CWE-1310 Details

CWE-1310

Missing Ability to Patch ROM Code
Draft
2020-12-10 00h00 +00:00
2025-12-11 00h00 +00:00

Name: Missing Ability to Patch ROM Code

Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.

General Information

Modes of Introduction

Architecture and Design : This issue could be introduced during hardware architecture and design and can be identified later during Testing.
Implementation : This issue could be introduced during implementation and can be identified later during Testing.
Integration : This issue could be introduced during integration and can be identified later during Testing.
Manufacturing : This issue could be introduced during manufacturing and can be identified later during Testing.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Operating Systems

Class: Not OS-Specific (Undetermined)

Architectures

Class: Not Architecture-Specific (Undetermined)

Technologies

Class: System on Chip (Undetermined)

Common Consequences

Scope : Other
Impact : Varies by Context, Reduce Maintainability
Likelihood : High
Note : When the system is unable to be patched, it can be left in a vulnerable state.

Potential Mitigations

Phases : Architecture and Design // Implementation
Secure patch support to allow ROM code to be patched on the next boot.
Phases : Architecture and Design // Implementation
Support patches that can be programmed in-field or during manufacturing through hardware fuses. This feature can be used for limited patching of devices after shipping, or for the next batch of silicon devices manufactured, without changing the full device ROM.
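
The fuse-based mitigation above, sketched as a software model in C. This is an added example, not part of the CWE entry or any vendor's ROM; the slot layout, table sizes and all function names are assumptions, and authentication of the patch contents is not modeled.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model: slot layout, sizes and all names are assumptions. */
#define PATCH_SLOTS 4
#define ROM_FUNCS   2
#define PATCH_COUNT 1

typedef int (*rom_fn)(int);

/* One fuse-backed patch slot; real OTP bits can only go from 0 to 1. */
struct patch_slot {
    uint8_t valid;    /* blown when the slot is programmed */
    uint8_t revoked;  /* blown later to retire a bad patch */
    uint8_t func_id;  /* ROM routine being replaced */
    uint8_t patch_id; /* index into the patch-code table */
};

static struct patch_slot fuses[PATCH_SLOTS]; /* all zero: unprogrammed part */
/* Mask-ROM routine with a defect: missing upper bound on len. */
static int rom_check_len(int len) { return len >= 0; }
/* Corrected routine delivered as a patch. */
static int patch_check_len(int len) { return len >= 0 && len <= 256; }

static const rom_fn rom_table[ROM_FUNCS] = { rom_check_len, NULL };
static const rom_fn patch_table[PATCH_COUNT] = { patch_check_len };

/* Burn the next free slot; -1 on bad arguments or exhausted fuses. */
int fuse_program_patch(uint8_t func_id, uint8_t patch_id)
{
    if (func_id >= ROM_FUNCS || patch_id >= PATCH_COUNT) return -1;
    for (int i = 0; i < PATCH_SLOTS; i++)
        if (!fuses[i].valid) {
            fuses[i] = (struct patch_slot){ 1, 0, func_id, patch_id };
            return i;
        }
    return -1;
}

/* Boot-time lookup: the newest valid, unrevoked slot overrides the ROM entry. */
rom_fn rom_resolve(uint8_t func_id)
{
    rom_fn fn = (func_id < ROM_FUNCS) ? rom_table[func_id] : NULL;
    for (int i = 0; i < PATCH_SLOTS; i++)
        if (fuses[i].valid && !fuses[i].revoked &&
            fuses[i].func_id == func_id && fuses[i].patch_id < PATCH_COUNT)
            fn = patch_table[fuses[i].patch_id];
    return fn;
}
```

The fixed number of slots is what makes this "limited patching": once every slot is blown, the part is back in the unpatchable state this weakness describes.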

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-682 Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities
An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.

References

REF-1396

riscv_peripherals.sv line 534
https://github.com/HACK-EVENT/hackatdac21/blob/75e5c0700b5a02e744f006fe8a09ff3c2ccdd32d/piton/design/chip/tile/ariane/openpiton/riscv_peripherals.sv#L534

REF-1397

Fix for riscv_peripherals.sv line 534
https://github.com/HACK-EVENT/hackatdac21/blob/cwe_1310_riscv_peripheral/piton/design/chip/tile/ariane/openpiton/riscv_peripherals.sv#L534

Submission

Name Organization Date Release Date Version
Narasimha Kumar V Mangipudi Intel Corporation 2020-04-25 +00:00 2020-12-10 +00:00 4.3

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2021-03-15 +00:00 updated Maintenance_Notes
CWE Content Team MITRE 2021-07-20 +00:00 updated Demonstrative_Examples, Maintenance_Notes
CWE Content Team MITRE 2022-04-28 +00:00 updated Applicable_Platforms, Common_Consequences, Potential_Mitigations, Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated References, Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities