Szczegóły CWE-1274

CWE-1274

Improper Access Control for Volatile Memory Containing Boot Code
Stable
2020-02-24
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Zarządzaj powiadomieniami

Nazwa: Improper Access Control for Volatile Memory Containing Boot Code

The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.

Informacje ogólne

Sposoby wprowadzenia

Architecture and Design : This weakness can be introduced during hardware architecture or design but can be identified later during testing.

Odpowiednie platformy

Język

Class: Not Language-Specific (Undetermined)

Systemy operacyjne

Class: Not OS-Specific (Undetermined)

Architektury

Class: Not Architecture-Specific (Undetermined)

Technologie

Class: Not Technology-Specific (Undetermined)

Typowe konsekwencje

Zakres Wpływ Prawdopodobieństwo
Access Control
Integrity		Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Note: If the volatile-memory-region protections or access controls are insufficient to prevent modifications from an adversary or untrusted agent, the secure boot may be bypassed or replaced with the execution of an adversary's code.		High

Zaobserwowane przykłady

Odniesienia Opis

CVE-2019-2267

Locked memory regions may be modified through other interfaces in a secure-boot-loader image due to improper access control.

Potencjalne środki zaradcze

Phases : Architecture and Design
Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code.
Phases : Testing
Test the volatile-memory protections to ensure they are safe from modification or untrusted code.

Metody wykrywania

Manual Analysis

Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.
Skuteczność : High

Manual Analysis

Skuteczność : Moderate

Uwagi dotyczące mapowania podatności

Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Powiązane wzorce ataków

CAPEC-ID Nazwa wzorca ataku
CAPEC-456 Infected Memory
An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain.
CAPEC-679 Exploitation of Improperly Configured or Implemented Memory Protections

Zgłoszenie

Nazwa Organizacja Data Data wydania Version
Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi Intel Corporation 2020-04-25 +00:00 2020-02-24 +00:00 4.1

Modyfikacje

Nazwa Organizacja Data Komentarz
CWE Content Team MITRE 2020-08-20 +00:00 updated Demonstrative_Examples, Description, Related_Attack_Patterns
CWE Content Team MITRE 2021-10-28 +00:00 updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, Relationships, Weakness_Ordinalities
CWE Content Team MITRE 2022-04-28 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-01-31 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Detection_Factors
CWE Content Team MITRE 2025-04-03 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2025-12-11 +00:00 updated Common_Consequences, Description
Informacje prezentowane na CVE Find pochodzą z kilku starannie wybranych źródeł referencyjnych. Dane CVE są dostarczane przez MITRE Corporation i Narodową Bazę Podatności (NVD). Katalog znanych eksploatowanych podatności (KEV) pochodzi z Agencji ds. Bezpieczeństwa Cyberprzestrzeni i Infrastruktury (CISA), natomiast wyniki EPSS pochodzą z FIRST.org. Ponadto dane dotyczące słabości oprogramowania (CWE) i typowych wzorców ataków (CAPEC) są utrzymywane przez MITRE Corporation, a informacje o konfiguracjach sprzętu i oprogramowania (CPE) są dostarczane przez NVD.