CWE-1274 – Improper Access Control for Volatile Memory Containing Boot Code

Read Time:40 Second

Description

The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Access Control, Integrity: Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code.

Phase: Testing

Description: 

Test the volatile-memory protections to ensure they are safe from modification or untrusted code.

CVE References

  • CVE-2019-2267
    • Locked memory regions may be modified through other interfaces in a secure-boot-loader image due to improper access control.