Improper Protection for Outbound Error Messages and Alert Signals

Draft Base

Structure: Simple

Description

This vulnerability occurs when hardware alert systems for critical conditions, like overheating or power surges, lack proper security. Untrusted software or agents can disable these warnings or trigger false alarms, preventing the system from taking protective actions.

Extended Description

Hardware devices use sensors to monitor safe operating limits, such as temperature or voltage. These thresholds are typically set by trusted firmware (like BIOS) or hardware fuses. When a sensor detects a dangerous out-of-bounds condition, it should generate a secure alert signal that triggers a protective response—like throttling performance or shutting down to prevent damage. If these alert signals are not properly secured, malicious or untrusted software can interfere. Attackers can mask genuine alerts to let the hardware operate unsafely, or generate false alarms to cause performance degradation or a denial-of-service (DoS). This is commonly seen with thermal and power sensors, where compromised alerts can lead to hardware failure or reduced system availability.

Common Consequences 1

Scope: Availability

Impact: DoS: InstabilityDoS: Crash, Exit, or RestartReduce ReliabilityUnexpected State

Potential Mitigations 1

Phase: Architecture and Design

Alert signals generated by critical events should be protected from access by untrusted agents. Only hardware or trusted firmware modules should be able to alter the alert configuration.

Demonstrative Examples 1

Consider a platform design where a Digital-Thermal Sensor (DTS) is used to monitor temperature and compare that output against a threshold value. If the temperature output equals or exceeds the threshold value, the DTS unit sends an alert signal to the processor. The processor, upon getting the alert, input triggers system shutdown. The alert signal is handled as a General-Purpose-I/O (GPIO) pin in input mode.

Code Example:

Bad

Other

The processor-GPIO controller exposes software-programmable controls that allow untrusted software to reprogram the state of the GPIO pin.

Reprogramming the state of the GPIO pin allows malicious software to trigger spurious alerts or to set the alert pin to a zero value so that thermal sensor alerts are not received by the processor.

Code Example:

Good

Other

The GPIO alert-signal pin is blocked from untrusted software access and is controlled only by trusted software, such as the System BIOS.

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

System on Chip : UndeterminedMicrocontroller Hardware : UndeterminedMemory Hardware : UndeterminedPower Management Hardware : UndeterminedProcessor Hardware : UndeterminedTest/Debug Hardware : UndeterminedSensor Hardware : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Attack Patterns

Related Weaknesses

ChildOf:

Improper Access Control (CWE-284)