Read Time:58 Second

Description

The product’s design or architecture is built from multiple separate components, but one or more components are not under complete control of the developer, such as a third-party software library or a physical component that is built by an original equipment manufacturer (OEM).

Modes of Introduction:

– Requirements

 

 

Related Weaknesses

CWE-710

 

Consequences

Other: Reduce Maintainability

 

Potential Mitigations

Phase: Architecture and Design, Implementation, Integration, Manufacturing

Description: 

Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], “An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships.”

Phase: Operation, Patching and Maintenance

Description: 

Continue to monitor changes in each of the product’s components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.

CVE References

  • CVE-2020-9054
    • Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are “end-of-support” and cannot be patched (CWE-1277). [REF-1097]