Category: ICS Supply Chain: Common Mode Frailties
Incomplete
Summary
Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1357 | Reliance on Insufficiently Trustworthy Component | This weakness occurs when a system integrates a component that cannot be fully trusted to meet security, reliability, and maintenance standards, creating risk for the entire product. |
| CWE-329 | Generation of Predictable IV with CBC Mode | This vulnerability occurs when software uses a predictable or reused Initialization Vector (IV) with Cipher Block Chaining (CBC) mode encryption. Predictable IVs undermine the security of CBC, making encrypted data vulnerable to dictionary and chosen-plaintext attacks, especially when the same key is used multiple times. |
| CWE-664 | Improper Control of a Resource Through its Lifetime | This vulnerability occurs when software fails to properly manage a resource throughout its entire lifecycle—from creation and active use to its final release or destruction. |
| CWE-693 | Protection Mechanism Failure | This weakness occurs when software either lacks a necessary security control, implements one that is too weak, or fails to activate an existing control in a critical area, leaving it vulnerable to targeted attacks. |
| CWE-707 | Improper Neutralization | This vulnerability occurs when an application fails to properly validate or sanitize structured data before it's received from an external source or sent to another component. This allows malformed messages to be processed, which can lead to misinterpretation and security breaches. |
| CWE-710 | Improper Adherence to Coding Standards | This weakness occurs when developers don't consistently follow established coding standards and best practices, which can introduce security flaws or make existing vulnerabilities more severe. |
| CWE-1358 | Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.