Debug Messages Revealing Unnecessary Information

Incomplete Base

Structure: Simple

Description

The product's debug messages or logs expose excessive internal system details, potentially revealing sensitive information that could aid an attacker.

Extended Description

Debug messages are essential for developers to diagnose issues by showing the system's internal state, such as memory dumps, boot logs, or low-level hardware data exposed through interfaces like UART or scan chains. While more detailed logs make troubleshooting easier, they also risk exposing information that could help an attacker identify vulnerabilities or understand the system's architecture. Relying solely on hiding information (security through obscurity) is not a safe strategy, but it can be a useful layer within a broader defense-in-depth approach. Unnecessary details in debug output lower this protective layer, making it easier for attackers to piece together an attack even when other security controls are in place.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailabilityAccess ControlAccountabilityAuthenticationAuthorizationNon-Repudiation

Impact: Read MemoryBypass Protection MechanismGain Privileges or Assume IdentityVaries by Context

Potential Mitigations 1

Phase: Implementation

Ensure that a debug message does not reveal any unnecessary information during the debug process for the intended response.

Demonstrative Examples 1

This example here shows how an attacker can take advantage of unnecessary information in debug messages.

Example 1: Suppose in response to a Test Access Port (TAP) chaining request the debug message also reveals the current TAP hierarchy (the full topology) in addition to the success/failure message.

Example 2: In response to a password-filling request, the debug message, instead of a simple Granted/Denied response, prints an elaborate message, "The user-entered password does not match the actual password stored in <directory name>."

The result of the above examples is that the user is able to gather additional unauthorized information about the system from the debug messages.

The solution is to ensure that Debug messages do not reveal additional details.

Observed Examples 3

CVE-2021-25476Digital Rights Management (DRM) capability for mobile platform leaks pointer information, simplifying ASLR bypass

CVE-2020-24491Processor generates debug message that contains sensitive information ("addresses of memory transactions").

CVE-2017-18326modem debug messages include cryptographic keys

References 1

Android Security Bulletin - December 2018

https://source.android.com/docs/security/bulletin/2018-12-01(2025-08-04)

ID: REF-1112

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

Not Technology-Specific : Undetermined

Modes of Introduction

Implementation

Related Attack Patterns

121
Stack-based Buffer Overflow

Related Weaknesses

ChildOf:

Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

PeerOf:

Generation of Error Message Containing Sensitive Information (CWE-209)