CWE-1280 Base Incomplet

Access Control Check Implemented After Asset is Accessed

This vulnerability occurs when a hardware-based security check runs after the protected resource has already been accessed, creating a dangerous timing window.

Définition

What is CWE-1280?

This vulnerability occurs when a hardware-based security check runs after the protected resource has already been accessed, creating a dangerous timing window.
In secure systems, hardware-based access control (like memory or I/O protection) must be verified before any access is granted. This flaw breaks that fundamental rule by allowing the asset to be accessed first, with the permission check happening as a separate, non-atomic step. This creates a critical race condition where an attacker can exploit the gap between access and authorization. For developers, this means the security check is effectively bypassed because the system acts first and asks for permission later. To fix this, the access control verification must be made atomic with the access operation itself, ensuring the check is an inseparable gatekeeper that always completes successfully before any data or hardware resource is exposed.
Impact réel

Real-world CVEs caused by CWE-1280

Aucune référence CVE publique n'est liée à ce CWE dans le catalogue MITRE pour le moment.

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    Assume that the module foo_bar implements a protected register. The register content is the asset. Only transactions made by user id (indicated by signal usr_id) 0x4 are allowed to modify the register contents. The signal grant_access is used to provide access.

  2. 2

    This code uses Verilog blocking assignments for data_out and grant_access. Therefore, these assignments happen sequentially (i.e., data_out is updated to new value first, and grant_access is updated the next cycle) and not in parallel. Therefore, the asset data_out is allowed to be modified even before the access control check is complete and grant_access signal is set. Since grant_access does not have a reset value, it will be meta-stable and will randomly go to either 0 or 1.

  3. 3

    Flipping the order of the assignment of data_out and grant_access should solve the problem. The correct snippet of code is shown below.

Exemple de code vulnérable

Vulnerable Verilog

Assume that the module foo_bar implements a protected register. The register content is the asset. Only transactions made by user id (indicated by signal usr_id) 0x4 are allowed to modify the register contents. The signal grant_access is used to provide access.

Vulnérable Verilog 
module foo_bar(data_out, usr_id, data_in, clk, rst_n);
 output reg [7:0] data_out;
 input wire [2:0] usr_id;
 input wire [7:0] data_in; 
 input wire clk, rst_n;
 wire grant_access;
 always @ (posedge clk or negedge rst_n)
 begin

```
   if (!rst_n)
  	 data_out = 0; 
   else 
  	 data_out = (grant_access) ? data_in : data_out;
  	 assign grant_access = (usr_id == 3'h4) ? 1'b1 : 1'b0;
 end
 endmodule
Exemple de code sécurisé

Secure Verilog

Flipping the order of the assignment of data_out and grant_access should solve the problem. The correct snippet of code is shown below.

Sécurisé Verilog 
always @ (posedge clk or negedge rst_n)
 begin

```
   if (!rst_n)
  	 data_out = 0;
   else
  	 assign grant_access = (usr_id == 3'h4) ? 1'b1 : 1'b0;
  	 data_out = (grant_access) ? data_in : data_out;
 end
 endmodule
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-1280

  • Implementation Implement the access control check first. Access should only be given to asset if agent is authorized.
Signaux de détection

How to detect CWE-1280

SAST High

Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.

DAST Moderate

Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.

Runtime Moderate

Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.

Code review Moderate

Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-1280 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-1280 ?

This vulnerability occurs when a hardware-based security check runs after the protected resource has already been accessed, creating a dangerous timing window.

Quelle est la gravité de CWE-1280 ?

MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.

Quels langages ou plateformes sont affectés par CWE-1280 ?

MITRE lists the following affected platforms: Verilog, VHDL, Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.

Comment puis-je prévenir CWE-1280 ?

Implement the access control check first. Access should only be given to asset if agent is authorized.

Comment Plexicus détecte et corrige CWE-1280 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-1280 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-1280 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/1280.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-1280

CWE-696 Parent

Incorrect Behavior Order

This weakness occurs when a system executes multiple dependent actions in the wrong sequence, leading to unexpected and potentially…

CWE-1190 Frère

DMA Device Enabled Too Early in Boot Phase

This vulnerability occurs when a device with Direct Memory Access (DMA) capability is activated before the system's security settings are…

CWE-1193 Frère

Power-On of Untrusted Execution Core Before Enabling Fabric Access Control

This vulnerability occurs when a system powers up hardware components containing untrusted firmware before establishing critical security…

CWE-1279 Frère

Cryptographic Operations are run Before Supporting Units are Ready

This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to…

CWE-179 Frère

Incorrect Behavior Order: Early Validation

This vulnerability occurs when an application validates user input before applying security filters or data normalization. Attackers can…

CWE-408 Frère

Incorrect Behavior Order: Early Amplification

This vulnerability occurs when a system allows a user to trigger a resource-intensive operation before verifying their identity or…

CWE-551 Frère

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

This vulnerability occurs when a web server checks access permissions before fully processing and normalizing a URL, potentially allowing…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo