CWE-1276
Hardware Child Block Incorrectly Connected to Parent System
Incomplete
2020-02-24
00h00 +00:00
00h00 +00:00
2023-10-26
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Hardware Child Block Incorrectly Connected to Parent System
Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.
Description du CWE
Individual hardware IP must communicate with the parent system in order for the product to function correctly and as intended. If implemented incorrectly, while not causing any apparent functional issues, may cause security issues. For example, if the IP should only be reset by a system-wide hard reset, but instead the reset input is connected to a software-triggered debug mode reset (which is also asserted during a hard reset), integrity of data inside the IP can be violated.
Informations générales
Modes d'introduction
Implementation : This weakness is introduced when integrating IP into a parent design.Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Systèmes d’exploitation
Class: Not OS-Specific (Undetermined)Architectures
Class: Not Architecture-Specific (Undetermined)Technologies
Class: Not Technology-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality Integrity Availability | Varies by Context |
Mesures d’atténuation potentielles
Phases : TestingSystem-level verification may be used to ensure that components are correctly connected and that design security requirements are not violated due to interactions between various IP blocks.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-1362
ariane.svhttps://github.com/HACK-EVENT/hackatdac21/blob/b9ecdf6068445d76d6bee692d163fededf7a9d9b/piton/design/chip/tile/ariane/src/ariane.sv#L539:L540
REF-1363
Fix CWE-1276https://github.com/HACK-EVENT/hackatdac21/blob/9a796ee83e21f59476d4b0a68ec3d8e8d5148214/piton/design/chip/tile/ariane/src/ariane.sv#L539:L540
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| Nicole Fern | Cycuity (originally submitted as Tortuga Logic) | 4.1 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, References |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.