof packaging, active shielding, and erasure of secret information when physical tampering is detected.

CVE References

CWE-1277 – Firmware Not Updateable


Description

The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.

Without the ability to patch or update firmware, consumers will be left vulnerable to exploitation of any known vulnerabilities, or any vulnerabilities that are discovered in the future. This can expose consumers to permanent risk throughout the entire lifetime of the device, which could be years or decades. Some external protective measures and mitigations might be employed to aid in preventing or reducing the risk of malicious attack, but the root weakness cannot be corrected.

Modes of Introduction:

– Requirements

Related Weaknesses

CWE-1329

Consequences

Confidentiality, Integrity, Access Control, Authentication, Authorization: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

If an attacker can identify an exploitable vulnerability in one device that has no means of patching, the attack may be used against an entire class of devices.

Potential Mitigations

Phase: Requirements

Description: 

Specify requirements to include the ability to update the firmware. Include integrity checks and authentication to ensure that untrusted firmware cannot be installed.

Phase: Architecture and Design

Description: 

Design the device to allow for updating the firmware. Ensure that the design specifies how to distribute the updates and ensure their integrity and authentication.

Phase: Implementation

Description: 

Implement the necessary functionality to allow the firmware to be updated.

CVE References

  • CVE-2020-9054
    • Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are “end-of-support” and cannot be patched (CWE-1277). [REF-1097]
  • [REF-1095]
    • A hardware “smart lock” has weak key generation that allows attackers to steal the key by BLE sniffing, but the device’s firmware cannot be upgraded and hence remains vulnerable [REF-1095].

CWE-1276 – Hardware Child Block Incorrectly Connected to Parent System


Description

Signals between a hardware IP block and the parent system design are incorrectly connected, causing security risks.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-284

Consequences

Confidentiality, Integrity, Availability: Varies by Context

Potential Mitigations

Phase: Testing

Description: 

System-level verification may be used to ensure that components are correctly connected and that design security requirements are not violated due to interactions between various IP blocks.

CVE References