Check 2 devices for their passcode to authenticate access to JTAG/debugging ports. If the passcodes are missing or the same, update the design to fix and retest. Check communications over JTAG/debugging ports for encryption. If the communications are not encrypted, fix the design and retest.
CWE-1244 Base Stable
Internal Asset Exposed to Unsafe Debug Access Level or State
This vulnerability occurs when a system's debug or test interface supports multiple access levels, but an internal asset is incorrectly assigned a permissive debug access level. This mistake allows…
Definition
What is CWE-1244?
This vulnerability occurs when a system's debug or test interface supports multiple access levels, but an internal asset is incorrectly assigned a permissive debug access level. This mistake allows untrusted debug agents to access sensitive internal assets they should not be able to reach.
Modern debug and test interfaces often implement tiered access control, where different internal components become accessible based on the currently authorized debug level or the system's operational state. This authorization isn't just about passwords; it can also depend on the boot stage or system mode. For instance, full debug access might only be permitted immediately after a reset to prevent leakage of data from a previous session.
If this protection fails and an internal asset is exposed at an unsafe debug level during a specific state or boot phase, an attacker with debugger access can exploit this to read sensitive information. The core failure is the system's inability to correctly map and enforce the appropriate debug access level for each asset as the system state changes, creating a window of unintended exposure.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-1244
-
After ROM code execution, JTAG access is disabled. But before the ROM code is executed, JTAG access is possible, allowing a user full system access. This allows a user to modify the boot flow and successfully bypass the secure-boot process.
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
The JTAG interface is used to perform debugging and provide CPU core access for developers. JTAG-access protection is implemented as part of the JTAG_SHIELD bit in the hw_digctl_ctrl register. This register has no default value at power up and is set only after the system boots from ROM and control is transferred to the user software.
- 2
This means that since the end user has access to JTAG at system reset and during ROM code execution before control is transferred to user software, a JTAG user can modify the boot flow and subsequently disclose all CPU information, including data-encryption keys.
- 3
The example code below is taken from the CVA6 processor core of the HACK@DAC'21 buggy OpenPiton SoC. Debug access allows users to access internal hardware registers that are otherwise not exposed for user access or restricted access through access control protocols. Hence, requests to enter debug mode are checked and authorized only if the processor has sufficient privileges. In addition, debug accesses are also locked behind password checkers. Thus, the processor enters debug mode only when the privilege level requirement is met, and the correct debug password is provided.
- 4
The following code [REF-1377] illustrates an instance of a vulnerable implementation of debug mode. The core correctly checks if the debug requests have sufficient privileges and enables the debug_mode_d and debug_mode_q signals. It also correctly checks for debug password and enables umode_i signal.
- 5
However, it grants debug access and changes the privilege level, priv_lvl_o, even when one of the two checks is satisfied and the other is not. Because of this, debug access can be granted by simply requesting with sufficient privileges (i.e., debug_mode_q is enabled) and failing the password check (i.e., umode_i is disabled). This allows an attacker to bypass the debug password checking and gain debug access to the core, compromising the security of the processor.
Verwundbares Codebeispiel
Vulnerable Other
The JTAG interface is used to perform debugging and provide CPU core access for developers. JTAG-access protection is implemented as part of the JTAG_SHIELD bit in the hw_digctl_ctrl register. This register has no default value at power up and is set only after the system boots from ROM and control is transferred to the user software.
| |
|
| 1 bit | 0x0 = JTAG debugger is enabled (default) |
| JTAG_SHIELD | 0x1 = JTAG debugger is disabled | Sicheres Codebeispiel
Secure Verilog
A fix to this issue is to only change the privilege level of the processor when both checks are satisfied, i.e., the request has enough privileges (i.e., debug_mode_q is enabled) and the password checking is successful (i.e., umode_i is enabled) [REF-1378].
module csr_regfile #(
...
```
// check that we actually want to enter debug depending on the privilege level we are currently in
unique case (priv_lvl_o)
riscv::PRIV_LVL_M: begin
debug_mode_d = dcsr_q.ebreakm;
...
riscv::PRIV_LVL_U: begin
debug_mode_d = dcsr_q.ebreaku;
...
assign priv_lvl_o =
```
(debug_mode_q && umode_i) ? riscv::PRIV_LVL_M : priv_lvl_q;**
...
```
debug_mode_q <= debug_mode_d;
... What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-1244
- Architecture and Design / Implementation For security-sensitive assets accessible over debug/test interfaces, only allow trusted agents.
- Architecture and Design Apply blinding [REF-1219] or masking techniques in strategic areas.
- Implementation Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces.
Erkennungssignale
How to detect CWE-1244
Plexicus erkennt CWE-1244 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-1244?
Wie gravierend ist CWE-1244?
Welche Sprachen oder Plattformen sind von CWE-1244 betroffen?
Wie kann ich CWE-1244 verhindern?
Wie erkennt und behebt Plexicus CWE-1244?
Wo erfahre ich mehr über CWE-1244?
Frequently asked questions
Was ist CWE-1244?
This vulnerability occurs when a system's debug or test interface supports multiple access levels, but an internal asset is incorrectly assigned a permissive debug access level. This mistake allows untrusted debug agents to access sensitive internal assets they should not be able to reach.
Wie gravierend ist CWE-1244?
MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.
Welche Sprachen oder Plattformen sind von CWE-1244 betroffen?
MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, System on Chip.
Wie kann ich CWE-1244 verhindern?
For security-sensitive assets accessible over debug/test interfaces, only allow trusted agents. Apply blinding [REF-1219] or masking techniques in strategic areas.
Wie erkennt und behebt Plexicus CWE-1244?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1244 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-1244?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1244.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-1244
CWE-863 Parent
Incorrect Authorization
This vulnerability occurs when an application checks if a user is allowed to perform an action or access data, but the check is flawed or…
CWE-551 Sibling
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
This vulnerability occurs when a web server checks access permissions before fully processing and normalizing a URL, potentially allowing…
CWE-639 Sibling
Authorization Bypass Through User-Controlled Key
This vulnerability occurs when an application's authorization system fails to verify that a user is allowed to access specific data before…
CWE-647 Sibling
Use of Non-Canonical URL Paths for Authorization Decisions
This vulnerability occurs when an application's authorization logic relies on specific URL paths but fails to enforce a single,…
CWE-804 Sibling
Guessable CAPTCHA
This vulnerability occurs when a CAPTCHA challenge is too easy for automated bots to solve, either by guessing or using pattern…
CWE-942 Sibling
Permissive Cross-domain Security Policy with Untrusted Domains
This vulnerability occurs when a web application's cross-domain security policy, like a Content Security Policy (CSP), explicitly allows…
Ressourcen
Further reading
- MITRE — offizielle CWE-1244 https://cwe.mitre.org/data/definitions/1244.html
- Multiple Vulnerabilities in Barco Clickshare: JTAG access is not permanently disabled https://labs.withsecure.com/advisories/multiple-vulnerabilities-in-barco-clickshare
- Attacks and Defenses for JTAG https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5406671
- Blindsight: Blinding EM Side-Channel Leakage using Built-In Fully Integrated Inductive Voltage Regulator https://arxiv.org/pdf/1802.09096
- csr_regile.sv line 938 https://github.com/HACK-EVENT/hackatdac19/blob/57e7b2109c1ea2451914878df2e6ca740c2dcf34/src/csr_regfile.sv#L938
- Fix for csr_regfile.sv line 938 https://github.com/HACK-EVENT/hackatdac19/blob/a7b61209e56c48eec585eeedea8413997ec71e4a/src/csr_regfile.sv#L938C31-L938C56
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.