Detalle CWE-1314

CWE-1314

Missing Write Protection for Parametric Data Values
Draft
2020-12-10
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Missing Write Protection for Parametric Data Values

The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.

Informaciones generales

Modos de introducción

Architecture and Design : The lack of a requirement to protect parametric values may contribute to this weakness.
Implementation : The lack of parametric value protection may be a cause of this weakness.

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Sistemas operativos

Class: Not OS-Specific (Undetermined)

Arquitecturas

Class: Not Architecture-Specific (Undetermined)

Tecnologías

Name: Sensor Hardware (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
AvailabilityQuality Degradation, DoS: Resource Consumption (Other)

Note: Sensor value manipulation, particularly thermal or power, may allow physical damage to occur or disabling of the device by a false fault shutdown causing a Denial-Of-Service.		High

Ejemplos observados

Referencias Descripción

CVE-2017-8252

Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice and Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.

Mitigaciones potenciales

Phases : Architecture and Design
Access controls for sensor blocks should ensure that only trusted software is allowed to change threshold limits and sensor parametric data.

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

Referencias

REF-1082

CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management
Adrian Tang, Simha Sethumadhavan, Salvatore Stolfo.
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
Hareesh Khattri, Parbati K. Manna, and Arun Kanuparthi Intel Corporation 2020-07-14 +00:00 2020-12-10 +00:00 4.3

Modificaciones

Nombre Organización Fecha Comentario
CWE Content Team MITRE 2022-04-28 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2022-06-28 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.