Szczegóły CWE-1304

CWE-1304

Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
Draft
2020-08-20
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Zarządzaj powiadomieniami

Nazwa: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation

The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.

Informacje ogólne

Sposoby wprowadzenia

Architecture and Design : Weakness introduced via missing internal integrity guarantees during power save/restore
Integration : Weakness introduced via missing external integrity verification during power save/restore

Odpowiednie platformy

Język

Class: Not Language-Specific (Undetermined)

Systemy operacyjne

Class: Not OS-Specific (Undetermined)

Architektury

Class: Not Architecture-Specific (Undetermined)

Technologie

Class: Not Technology-Specific (Undetermined)

Typowe konsekwencje

Zakres Wpływ Prawdopodobieństwo
Confidentiality
Integrity		DoS: Instability, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Other), Gain Privileges or Assume Identity, Bypass Protection Mechanism, Alter Execution Logic, Quality Degradation, Unexpected State, Reduce Maintainability, Reduce Performance, Reduce ReliabilityHigh

Potencjalne środki zaradcze

Phases : Architecture and Design
Inside the IP, incorporate integrity checking on the configuration state via a cryptographic hash. The hash can be protected inside the IP such as by storing it in internal registers which never lose power. Before powering down, the IP performs a hash of the configuration and saves it in these persistent registers. Upon restore, the IP performs a hash of the saved configuration and compares it with the saved hash. If they do not match, then the IP should not trust the configuration.
Phases : Integration
Outside the IP, incorporate integrity checking of the configuration state via a trusted agent. Before powering down, the trusted agent performs a hash of the configuration and saves the hash in persistent storage. Upon restore, the IP requests the trusted agent validate its current configuration. If the configuration hash is invalid, then the IP should not trust the configuration.
Phases : Integration
Outside the IP, incorporate a protected environment that prevents undetected modification of the configuration state by untrusted agents. Before powering down, a trusted agent saves the IP's configuration state in this protected location that only it is privileged to. Upon restore, the trusted agent loads the saved state into the IP.

Uwagi dotyczące mapowania podatności

Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Powiązane wzorce ataków

CAPEC-ID Nazwa wzorca ataku
CAPEC-176 Configuration/Environment Manipulation
An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

Zgłoszenie

Nazwa Organizacja Data Data wydania Version
Accellera Systems Initiative 2020-07-16 +00:00 2020-08-20 +00:00 4.2

Modyfikacje

Nazwa Organizacja Data Komentarz
CWE Content Team MITRE 2021-03-15 +00:00 updated Functional_Areas
CWE Content Team MITRE 2021-07-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities
Informacje prezentowane na CVE Find pochodzą z kilku starannie wybranych źródeł referencyjnych. Dane CVE są dostarczane przez MITRE Corporation i Narodową Bazę Podatności (NVD). Katalog znanych eksploatowanych podatności (KEV) pochodzi z Agencji ds. Bezpieczeństwa Cyberprzestrzeni i Infrastruktury (CISA), natomiast wyniki EPSS pochodzą z FIRST.org. Ponadto dane dotyczące słabości oprogramowania (CWE) i typowych wzorców ataków (CAPEC) są utrzymywane przez MITRE Corporation, a informacje o konfiguracjach sprzętu i oprogramowania (CPE) są dostarczane przez NVD.