
CWE-1297 – Unprotected Confidential Information on Device is Accessible by OSAT Vendors


Description

The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-285

 

Consequences

Scope: Confidentiality, Integrity, Access Control, Authentication, Authorization, Availability, Accountability, Non-Repudiation

Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands, Modify Memory, Modify Files or Directories

The impact depends on the confidential information itself and who is inadvertently granted access. For example, if the confidential information is a key that can unlock all the parts of a generation, the impact could be severe.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness: Moderate

Description: 

CVE References