Description
The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-226
CWE-200
Consequences
Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation: Read Memory, Read Application Data
Sensitive information may be used to unlock additional capabilities of the device and take advantage of hidden functionalities which could be used to compromise device security.
Potential Mitigations
Phase: Architecture and Design, Implementation
Description:
During state transitions, information not needed in the next state should be removed before the transition to the next state.
CVE References
- CVE-2020-12926
- Product software does not set a flag as per TPM specifications, thereby preventing a failed authorization attempt from being recorded after a loss of power.
