CWE-1191 Base Estável

On-Chip Debug and Test Interface With Improper Access Control

This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify…

Definição

What is CWE-1191?

This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify sensitive internal registers and bypass the chip's built-in security protections.
Chips often include a debug interface, such as JTAG, which creates a serial scan chain to access internal registers for testing and debugging. Since this interface can expose almost all data on the device, manufacturers must implement strong authentication and authorization. If these controls are missing or flawed, attackers can use the exposed interface to circumvent on-chip security measures and extract sensitive information. Sometimes, designers hide debug pins within the board layers to compensate for the lack of proper chip-level authorization. This is a physical security workaround, not a fix. If an attacker physically accesses these hidden pins, the chip's internals become completely exposed. Managing hardware-level vulnerabilities like this across a complex software supply chain is challenging; an ASPM platform like Plexicus can help correlate these underlying hardware risks with your application's security posture, providing a unified view for remediation.
Impacto no mundo real

Real-world CVEs caused by CWE-1191

  • CVE-2019-18827

    chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys

Como os atacantes a exploram

Trajeto do atacante passo a passo

  1. 1

    A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.

  2. 2

    JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product.

  3. 3

    The following example code is a snippet from the JTAG wrapper module in the RISC-V debug module of the HACK@DAC'21 Openpiton SoC [REF-1355]. To make sure that the JTAG is accessed securely, the developers have included a primary authentication mechanism based on a password.

  4. 4

    The developers employed a Finite State Machine (FSM) to implement this authentication. When a user intends to read from or write to the JTAG module, they must input a password.

  5. 5

    In the subsequent state of the FSM module, the entered password undergoes Hash-based Message Authentication Code (HMAC) calculation using an internal HMAC submodule. Once the HMAC for the entered password is computed by the HMAC submodule, the FSM transitions to the next state, where it compares the computed HMAC with the expected HMAC for the password.

Exemplo de código vulnerável

Vulnerable Other

A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.

Vulnerável Other 
If the JTAG interface on this device is not hidden by the manufacturer, the interface may be identified using tools such as JTAGulator. If it is hidden but not disabled, it can be exposed by physically wiring to the board.


By issuing a "halt" command before the OS starts, the unauthorized user pauses the watchdog timer and prevents the router from restarting (once the watchdog timer would have expired). Having paused the router, an unauthorized user is able to execute code and inspect and modify data in the device, even extracting all of the router's firmware. This allows the user to examine the router and potentially exploit it.
Exemplo de código seguro

Secure Other

JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product.

Seguro Other 
In order to prevent exposing the debugging interface, manufacturers might try to obfuscate the JTAG interface or blow device internal fuses to disable the JTAG interface. Adding authentication and authorization to this interface makes use by unauthorized individuals much more difficult.
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção

How to prevent CWE-1191

  • Architecture and Design If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.
Sinais de deteção

How to detect CWE-1191

Dynamic Analysis with Manual Results Interpretation

Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. Withholding of private register documentation from the debug and test interface public specification ("Security by obscurity") should not be considered as sufficient security.

Dynamic Analysis with Manual Results Interpretation

Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.

Fuzzing Moderate

Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.

Correção automática do Plexicus

O Plexicus deteta automaticamente o CWE-1191 e abre um PR de correção em menos de 60 segundos.

O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.

Obter uma demonstração Experimente o Plexicus gratuitamente
Perguntas frequentes

Frequently asked questions

O que é o CWE-1191?

This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify sensitive internal registers and bypass the chip's built-in security protections.

Qual a gravidade do CWE-1191?

A MITRE não publicou uma classificação de probabilidade de exploração para esta fraqueza. Trate-a como impacto médio até o seu modelo de ameaças provar o contrário.

Que linguagens ou plataformas são afetadas pelo CWE-1191?

MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.

Como posso prevenir o CWE-1191?

If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.

Como é que o Plexicus deteta e corrige o CWE-1191?

O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-1191 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.

Onde posso saber mais sobre o CWE-1191?

A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/1191.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.

Fraquezas relacionadas

Weaknesses related to CWE-1191

CWE-284 Pai

Improper Access Control

The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it.

CWE-1220 Irmão

Insufficient Granularity of Access Control

This vulnerability occurs when a system's access controls are too broad, allowing unauthorized users or processes to read or modify…

CWE-1224 Irmão

Improper Restriction of Write-Once Bit Fields

This vulnerability occurs when hardware write-once protection mechanisms, often called 'sticky bits,' are incorrectly implemented,…

CWE-1231 Irmão

Improper Prevention of Lock Bit Modification

This vulnerability occurs when hardware or firmware uses a lock bit to protect critical system registers or memory regions, but fails to…

CWE-1233 Irmão

Security-Sensitive Hardware Controls with Missing Lock Bit Protection

This vulnerability occurs when a hardware device uses a lock bit to protect critical configuration registers, but the lock fails to…

CWE-1252 Irmão

CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

This vulnerability occurs when a CPU's hardware is not set up to enforce a strict separation between writing data to memory and executing…

CWE-1257 Irmão

Improper Access Control Applied to Mirrored or Aliased Memory Regions

This vulnerability occurs when a hardware design maps the same physical memory to multiple addresses (aliasing or mirroring) but fails to…

CWE-1259 Irmão

Improper Restriction of Security Token Assignment

This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly secure its Security Token mechanism. These tokens control which…

CWE-1260 Irmão

Improper Handling of Overlap Between Protected Memory Ranges

This vulnerability occurs when a system incorrectly allows different memory protection ranges to overlap. This flaw can let attackers…

Recursos

Further reading

Pronto quando você estiver

Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.

O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.

Começar grátis Reservar uma demo