Détail du CWE-1282

CWE-1282

Assumed-Immutable Data is Stored in Writable Memory
Incomplete
2020-02-24
00h00 +00:00
2023-06-29
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Assumed-Immutable Data is Stored in Writable Memory

Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.

Description du CWE

Security services such as secure boot, authentication of code and data, and device attestation all require assets such as the first stage bootloader, public keys, golden hash digests, etc. which are implicitly trusted. Storing these assets in read-only memory (ROM), fuses, or one-time programmable (OTP) memory provides strong integrity guarantees and provides a root of trust for securing the rest of the system. Security is lost if assets assumed to be immutable can be modified.

Informations générales

Modes d'introduction

Implementation : Keys, code, configuration settings, and other data should be programmed in write-once or read-only memory instead of writable memory.

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Systèmes d’exploitation

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)

Conséquences courantes

Portée Impact Probabilité
IntegrityVaries by Context

Mesures d’atténuation potentielles

Phases : Implementation
All immutable code or data should be programmed into ROM or write-once memory.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Modèles d'attaque associés

CAPEC-ID Nom du modèle d'attaque
CAPEC-458 Flash Memory Attacks
An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device.
CAPEC-679 Exploitation of Improperly Configured or Implemented Memory Protections

An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.

NotesNotes

This entry is still under development and will continue to see updates and content improvements.
As of CWE 4.3, CWE-1282 and CWE-1233 are being investigated for potential duplication or overlap.

Soumission

Nom Organisation Date Date de publication Version
Nicole Fern Cycuity (originally submitted as Tortuga Logic) 2020-05-15 +00:00 2020-02-24 +00:00 4.1

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2020-08-20 +00:00 updated Demonstrative_Examples, Description, Modes_of_Introduction, Name
CWE Content Team MITRE 2021-03-15 +00:00 updated Maintenance_Notes
CWE Content Team MITRE 2021-07-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2022-04-28 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-01-31 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes