CWE-1190
DMA Device Enabled Too Early in Boot Phase
Draft
2020-02-24
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: DMA Device Enabled Too Early in Boot Phase
The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.
CWE Description
DMA is included in a number of devices because it allows data transfer between the computer and the connected device, using direct hardware access to read or write directly to main memory without any OS interaction. An attacker could exploit this to access secrets. Several virtualization-based mitigations have been introduced to thwart DMA attacks. These are usually configured/setup during boot time. However, certain IPs that are powered up before boot is complete (known as early boot IPs) may be DMA capable. Such IPs, if not trusted, could launch DMA attacks and gain access to assets that should otherwise be protected.
General Informations
Modes Of Introduction
Architecture and DesignApplicable Platforms
Language
Class: Not Language-Specific (Undetermined)Technologies
Class: System on Chip (Undetermined)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Access Control | Bypass Protection Mechanism, Modify Memory Note: DMA devices have direct write access to main memory and due to time of attack will be able to bypass OS or Bootloader access control. | High |
Potential Mitigations
Phases : Architecture and DesignUtilize an IOMMU to orchestrate IO access from the start of the boot process.
Vulnerability Mapping Notes
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Related Attack Patterns
| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-180 | Exploiting Incorrectly Configured Access Control Security Levels An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. |
References
REF-1038
DMA attackhttps://en.wikipedia.org/wiki/DMA_attack
REF-1039
Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy PeripheralsA. Theodore Markettos, Colin Rothwell, Brett F. Gutstein, Allison Pearce, Peter G. Neumann, Simon W. Moore, Robert N. M. Watson.
https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05A-1_Markettos_paper.pdf
REF-1040
FireWire all your memory are belong to usMaximillian Dornseif, Michael Becher, Christian N. Klein.
http://www.orkspace.net/secdocs/Conferences/CanSecWest/2005/0wn3d%20by%20an%20iPod%20-%20Firewire1394%20Issues.pdf
REF-1041
Integrating DMA attacks in exploitation frameworksRory Breuk, Albert Spruyt, Adam Boileau.
https://www.os3.nl/_media/2011-2012/courses/rp1/p14_report.pdf
REF-1042
Owned by an iPodMaximillian Dornseif.
https://web.archive.org/web/20060505224959/https://pacsec.jp/psj04/psj04-dornseif-e.ppt
REF-1044
My aimful lifeDmytro Oleksiuk.
http://blog.cr4.sh/2015/09/breaking-uefi-security-with-software.html
REF-1046
Hit by a Bus:Physical Access Attacks with FirewireA. Theodore Markettos, Adam Boileau.
https://security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf
Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi | Intel Corporation | 4.0 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.