Modes Of Introduction
Architecture and Design : Such issues can be introduced during hardware architecture or design and can be identified later during Testing or System Configuration phases.
Implementation : If the access-controls which protecting the reporting registers are misconfigured during implementation, this weakness can arise.
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Operating Systems
Class: Not OS-Specific (Undetermined)
Architectures
Class: Not Architecture-Specific (Undetermined)
Technologies
Class: Not Technology-Specific (Undetermined)
Common Consequences
Scope |
Impact |
Likelihood |
Confidentiality | Read Memory, Read Application Data | |
Potential Mitigations
Phases : Architecture and Design
Measurement data should be stored in registers that are read-only or otherwise have access controls that prevent modification by an untrusted agent.
Vulnerability Mapping Notes
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Related Attack Patterns
CAPEC-ID |
Attack Pattern Name |
CAPEC-680 |
Exploitation of Improperly Controlled Registers
An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.
|
NotesNotes
This entry is still in development and will continue to see updates and content improvements.
References
REF-1107
PCIe Device Measurement Requirements
Intel Corporation.
https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf REF-1131
BIOS Chronomancy: Fixing the Core Root of Trust for Measurement
John Butterworth, Cory Kallenberg, Xeno Kovah.
https://media.blackhat.com/us-13/US-13-Butterworth-BIOS-Security-Slides.pdf
Submission
Name |
Organization |
Date |
Date release |
Version |
Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi |
Intel Corporation |
2020-04-25 +00:00 |
2020-02-24 +00:00 |
4.1 |
Modifications
Name |
Organization |
Date |
Comment |
CWE Content Team |
MITRE |
2020-08-20 +00:00 |
updated References, Related_Attack_Patterns |
CWE Content Team |
MITRE |
2022-04-28 +00:00 |
updated Related_Attack_Patterns |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |