Tag Archives: CVE-2019-18827

CWE-362 – Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

Read Time:4 Minute, 3 Second

Description

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-691

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

When a race condition makes it possible to bypass a resource cleanup routine or trigger multiple initialization routines, it may lead to resource exhaustion (CWE-400).

Availability: DoS: Crash, Exit, or Restart, DoS: Instability

When a race condition allows multiple control flows to access a resource simultaneously, it might lead the program(s) into unexpected states, possibly resulting in a crash.

Confidentiality, Integrity: Read Files or Directories, Read Application Data

When a race condition is combined with predictable resource names and loose permissions, it may be possible for an attacker to overwrite or access confidential data (CWE-59).

 

Potential Mitigations

Phase: Architecture and Design

Description: 

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Phase: Architecture and Design

Description: 

Use thread-safe capabilities such as the data access abstraction in Spring.

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

When using multithreading and operating on shared variables, only use thread-safe functions.

Phase: Implementation

Description: 

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as “x++”. This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Phase: Implementation

Description: 

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Phase: Implementation

Description: 

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Phase: Implementation

Description: 

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Phase: Implementation

Description: 

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Phase: Architecture and Design, Operation

Description: 

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CVE References

  • CVE-2019-18827
    • chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys
  • CVE-2014-8273
    • Chain: chipset has a race condition (CWE-362) between when an interrupt handler detects an attempt to write-enable the BIOS (in violation of the lock bit), and when the handler resets the write-enable bit back to 0, allowing attackers to issue BIOS writes during the timing window [REF-1237].
  • CVE-2008-5044
    • Race condition leading to a crash by calling a hook removal procedure while other activities are occurring at the same time.
  • CVE-2008-2958
    • chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
  • CVE-2008-1570
    • chain: time-of-check time-of-use (TOCTOU) race condition in program allows bypass of protection mechanism that was designed to prevent symlink attacks.
  • CVE-2008-0058
    • Unsynchronized caching operation enables a race condition that causes messages to be sent to a deallocated object.
  • CVE-2008-0379
    • Race condition during initialization triggers a buffer overflow.
  • CVE-2007-6599
    • Daemon crash by quickly performing operations and undoing them, which eventually leads to an operation that does not acquire a lock.
  • CVE-2007-6180
    • chain: race condition triggers NULL pointer dereference
  • CVE-2007-5794
    • Race condition in library function could cause data to be sent to the wrong process.
  • CVE-2007-3970
    • Race condition in file parser leads to heap corruption.
  • CVE-2008-5021
    • chain: race condition allows attacker to access an object while it is still being initialized, causing software to access uninitialized memory.
  • CVE-2009-4895
    • chain: race condition for an argument value, possibly resulting in NULL dereference
  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
  • CVE-2006-5051
    • Chain: Signal handler contains too much functionality (CWE-828), introducing a race condition (CWE-362) that leads to a double free (CWE-415).

CWE-1244 – Internal Asset Exposed to Unsafe Debug Access Level or State

Read Time:50 Second

Description

The product uses physical debug or test
interfaces with support for multiple access levels, but it
assigns the wrong debug access level to an internal asset,
providing unintended access to the asset from untrusted debug
agents.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-863

 

Consequences

Confidentiality: Read Memory

Integrity: Modify Memory

Authorization, Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design, Implementation

Effectiveness: High

Description: 

Phase: Architecture and Design

Effectiveness: Limited

Description: 

Apply blinding [REF-1219] or masking techniques in strategic areas.

Phase: Implementation

Effectiveness: Limited

Description: 

Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces.

CVE References

  • CVE-2019-18827
    • After ROM code execution, JTAG access is disabled. But before the ROM code is executed, JTAG access is possible, allowing a user full system access. This allows a user to modify the boot flow and successfully bypass the secure-boot process.

CWE-1191 – On-Chip Debug and Test Interface With Improper Access Control

Read Time:46 Second

Description

The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-284

 

Consequences

Confidentiality: Read Application Data

Confidentiality: Read Memory

Authorization: Execute Unauthorized Code or Commands

Integrity: Modify Memory

Integrity: Modify Application Data

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: High

Description: 

If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.

CVE References

  • CVE-2019-18827
    • chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys