CWE-1384 Class Incomplete

Improper Handling of Physical or Environmental Conditions

This weakness occurs when a hardware device fails to manage unexpected physical or environmental situations, whether they happen naturally or are deliberately caused by an attacker. These conditions…

Definition

What is CWE-1384?

This weakness occurs when a hardware device fails to manage unexpected physical or environmental situations, whether they happen naturally or are deliberately caused by an attacker. These conditions can force the hardware into an insecure state.
Hardware is designed to operate reliably within specific physical and environmental limits. When it encounters conditions outside this range—like extreme temperatures, power spikes, or electromagnetic interference—its behavior can become unpredictable and insecure. An attacker can artificially create these conditions to induce faults, such as flipping a critical bit used for authentication or bypassing a security check. Common threats include extreme temperatures, electromagnetic interference (EMI), unexpected light sources (lasers, UV), power anomalies (over/under-voltage), clock manipulation (glitching), component aging, and exposure to radiation. Since hardware often can't control its external environment, developers must design systems to either withstand these stresses or fail securely without compromising security controls.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-1384

  • CVE-2019-17391

    Lack of anti-glitch protections allows an attacker to launch a physical attack to bypass the secure boot and read protected eFuses.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    Identifiziere einen Codepfad, der nicht vertrauenswürdige Eingaben ohne Validierung verarbeitet.

  2. 2

    Erzeuge eine Payload, die das unsichere Verhalten auslöst — Injection, Traversal, Overflow oder Logik-Missbrauch.

  3. 3

    Liefere die Payload über einen normalen Request aus und beobachte die Reaktion der Anwendung.

  4. 4

    Iteriere, bis die Antwort Daten preisgibt, Angreifer-Code ausführt oder Berechtigungen eskaliert.

Verwundbares Codebeispiel

Vulnerable pseudo

MITRE hat kein Codebeispiel für diese CWE veröffentlicht. Das untenstehende Muster ist illustrativ — kanonische Referenzen findest du unter Ressourcen.

Verwundbar pseudo 
// Example pattern — see MITRE for the canonical references.
function handleRequest(input) {
  // Untrusted input flows directly into the sensitive sink.
  return executeUnsafe(input);
}
Sicheres Codebeispiel

Secure pseudo

Sicher pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-1384

  • Requirements In requirements, be specific about expectations for how the product will perform when it exceeds physical and environmental boundary conditions, e.g., by shutting down.
  • Architecture and Design / Implementation Where possible, include independent components that can detect excess environmental conditions and have the capability to shut down the product.
  • Architecture and Design / Implementation Where possible, use shielding or other materials that can increase the adversary's workload and reduce the likelihood of being able to successfully trigger a security-related failure.
Erkennungssignale

How to detect CWE-1384

SAST High

Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.

DAST Moderate

Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.

Runtime Moderate

Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.

Code review Moderate

Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.

Plexicus Auto-Fix

Plexicus erkennt CWE-1384 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-1384?

This weakness occurs when a hardware device fails to manage unexpected physical or environmental situations, whether they happen naturally or are deliberately caused by an attacker. These conditions can force the hardware into an insecure state.

Wie gravierend ist CWE-1384?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-1384 betroffen?

MITRE lists the following affected platforms: System on Chip, ICS/OT.

Wie kann ich CWE-1384 verhindern?

In requirements, be specific about expectations for how the product will perform when it exceeds physical and environmental boundary conditions, e.g., by shutting down. Where possible, include independent components that can detect excess environmental conditions and have the capability to shut down the product.

Wie erkennt und behebt Plexicus CWE-1384?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1384 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-1384?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1384.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-1384

CWE-703 Parent

Improper Check or Handling of Exceptional Conditions

This vulnerability occurs when software fails to properly plan for or manage rare but possible error scenarios, leaving it unprepared for…

CWE-228 Sibling

Improper Handling of Syntactically Invalid Structure

This vulnerability occurs when software fails to properly reject or process input that doesn't follow the expected format or structure,…

CWE-248 Sibling

Uncaught Exception

This vulnerability occurs when a function throws an error or exception, but the calling code does not have a proper handler to catch and…

CWE-391 Sibling

Unchecked Error Condition

This vulnerability occurs when a program fails to properly check or handle error conditions, such as exceptions or return codes. By…

CWE-392 Sibling

Missing Report of Error Condition

This vulnerability occurs when a system fails to properly signal that an error has happened. Instead of returning a clear error code,…

CWE-393 Sibling

Return of Wrong Status Code

This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an…

CWE-397 Sibling

Declaration of Throws for Generic Exception

This vulnerability occurs when a method is declared to throw an overly broad exception type, such as a generic 'Exception' or 'Throwable'.…

CWE-754 Sibling

Improper Check for Unusual or Exceptional Conditions

This weakness occurs when software fails to properly anticipate and handle rare or unexpected runtime situations that fall outside normal…

CWE-755 Sibling

Improper Handling of Exceptional Conditions

This vulnerability occurs when software fails to properly manage unexpected situations or errors, leaving it in an unstable or insecure…

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen