CWE-1257 – Improper Access Control Applied to Mirrored or Aliased Memory Regions

Read Time:45 Second

Description

Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284
CWE-119

 

Consequences

Confidentiality: Read Memory

Integrity: Modify Memory

Availability: DoS: Instability

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

The checks should be applied for consistency access rights between primary memory regions and any mirrored or aliased memory regions. If different memory protection units (MPU) are protecting the aliased regions, their protected range definitions and policies should be synchronized.

Phase: Architecture and Design, Implementation

Description: 

The controls that allow enabling memory aliases or changing the size of mapped memory regions should only be programmable by trusted software components.

CVE References

CWE-1256 – Improper Restriction of Software Interfaces to Hardware Features

Read Time:55 Second

Description

The product provides software-controllable
device functionality for capabilities such as power and
clock management, but it does not properly limit
functionality that can lead to modification of
hardware memory or register bits, or the ability to
observe physical side channels.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-285

 

Consequences

Integrity: Modify Memory, Modify Application Data, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

CVE References

  • CVE-2019-11157
    • Plundervolt: Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access [REF-1081].
  • CVE-2020-8694
    • PLATYPUS Attack: Insufficient access control in the Linux kernel driver for some Intel processors allows information disclosure.
  • CVE-2020-8695
    • Observable discrepancy in the RAPL interface for some Intel processors allows information disclosure.
  • CVE-2020-12912
    • AMD extension to a Linux service does not require privileged access to the RAPL interface, allowing side-channel attacks.
  • CVE-2015-0565
    • NaCl in 2015 allowed the CLFLUSH instruction, making Rowhammer attacks possible.

CWE-1255 – Comparison Logic is Vulnerable to Power Side-Channel Attacks

Read Time:1 Minute, 35 Second

Description

A device’s real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1300
CWE-1259

 

Consequences

Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Modify Memory, Read Memory, Read Files or Directories, Modify Files or Directories, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, Hide Activities

As compromising a security token may result in complete system control, the impacts are relatively universal

 

Potential Mitigations

Phase: Architecture and Design

Description: 

The design phase must consider each check of a security token against a standard and the amount of power consumed during the check of a good token versus a bad token. The alternative is an all at once check where a retry counter is incremented PRIOR to the check.

Phase: Architecture and Design

Description: 

Another potential mitigation is to parallelize shifting of secret data (see example 2 below). Note that the wider the bus the more effective the result.

Phase: Architecture and Design

Description: 

An additional potential mitigation is to add random data to each crypto operation then subtract it out afterwards. This is highly effective but costly in performance, area, and power consumption. It also requires a random number generator.

Phase: Implementation

Description: 

If the architecture is unable to prevent the attack, using filtering components may reduce the ability to implement an attack, however, consideration must be given to the physical removal of the filter elements.

Phase: Integration

Description: 

During integration, avoid use of a single secret for an extended period (e.g. frequent key updates). This limits the amount of data compromised but at the cost of complexity of use.

CVE References

  • CVE-2020-12788
    • CMAC verification vulnerable to timing and power attacks.

CWE-1254 – Incorrect Comparison Logic Granularity

Read Time:44 Second

Description

The product’s comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-208
CWE-697

 

Consequences

Confidentiality, Authorization: Bypass Protection Mechanism

 

Potential Mitigations

Phase: Implementation

Description: 

CVE References

  • CVE-2014-0984
    • The passwordCheck function in SAP Router 721 patch 117, 720 patch 411, 710 patch 029, and earlier terminates validation of a Route Permission Table entry password upon encountering the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.

CWE-1253 – Incorrect Selection of Fuse Values

Read Time:33 Second

Description

The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-693

 

Consequences

Access Control, Authorization: Bypass Protection Mechanism, Gain Privileges or Assume Identity

Availability: DoS: Crash, Exit, or Restart

Confidentiality: Read Memory

Integrity: Modify Memory, Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Logic should be designed in a way that blown fuses do not put the product into an insecure state that can be leveraged by an attacker.

CVE References

CWE-1252 – CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

Read Time:19 Second

Description

The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality, Integrity: Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Integration

Description: 

CVE References

CWE-1251 – Mirrored Regions with Different Values

Read Time:15 Second

Description

The product’s architecture mirrors regions without ensuring that their contents always stay in sync.

Modes of Introduction:

 

 

Related Weaknesses

CWE-1250

 

Consequences

Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Varies by Context

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: Moderate

Description: 

CVE References

CWE-1250 – Improper Preservation of Consistency Between Independent Representations of Shared State

Read Time:18 Second

Description

The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data – such as state or cache – but the product does not ensure that all local copies remain consistent with each other.

Modes of Introduction:

 

 

Related Weaknesses

CWE-664

 

Consequences

 

Potential Mitigations

CVE References

CWE-125 – Out-of-bounds Read

Read Time:2 Minute, 9 Second

Description

The software reads data past the end, or before the beginning, of the intended buffer.

Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-119
CWE-119
CWE-119
CWE-119

 

Consequences

Confidentiality: Read Memory

Confidentiality: Bypass Protection Mechanism

By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.

 

Potential Mitigations

Phase: Implementation

Description: 

Phase: Architecture and Design

Description: 

Use a language that provides appropriate memory abstractions.

CVE References

  • CVE-2014-0160
    • Chain: “Heartbleed” bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data.
  • CVE-2018-10887
    • Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
  • CVE-2009-2523
    • Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
  • CVE-2018-16069
    • Chain: series of floating-point precision errors
      (CWE-1339) in a web browser rendering engine causes out-of-bounds read
      (CWE-125), giving access to cross-origin data
  • CVE-2004-0183
    • packet with large number of specified elements cause out-of-bounds read.
  • CVE-2004-0221
    • packet with large number of specified elements cause out-of-bounds read.
  • CVE-2004-0184
    • out-of-bounds read, resultant from integer underflow
  • CVE-2008-4113
    • OS kernel trusts userland-supplied length value, allowing reading of sensitive information

CWE-1249 – Application-Level Admin Tool with Inconsistent View of Underlying Operating System

Read Time:26 Second

Description

The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application’s model of the OS’s state is inconsistent with the OS’s actual state.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1250

 

Consequences

Access Control: Varies by Context

Accountability: Hide Activities

Other: Unexpected State

 

Potential Mitigations

Phase: Architecture and Design

Description: 

CVE References