CWE-1299

Name

Missing Protection Mechanism for Alternate Hardware Interface

Status

Draft

Veröffentlicht

2020-08-20
00h00 +00:00

Geändert

2025-12-11
00h00 +00:00

Offizielle Links

CWE Mitre.org

Benachrichtigungen für ein CWE

Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.

Benachrichtigungen verwalten

Benutzerdefinierte Benachrichtigungen

Aktivieren Sie Ihre personalisierten Benachrichtigungen!

Um Ihre Benachrichtigungen zu aktivieren, müssen Sie lediglich in Ihrem kostenlosen Konto angemeldet sein. Falls Sie noch nicht angemeldet sind, wählen Sie eine der folgenden Optionen.

In Ihr Konto einloggen Kostenloses Konto erstellen

Benachrichtigungen für ein CWE

Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.

Parameter

Sie können einen Titel angeben, der in den gesendeten Benachrichtigungen erscheint.

Geben Sie die CWE-ID an, die Sie überwachen möchten.

Planung

Monat

Berechnung des nächsten Ausführungstermins

Tag

Wochentag

Stunde

Minute

Erstellungsdatum

Letzte Ausführung

Nächste Ausführung

Name: Missing Protection Mechanism for Alternate Hardware Interface

The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.

Allgemeine Informationen

Einführungsmodi

Architecture and Design
Implementation

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)

Betriebssysteme

Class: Not OS-Specific (Undetermined)

Architekturen

Class: Not Architecture-Specific (Undetermined)

Technologien

Name: Microcontroller Hardware (Undetermined)
Name: Processor Hardware (Undetermined)
Name: Bus/Interface Hardware (Undetermined)
Class: Not Technology-Specific (Undetermined)

Häufige Konsequenzen

Bereich	Auswirkung	Wahrscheinlichkeit
Confidentiality Integrity Availability Access Control	Modify Memory, Read Memory, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Alter Execution Logic, Bypass Protection Mechanism, Quality Degradation	High

Beobachtete Beispiele

Referenzen	Beschreibung
CVE-2022-38399	Missing protection mechanism on serial connection allows for arbitrary OS command execution.
CVE-2020-9285	Mini-PCI Express slot does not restrict direct memory access.
CVE-2020-8004	When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).
CVE-2017-18293	When GPIO is protected by blocking access to corresponding GPIO resource registers, protection can be bypassed by writing to the corresponding banked GPIO registers instead.
CVE-2020-15483	monitor device allows access to physical UART debug port without authentication

Mögliche Gegenmaßnahmen

Phases : Requirements
Protect assets from accesses against all potential interfaces and alternate paths.
Phases : Architecture and Design
Protect assets from accesses against all potential interfaces and alternate paths.
Phases : Implementation
Protect assets from accesses against all potential interfaces and alternate paths.

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Verwandte Angriffsmuster

CAPEC-ID	Name des Angriffsmusters
CAPEC-457	USB Memory Attacks An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.
CAPEC-554	Functionality Bypass An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary.

Einreichung

Name	Organisation	Datum	Veröffentlichungsdatum	Version
Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi	Intel Corporation	2019-10-02 +00:00	2020-08-20 +00:00	4.2

Änderungen

Name	Organisation	Datum	Kommentar
CWE Content Team	MITRE	2020-12-10 +00:00	updated Relationships
CWE Content Team	MITRE	2021-07-20 +00:00	updated Observed_Examples, Related_Attack_Patterns
CWE Content Team	MITRE	2022-04-28 +00:00	updated Applicable_Platforms, Common_Consequences, Related_Attack_Patterns
CWE Content Team	MITRE	2022-06-28 +00:00	updated Applicable_Platforms
CWE Content Team	MITRE	2023-01-31 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2023-10-26 +00:00	updated Demonstrative_Examples, Observed_Examples
CWE Content Team	MITRE	2024-02-29 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2025-12-11 +00:00	updated Weakness_Ordinalities

CWE-1299 Details