CWE-1273 Base Incomplet

Device Unlock Credential Sharing

This vulnerability occurs when the secret keys or passwords required to unlock a device's hidden features are shared between multiple organizations, creating a chain of trust where sensitive access…

Définition

What is CWE-1273?

Device unlocking typically activates hidden debug or manufacturer modes, such as the ability to dump full system memory or bypass hardware protections. These powerful features are locked in production and require special credentials to access, often needed by different companies in the supply chain for testing and troubleshooting. The security risk escalates when these unlock credentials must be shared between separate entities like the chip designer, the manufacturer (foundry), and assembly testers. Each company may have vastly different security policies and levels of secrecy, turning a single secret into multiple points of potential exposure and significantly increasing the chance of a damaging credential leak.

Impact réel

Real-world CVEs caused by CWE-1273

Aucune référence CVE publique n'est liée à ce CWE dans le catalogue MITRE pour le moment.

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

1
Identifier un chemin de code qui traite des entrées non fiables sans validation.
2
Élaborer une charge utile qui exploite le comportement non sécurisé — injection, traversal, débordement ou abus de logique.
3
Délivrer la charge utile via une requête normale et observer la réaction de l'application.
4
Itérer jusqu'à ce que la réponse divulgue des données, exécute le code de l'attaquant ou élève les privilèges.

Exemple de code vulnérable

Vulnerable Other

This example shows how an attacker can take advantage of compromised credentials.

Vulnérable Other

Suppose a semiconductor chipmaker, "C", uses the foundry "F" for fabricating its chips. Now, F has many other customers in addition to C, and some of the other customers are much smaller companies. F has dedicated teams for each of its customers, but somehow it mixes up the unlock credentials and sends the unlock credentials of C to the wrong team. This other team does not take adequate precautions to protect the credentials that have nothing to do with them, and eventually the unlock credentials of C get leaked.

Exemple de code sécurisé

Secure Other

When the credentials of multiple organizations are stored together, exposure to third parties occurs frequently.

Sécurisé Other

Vertical integration of a production company is one effective method of protecting sensitive credentials. Where vertical integration is not possible, strict access control and need-to-know are methods which can be implemented to reduce these risks.

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Liste de contrôle de prévention

How to prevent CWE-1273

Integration Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific.
Manufacturing Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific.

Signaux de détection

How to detect CWE-1273

SAST High

Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.

DAST Moderate

Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.

Runtime Moderate

Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.

Code review Moderate

Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-1273 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement

Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-1273 ?

Quelle est la gravité de CWE-1273 ?

MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.

Quels langages ou plateformes sont affectés par CWE-1273 ?

MITRE lists the following affected platforms: VHDL, Verilog, Compiled, Not OS-Specific, Not Architecture-Specific, Other, Not Technology-Specific.

Comment puis-je prévenir CWE-1273 ?

Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific. Ensure the unlock credentials are shared with the minimum number of parties and with utmost secrecy. To limit the risk associated with compromised credentials, where possible, the credentials should be part-specific.

Comment Plexicus détecte et corrige CWE-1273 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-1273 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-1273 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/1273.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-1273

CWE-200 Parent

Exposure of Sensitive Information to an Unauthorized Actor

This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it.

CWE-1258 Frère

Exposure of Sensitive System Information Due to Uncleared Debug Information

This vulnerability occurs when hardware fails to erase sensitive data like cryptographic keys and intermediate values before entering…

CWE-1295 Frère

Debug Messages Revealing Unnecessary Information

The product's debug messages or logs expose excessive internal system details, potentially revealing sensitive information that could aid…

CWE-1431 Frère

Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

This vulnerability occurs when a hardware cryptographic module leaks sensitive internal data through its output channels. Instead of only…

CWE-201 Frère

Insertion of Sensitive Information Into Sent Data

This vulnerability occurs when an application sends data to an external party, but accidentally includes sensitive information—like…

CWE-203 Frère

Observable Discrepancy

This vulnerability occurs when an application responds differently to unauthorized users based on internal conditions. Attackers can…

CWE-209 Frère

Generation of Error Message Containing Sensitive Information

This vulnerability occurs when an application reveals sensitive details about its internal systems, user data, or environment within error…

CWE-213 Frère

Exposure of Sensitive Information Due to Incompatible Policies

This vulnerability occurs when a system's data handling aligns with the developer's security rules but accidentally reveals information…

CWE-215 Frère

Insertion of Sensitive Information Into Debugging Code

This vulnerability occurs when developers embed sensitive data, such as passwords or API keys, within debugging statements like logs or…

Ressources

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo