View: Weaknesses Addressed by ISA/IEC 62443 Requirements
Draft
Type: Implicit
Objective
This view (slice) covers weaknesses that are addressed by following requirements in the ISA/IEC 62443 series of standards for industrial automation and control systems (IACS). Members of the CWE ICS/OT SIG analyzed a set of CWEs and mapped them to specific requirements covered by ISA/IEC 62443. These mappings are recorded in Taxonomy_Mapping elements.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1059 | Insufficient Technical Documentation | The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc. |
| CWE-122 | Heap-based Buffer Overflow | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | The device includes chicken bits or undocumented features that can create entry points for unauthorized actors. |
| CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories | The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories. |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability. |
| CWE-1391 | Use of Weak Credentials | The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker. |
| CWE-1395 | Dependency on Vulnerable Third-Party Component | The product has a dependency on a third-party component that contains one or more known vulnerabilities. |
| CWE-190 | Integer Overflow or Wraparound | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-250 | Execution with Unnecessary Privileges | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
| CWE-256 | Plaintext Storage of a Password | The product stores a password in plaintext within resources such as memory or files. |
| CWE-269 | Improper Privilege Management | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-276 | Incorrect Default Permissions | During installation, installed file permissions are set to allow anyone to modify those files. |
| CWE-287 | Improper Authentication | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-306 | Missing Authentication for Critical Function | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-311 | Missing Encryption of Sensitive Data | The product does not encrypt sensitive or critical information before storage or transmission. |
| CWE-312 | Cleartext Storage of Sensitive Information | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CWE-319 | Cleartext Transmission of Sensitive Information | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CWE-321 | Use of Hard-coded Cryptographic Key | The product uses a hard-coded, unchangeable cryptographic key. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The product uses a broken or risky cryptographic algorithm or protocol. |
| CWE-346 | Origin Validation Error | The product does not properly verify that the source of data or communication is valid. |
| CWE-347 | Improper Verification of Cryptographic Signature | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
| CWE-353 | Missing Support for Integrity Check | The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum. |
| CWE-354 | Improper Validation of Integrity Check Value | The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. |
| CWE-400 | Uncontrolled Resource Consumption | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-416 | Use After Free | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. |
| CWE-655 | Insufficient Psychological Acceptability | The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. |
| CWE-657 | Violation of Secure Design Principles | The product violates well-established principles for secure design. |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-771 | Missing Reference to Active Allocated Resource | The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. |
| CWE-779 | Logging of Excessive Data | The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack. |
| CWE-787 | Out-of-bounds Write | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-798 | Use of Hard-coded Credentials | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-862 | Missing Authorization | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-863 | Incorrect Authorization | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-920 | Improper Restriction of Power Consumption | The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes. |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Mapping Notes
Usage: Prohibited
Reasons: View
Rationale:
This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.
Comment:
Use this View or other Views to search and navigate for the appropriate weakness.