CWE-1059 Detail

CWE-1059

Name

Insufficient Technical Documentation

Status

Incomplete

Published

2019-01-03
00h00 +00:00

Modified

2024-02-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Insufficient Technical Documentation

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.

CWE Description

When technical documentation is limited or lacking, products are more difficult to maintain. This indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities.

When using time-limited or labor-limited third-party/in-house security consulting services (such as threat modeling, vulnerability discovery, or pentesting), insufficient documentation can force those consultants to invest unnecessary time in learning how the product is organized, instead of focusing their expertise on finding the flaws or suggesting effective mitigations.

With respect to hardware design, the lack of a formal, final manufacturer reference can make it difficult or impossible to evaluate the final product, including post-manufacture verification. One cannot ensure that design functionality or operation is within acceptable tolerances, conforms to specifications, and is free from unexpected behavior. Hardware-related documentation may include engineering artifacts such as hardware description language (HDLs), netlists, Gerber files, Bills of Materials, EDA (Electronic Design Automation) tool files, etc.

General Informations

Modes Of Introduction

Architecture and Design
Documentation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)
Class: ICS/OT (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Other	Varies by Context, Hide Activities, Reduce Reliability, Quality Degradation, Reduce Maintainability Note: Without a method of verification, one cannot be sure that everything only functions as expected.

Observed Examples

References	Description
CVE-2022-3203	A wireless access point manual specifies that the only method of configuration is via web interface (CWE-1059), but there is an undisclosed telnet server that was activated by default (CWE-912).

Potential Mitigations

Phases : Documentation // Architecture and Design
Ensure that design documentation is detailed enough to allow for post-manufacturing verification.

Vulnerability Mapping Notes

Justification : This entry is primarily a quality issue with no direct security implications.
Comment : Look for weaknesses that are focused specifically on insecure behaviors that have more direct security implications.

References

REF-1248

Categories of Security Vulnerabilities in ICS
Securing Energy Infrastructure Executive Task Force (SEI ETF).
https://inl.gov/wp-content/uploads/2022/03/SEI-ETF-NCSV-TPT-Categories-of-Security-Vulnerabilities-ICS-v1_03-09-22.pdf

REF-1254

Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff (DRAFT GUIDANCE)
FDA.
https://www.fda.gov/media/119933/download

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2018-07-02 +00:00	2019-01-03 +00:00	3.2

Modifications

Name	Organization	Date	Comment
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2022-04-28 +00:00	updated Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction
CWE Content Team	MITRE	2023-01-31 +00:00	updated Applicable_Platforms, Relationships
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes, Taxonomy_Mappings
CWE Content Team	MITRE	2023-10-26 +00:00	updated Observed_Examples
CWE Content Team	MITRE	2024-02-29 +00:00	updated Mapping_Notes