2021 CWE Most Important Hardware Weaknesses

Introduction:

The list of 2021 CWE Most Important Hardware Weaknesses is published by the MITRE Corporation in collaboration with DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

The list consists of the most frequent and critical errors that can lead to major hardware vulnerabilities. It includes 12 entries, and five additional weaknesses that scored just outside the final list were also released.

These weaknesses can be found in hardware design, architecture and programming. By exploiting them, an attacker can take control of the affected system, gain unauthorized access to sensitive information and cause a denial-of-service condition.

Objective:

The list was released with the purpose of raising security awareness of common hardware weaknesses and preventing security issues at the source by guiding programmers and designers to implement these precautions in the product development lifecycle.

Cyber security professionals and test engineers can utilize the list in preparing test plans for security testing and evaluation.

Finally, managers and CIOs can use the list to measure the progress of their efforts to secure their hardware and to determine where to direct resources to develop security tools or automation processes that mitigate the vulnerabilities by removing the underlying root cause.

2021 CWE Most Important Hardware Weaknesses List:

Below is the list of weaknesses in the 2021 CWE Most Important Hardware Weaknesses, in numerical order by CWE identifier.

  1. CWE-1189 – Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
  2. CWE-1191 – On-Chip Debug and Test Interface With Improper Access Control
  3. CWE-1231 – Improper Prevention of Lock Bit Modification
  4. CWE-1233 – Security-Sensitive Hardware Controls with Missing Lock Bit Protection
  5. CWE-1240 – Use of a Cryptographic Primitive with a Risky Implementation
  6. CWE-1244 – Internal Asset Exposed to Unsafe Debug Access Level or State
  7. CWE-1256 – Improper Restriction of Software Interfaces to Hardware Features
  8. CWE-1260 – Improper Handling of Overlap Between Protected Memory Ranges
  9. CWE-1272 – Sensitive Information Uncleared Before Debug/Power State Transition
  10. CWE-1274 – Improper Access Control for Volatile Memory Containing Boot Code
  11. CWE-1277 – Firmware Not Updateable
  12. CWE-1300 – Improper Protection of Physical Side Channels

Methodology used to Determine CWE Hardware Weaknesses 2021 List: 

The “Top-N” list of hardware weaknesses was identified by the Hardware CWE Special Interest Group (SIG), a community forum in which researchers and representatives from different organizations working in hardware manufacturing, design and security share their expertise and opinions.

Out of 96 hardware entries in the CWE corpus, each SIG member selected a prioritized set of 10 weaknesses, and together they identified a total of 31 unique entries. Later, they determined that the ideal length for a published “Top-N” list should be approximately ten percent of the total hardware CWE entries.

The CWE team, collaborating with SIG members, examined the findings and applied the scoring method to them. This produced a ranked order of the 31 selected entries, from which the highest-scoring 12 and the highest-scoring 17 entries were identified. The highest 12 became the 2021 CWE Most Important Hardware Weaknesses List, and the additional 5 entries became the Hardware Weaknesses on the Cusp.

They also stated that future versions of the CWE Most Important Hardware Weaknesses would add further weaknesses, with the aim of providing the most useful list possible for the community.

Detailed Explanation of the 2021 CWE Most Important Hardware Weaknesses List:

1)  CWE-1189 – Improper Isolation of Shared Resources on System-on-a-Chip (SoC):

The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.

2) CWE-1191 – On-Chip Debug and Test Interface With Improper Access Control:

The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.

3) CWE-1231 – Improper Prevention of Lock Bit Modification: 

The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.

4) CWE-1233 – Security-Sensitive Hardware Controls with Missing Lock Bit Protection:

The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.
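
A small C model of the two lock-bit weaknesses above (CWE-1231 and CWE-1233), added here as an illustration and not taken from the CWE report. The register names, the layout and the `sticky_lock` / `lock_covers` design knobs are assumptions; the model replays one boot sequence against a design and reports whether a register can still be changed after the lock is set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register block; names are assumptions, not a real SoC. */
enum { REG_LOCK = 0, REG_TEMP_LIMIT = 1, REG_CLK_DIV = 2, REG_COUNT = 3 };
#define LOCK_BIT 0x1u

typedef struct {
    uint32_t regs[REG_COUNT];
    bool     sticky_lock;  /* false models CWE-1231: lock bit can be cleared */
    uint32_t lock_covers;  /* bitmask of registers the lock protects; a gap
                              here models CWE-1233 */
} regblock_t;

/* Bus write as the block decodes it. Returns true if the write landed. */
static bool reg_write(regblock_t *rb, int idx, uint32_t val) {
    if (idx < 0 || idx >= REG_COUNT) return false;
    bool locked = (rb->regs[REG_LOCK] & LOCK_BIT) != 0;
    if (idx == REG_LOCK) {
        /* Correct design: once set, the lock only clears on reset. */
        if (locked && rb->sticky_lock) return false;
        rb->regs[REG_LOCK] = val & LOCK_BIT;
        return true;
    }
    if (locked && (rb->lock_covers & (1u << idx))) return false;
    rb->regs[idx] = val;
    return true;
}

/* Design check: after boot firmware locks, can register idx still change? */
static bool modifiable_after_lock(bool sticky, uint32_t covers, int idx) {
    regblock_t rb = { {0}, sticky, covers };
    reg_write(&rb, idx, 100);            /* boot firmware programs the value */
    reg_write(&rb, REG_LOCK, LOCK_BIT);  /* ...and sets the lock */
    reg_write(&rb, REG_LOCK, 0);         /* later software tries to unlock */
    reg_write(&rb, idx, 999);            /* ...and to reprogram the register */
    return rb.regs[idx] != 100;
}

int main(void) {
    uint32_t all = (1u << REG_TEMP_LIMIT) | (1u << REG_CLK_DIV);
    printf("clearable lock (CWE-1231): %d\n", modifiable_after_lock(false, all, REG_TEMP_LIMIT));
    printf("uncovered reg  (CWE-1233): %d\n", modifiable_after_lock(true, 1u << REG_TEMP_LIMIT, REG_CLK_DIV));
    printf("sticky, full coverage:     %d\n", modifiable_after_lock(true, all, REG_CLK_DIV));
    return 0;
}
```

The same replay can be used as a regression check in a register-level testbench: every security-sensitive register should report "not modifiable" once the lock is set.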

5) CWE-1240 – Use of a Cryptographic Primitive with a Risky Implementation: 

To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.

6) CWE-1244 – Internal Asset Exposed to Unsafe Debug Access Level or State: 

The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.

7) CWE-1256 – Improper Restriction of Software Interfaces to Hardware Features:

The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.

8) CWE-1260 – Improper Handling of Overlap Between Protected Memory Ranges:

The product allows address regions to overlap, which can result in the bypassing of intended memory protection.
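
One way to reject the overlapping configuration described above, shown as an added C example that is not part of the CWE report. The region descriptor, the privilege encoding (higher value means more privileged owner), the policy that a request may not overlap a region owned by a more privileged agent, and the sample table are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical protection-region descriptor; the region is [base, base+size). */
typedef struct {
    uint32_t base;
    uint32_t size;        /* bytes */
    uint8_t  owner_priv;  /* assumption: higher value = more privileged */
} region_t;

/* Empty regions and regions that wrap past the 32-bit space are rejected. */
static bool region_malformed(const region_t *r) {
    return r->size == 0 || (uint64_t)r->base + r->size > 0x100000000ULL;
}

/* Half-open interval test in 64-bit arithmetic so base+size cannot wrap. */
static bool regions_overlap(const region_t *a, const region_t *b) {
    uint64_t a_end = (uint64_t)a->base + a->size;
    uint64_t b_end = (uint64_t)b->base + b->size;
    return a->base < b_end && b->base < a_end;
}

/* 0 = allowed, -1 = malformed request,
 * -2 = overlaps a region owned by a more privileged agent. */
static int region_request_check(const region_t *table, size_t n,
                                const region_t *req) {
    if (region_malformed(req)) return -1;
    for (size_t i = 0; i < n; i++)
        if (table[i].owner_priv > req->owner_priv &&
            regions_overlap(&table[i], req))
            return -2;
    return 0;
}

/* Constructed sample: one region [0x1000, 0x2000) owned at privilege 2. */
static const region_t SAMPLE_TABLE[] = { { 0x1000u, 0x1000u, 2 } };

static int check_sample(uint32_t base, uint32_t size, uint8_t priv) {
    region_t req = { base, size, priv };
    return region_request_check(SAMPLE_TABLE, 1, &req);
}

int main(void) {
    printf("inside protected: %d\n", check_sample(0x1800u, 0x100u, 1));
    printf("adjacent above:   %d\n", check_sample(0x2000u, 0x1000u, 1));
    printf("wraps 32-bit:     %d\n", check_sample(0xFFFFF000u, 0x2000u, 1));
    return 0;
}
```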

9) CWE-1272 – Sensitive Information Uncleared Before Debug/Power State Transition: 

The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.

10) CWE-1274 – Improper Access Control for Volatile Memory Containing Boot Code: 

The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.

11) CWE-1277 – Firmware Not Updateable: 

The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.

12) CWE-1300 – Improper Protection of Physical Side Channels:

The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.

Hardware Weaknesses on the Cusp: 

CWE also shared five additional hardware weaknesses that scored just outside the final list of 2021 CWE Most Important Hardware Weaknesses.

  1. CWE-226 – Sensitive Information in Resource Not Removed Before Reuse
  2. CWE-1247 – Improper Protection Against Voltage and Clock Glitches
  3. CWE-1262 – Improper Access Control for Register Interface
  4. CWE-1331 – Improper Isolation of Shared Resources in Network On Chip (NoC)
  5. CWE-1332 – Improper Handling of Faults that Lead to Instruction Skips

Here is the report published on the official CWE website: 2021 CWE Most Important Hardware Weaknesses
