Category: ICS Supply Chain: Poorly Documented or Undocumented Features
Incomplete
Summary
Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1059 | Insufficient Technical Documentation | This weakness occurs when a software or hardware product lacks comprehensive technical documentation. Missing or incomplete details about the system's architecture, interfaces, design, configuration, or operation make it difficult to understand, maintain, and secure the product effectively. |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | This vulnerability occurs when a hardware device or chip includes undocumented configuration bits (often called 'chicken bits') or hidden features that can disable security controls or enable privileged functions. |
| CWE-489 | Active Debug Code | This vulnerability occurs when software is deployed to production with debugging or diagnostic features still enabled and accessible. |
| CWE-912 | Hidden Functionality | Hidden functionality refers to undocumented features, commands, or code within a product that are not part of its official specification and are not obvious to users or administrators. |
| CWE-1358 | Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.