Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm."

Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

| ID | Name | Description |
|---|---|---|
| CWE-1231 | Improper Prevention of Lock Bit Modification | This vulnerability occurs when hardware or firmware uses a lock bit to protect critical system registers or memory regions, but fails to properly prevent that lock bit from being changed after it has been enabled. This design flaw allows attackers to bypass hardware-enforced security restrictions. |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | This vulnerability occurs when a hardware device uses a lock bit to protect critical configuration registers, but the lock fails to prevent writes to all registers that can alter the protected system settings. Essentially, the security mechanism is incomplete, allowing software to bypass it and modify sensitive hardware configurations. |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | This vulnerability occurs when hardware lacks safeguards against physical inspection, allowing attackers to extract sensitive data by capturing and analyzing high-resolution images of the integrated circuit's internal structure. |
| CWE-284 | Improper Access Control | The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it. |
| CWE-1358 | Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CWE-1198 | Privilege Separation and Access Control Issues | Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses. |