All posts by rocco

CWE

CWE-1293 – Missing Source Correlation of Multiple Independent Data

Read Time:54 Second

Description

The software relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-345
CWE-654

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Gain Privileges or Assume Identity

An attacker that may be able to execute a single Person-in-the-Middle attack can subvert a check of an external oracle (e.g. the ACME protocol check for a file on a website), and thus inject an arbitrary reply to the single perspective request to the external oracle.

 

Potential Mitigations

Phase: Requirements

Description: 

Design system to use a Practical Byzantine fault method, to request information from multiple sources to verify the data and report on potentially compromised information sources.

Phase: Implementation

Description: 

Failure to use a Practical Byzantine fault method when requesting data. Lack of place to report potentially compromised information sources. Relying on non-independent information sources for integrity checking. Failure to report information sources that respond in the minority to incident response procedures.

CVE References

CWE

CWE-1294 – Insecure Security Identifier Mechanism

Read Time:33 Second

Description

The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Identifiers are not correctly implemented.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality, Integrity, Availability, Access Control: Modify Memory, Read Memory, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Quality Degradation

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Security Identifier Decoders must be reviewed for design inconsistency and common weaknesses.

Phase: Implementation

Description: 

Access and programming flows must be tested in pre-silicon and post-silicon testing.

CVE References

CWE

CWE-1295 – Debug Messages Revealing Unnecessary Information

Read Time:27 Second

Description

The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-200
CWE-209

 

Consequences

Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Read Memory, Bypass Protection Mechanism, Gain Privileges or Assume Identity, Varies by Context

 

Potential Mitigations

Phase: Implementation

Description: 

Ensure that a debug message does not reveal any unnecessary information during the debug process for the intended response.

CVE References

CWE

CWE-1296 – Incorrect Chaining or Granularity of Debug Components

Read Time:1 Minute, 6 Second

Description

The product’s debug components contain incorrect chaining or granularity of debug components.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality, Integrity, Access Control, Authentication, Authorization, Availability, Accountability: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands, Modify Memory, Modify Files or Directories

Depending on the access to debug component(s) erroneously granted, an attacker could use the debug component to gain additional understanding about the system to further an attack and/or execute other commands. This could compromise any security property, including the ones listed above.

 

Potential Mitigations

Phase: Implementation

Description: 

Ensure that debug components are properly chained and their granularity is maintained at different authentication levels.

CVE References

  • CVE-2017-18347
    • Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device’s protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection.
  • CVE-2020-1791
    • There is an improper authorization vulnerability in several smartphones. The system has a logic-judging error, and, under certain scenarios, a successful exploit could allow the attacker to switch to third desktop after a series of operations in ADB mode. (Vulnerability ID: HWPSIRT-2019-10114).
CWE

CWE-1297 – Unprotected Confidential Information on Device is Accessible by OSAT Vendors

Read Time:34 Second

Description

The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-285

 

Consequences

Confidentiality, Integrity, Access Control, Authentication, Authorization, Availability, Accountability, Non-Repudiation: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands, Modify Memory, Modify Files or Directories

The impact depends on the confidential information itself and who is inadvertently granted access. For example, if the confidential information is a key that can unlock all the parts of a generation, the impact could be severe.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: Moderate

Description: 

CVE References

CWE

CWE-1298 – Hardware Logic Contains Race Conditions

Read Time:36 Second

Description

A race condition in the hardware logic results in undermining security guarantees of the system.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-362

 

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity, Alter Execution Logic

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Adopting design practices that encourage designers to recognize and eliminate race conditions, such as Karnaugh maps, could result in the decrease in occurrences of race conditions.

Phase: Implementation

Description: 

Logic redundancy can be implemented along security critical paths to prevent race conditions. To avoid metastability, it is a good practice in general to default to a secure state in which access is not given to untrusted agents.

CVE References

CWE

CWE-1299 – Missing Protection Mechanism for Alternate Hardware Interface

Read Time:58 Second

Description

The lack of protections on alternate paths to access
control-protected assets (such as unprotected shadow registers
and other external facing unguarded interfaces) allows an
attacker to bypass existing protections to the asset that are
only performed against the primary path.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1191
CWE-420
CWE-288

 

Consequences

Confidentiality, Integrity, Availability, Access Control: Modify Memory, Read Memory, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Alter Execution Logic, Bypass Protection Mechanism, Quality Degradation

 

Potential Mitigations

Phase: Requirements

Effectiveness: Defense in Depth

Description: 

Protect assets from accesses against all potential interfaces and alternate paths.

Phase: Architecture and Design

Effectiveness: Defense in Depth

Description: 

Protect assets from accesses against all potential interfaces and alternate paths.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Protect assets from accesses against all potential interfaces and alternate paths.

CVE References

  • CVE-2017-18293
    • When GPIO is protected by blocking access
      to corresponding GPIO resource registers,
      protection can be bypassed by writing to the
      corresponding banked GPIO registers instead.
  • CVE-2020-15483
    • monitor device allows access to physical UART debug port without authentication
CWE

CWE-13 – ASP.NET Misconfiguration: Password in Configuration File

Read Time:24 Second

Description

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-260

 

Consequences

Access Control: Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Implementation

Description: 

Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.

CVE References

CWE

CWE-130 – Improper Handling of Length Parameter Inconsistency

Read Time:4 Minute, 58 Second

Description

The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-240
CWE-119
CWE-119
CWE-805

 

Consequences

Confidentiality, Integrity: Read Memory, Modify Memory, Varies by Context

 

Potential Mitigations

Phase: Implementation

Description: 

When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data.

Phase: Implementation

Description: 

Do not let the user control the size of the buffer.

Phase: Implementation

Description: 

Validate that the length of the user-supplied data is consistent with the buffer size.

CVE References

  • CVE-2014-0160
    • Chain: “Heartbleed” bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data.
  • CVE-2009-2299
    • Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.
  • CVE-2001-0825
    • Buffer overflow in internal string handling routine allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check.
  • CVE-2001-1186
    • Web server allows remote attackers to cause a denial of service via an HTTP request with a content-length value that is larger than the size of the request, which prevents server from timing out the connection.
  • CVE-2001-0191
    • Service does not properly check the specified length of a cookie, which allows remote attackers to execute arbitrary commands via a buffer overflow, or brute force authentication by using a short cookie length.
  • CVE-2003-0429
    • Traffic analyzer allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow.
  • CVE-2000-0655
    • Chat client allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1.
  • CVE-2004-0492
    • Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative Content-Length HTTP header field causing a heap-based buffer overflow.
  • CVE-2004-0201
    • Help program allows remote attackers to execute arbitrary commands via a heap-based buffer overflow caused by a .CHM file with a large length field
  • CVE-2003-0825
    • Name services does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Can overlap zero-length issues
  • CVE-2004-0095
    • Policy manager allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value.
  • CVE-2004-0826
    • Heap-based buffer overflow in library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.
  • CVE-2004-0808
    • When domain logons are enabled, server allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided.
  • CVE-2002-1357
    • Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code.
  • CVE-2004-0774
    • Server allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1.
  • CVE-2004-0989
    • Multiple buffer overflows in xml library that may allow remote attackers to execute arbitrary code via long URLs.
  • CVE-2004-0568
    • Application does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.
  • CVE-2003-0327
    • Server allows remote attackers to cause a denial of service via a remote password array with an invalid length, which triggers a heap-based buffer overflow.
  • CVE-2003-0345
    • Product allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required.
  • CVE-2004-0430
    • Server allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.
  • CVE-2005-0064
    • PDF viewer allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.
  • CVE-2004-0413
    • SVN client trusts the length field of SVN protocol URL strings, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow.
  • CVE-2004-0940
    • Is effectively an accidental double increment of a counter that prevents a length check conditional from exiting a loop.
CWE

CWE-1300 – Improper Protection of Physical Side Channels

Read Time:59 Second

Description

The device does not contain sufficient protection
mechanisms to prevent physical side channels from exposing
sensitive information due to patterns in physically observable
phenomena such as variations in power consumption,
electromagnetic emissions (EME), or acoustic emissions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-203
CWE-203

 

Consequences

Confidentiality: Read Memory, Read Application Data

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Apply blinding or masking techniques to implementations of cryptographic algorithms.

Phase: Implementation

Description: 

Add shielding or tamper-resistant protections to the device to increase the difficulty of obtaining measurements of the side-channel.

CVE References

  • CVE-2021-3011
    • electromagnetic-wave side-channel in security-related microcontrollers allows extraction of private key
  • CVE-2013-4576
    • message encryption software uses certain instruction sequences that allows RSA key extraction using a chosen-ciphertext attack and acoustic cryptanalysis
  • CVE-2020-28368
    • virtualization product allows recovery of AES keys from the guest OS using a side channel attack against a power/energy monitoring interface.
  • CVE-2019-18673
    • power consumption varies based on number of pixels being illuminated in a display, allowing reading of secrets such as the PIN by using the USB interface to measure power consumption