Read Time:44 Second

Description

The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-226
CWE-200

 

Consequences

Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Read Memory, Read Application Data

Sensitive information may be used to unlock additional capabilities of the device and take advantage of hidden functionalities which could be used to compromise device security.

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Description: 

During state transitions, information not needed in the next state should be removed before the transition to the next state.

CVE References

  • CVE-2020-12926
    • Product software does not set a flag as per TPM specifications, thereby preventing a failed authorization attempt from being recorded after a loss of power.