Read Time:1 Minute, 6 Second
Description
The product’s debug components contain incorrect chaining or granularity of debug components.
Modes of Introduction:
– Implementation
Related Weaknesses
CWE-284
Consequences
Confidentiality, Integrity, Access Control, Authentication, Authorization, Availability, Accountability: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands, Modify Memory, Modify Files or Directories
Depending on the access to debug component(s) erroneously granted, an attacker could use the debug component to gain additional understanding about the system to further an attack and/or execute other commands. This could compromise any security property, including the ones listed above.
Potential Mitigations
Phase: Implementation
Description:
Ensure that debug components are properly chained and their granularity is maintained at different authentication levels.
CVE References
- CVE-2017-18347
- Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device’s protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection.
- CVE-2020-1791
- There is an improper authorization vulnerability in several smartphones. The system has a logic-judging error, and, under certain scenarios, a successful exploit could allow the attacker to switch to third desktop after a series of operations in ADB mode. (Vulnerability ID: HWPSIRT-2019-10114).
