CWE-1314 Detalhe

CWE-1314

Missing Write Protection for Parametric Data Values
Draft
2020-12-10
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Missing Write Protection for Parametric Data Values

The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.

Informações Gerais

Modos de Introdução

Architecture and Design : The lack of a requirement to protect parametric values may contribute to this weakness.
Implementation : The lack of parametric value protection may be a cause of this weakness.

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Sistemas Operacionais

Class: Not OS-Specific (Undetermined)

Arquiteturas

Class: Not Architecture-Specific (Undetermined)

Tecnologias

Name: Sensor Hardware (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
AvailabilityQuality Degradation, DoS: Resource Consumption (Other)

Note: Sensor value manipulation, particularly thermal or power, may allow physical damage to occur or disabling of the device by a false fault shutdown causing a Denial-Of-Service.		High

Exemplos Observados

Referências Descrição

CVE-2017-8252

Kernel can inject faults in computations during the execution of TrustZone leading to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice and Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking.

Mitigações Potenciais

Phases : Architecture and Design
Access controls for sensor blocks should ensure that only trusted software is allowed to change threshold limits and sensor parametric data.

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Padrões de Ataque Relacionados

CAPEC-ID Nome do Padrão de Ataque
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

Referências

REF-1082

CLKSCREW: Exposing the Perils of Security-Oblivious Energy Management
Adrian Tang, Simha Sethumadhavan, Salvatore Stolfo.
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf

Submissão

Nome Organização Data Data de lançamento Version
Hareesh Khattri, Parbati K. Manna, and Arun Kanuparthi Intel Corporation 2020-07-14 +00:00 2020-12-10 +00:00 4.3

Modificações

Nome Organização Data Comentário
CWE Content Team MITRE 2022-04-28 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2022-06-28 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Weakness_Ordinalities
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.