CWE entries in this view are listed in the 2021 CWE Most Important Hardware Weaknesses List, as determined by the Hardware CWE Special Interest Group (HW CWE SIG).

| Type | Description |
|---|---|
| Hardware Designers | By following this list, hardware designers and implementers are able to significantly reduce the number of weaknesses that occur in their products. |
| Product Customers | Customers can use the weaknesses in this view in order to formulate independent evidence of a claim by a product vendor to have eliminated / mitigated the most dangerous weaknesses. |
| Educators | Educators can use this view to focus curriculum on the most important hardware weaknesses. |

| ID | Name | Description |
|---|---|---|
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) | The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents. |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. |
| CWE-1231 | Improper Prevention of Lock Bit Modification | The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set. |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration. |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation. |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents. |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels. |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | The product allows address regions to overlap, which can result in the bypassing of intended memory protection. |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions. |
| CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory. |
| CWE-1277 | Firmware Not Updateable | The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present. |
| CWE-1300 | Improper Protection of Physical Side Channels | The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions. |