{"@ID": "1299", "@Name": "Missing Protection Mechanism for Alternate Hardware Interface", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The lack of protections on alternate paths to access\n                control-protected assets (such as unprotected shadow registers\n                and other external facing unguarded interfaces) allows an\n                attacker to bypass existing protections to the asset that are\n\t\tonly performed against the primary path.", "Extended_Description": {"xhtml:p": ["An asset inside a chip might have access-control\n                    protections through one interface. However, if all paths to\n                    the asset are not protected, an attacker might compromise\n                    the asset through alternate paths. These alternate paths\n                    could be through shadow or mirror registers inside the IP\n                    core, or could be paths from other external-facing\n                    interfaces to the IP core or SoC.", "Consider an SoC with various interfaces such as UART,\n                    SMBUS, PCIe, USB, etc. If access control is implemented for\n                    SoC internal registers only over the PCIe interface, then\n                    an attacker could still modify the SoC internal registers\n                    through alternate paths by coming through interfaces such\n                    as UART, SMBUS, USB, etc.", "Alternatively, attackers might be able to bypass\n                    existing protections by exploiting unprotected, shadow\n                    registers. Shadow registers and mirror registers typically\n                    refer to registers that can be accessed from multiple\n                    addresses. Writing to or reading from the aliased/mirrored\n                    address has the same effect as writing to the address of\n                    the main register. They are typically implemented within an\n                    IP core or SoC to temporarily hold certain data. These data\n                    will later be updated to the main register, and both\n                    registers will be in synch. If the shadow registers are not\n                    access-protected, attackers could simply initiate\n                    transactions to the shadow registers and compromise system\n                    security."]}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "PeerOf", "@CWE_ID": "1191", "@View_ID": "1194", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "420", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "288", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Name": "Microcontroller Hardware", "@Prevalence": "Undetermined"}, {"@Name": "Processor Hardware", "@Prevalence": "Undetermined"}, {"@Name": "Bus/Interface Hardware", "@Prevalence": "Undetermined"}, {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity", "Availability", "Access Control"], "Impact": ["Modify Memory", "Read Memory", "DoS: Resource Consumption (Other)", "Execute Unauthorized Code or Commands", "Gain Privileges or Assume Identity", "Alter Execution Logic", "Bypass Protection Mechanism", "Quality Degradation"], "Likelihood": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Requirements", "Description": "Protect assets from accesses against all potential interfaces and alternate paths.", "Effectiveness": "Defense in Depth"}, {"Phase": "Architecture and Design", "Description": "Protect assets from accesses against all potential interfaces and alternate paths.", "Effectiveness": "Defense in Depth"}, {"Phase": "Implementation", "Description": "Protect assets from accesses against all potential interfaces and alternate paths.", "Effectiveness": "Defense in Depth"}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-176", "Intro_Text": {"xhtml:p": ["Register SECURE_ME is located at address 0xF00. A\n                            mirror of this register called COPY_OF_SECURE_ME is\n                            at location 0x800F00. The register SECURE_ME is\n                            protected from malicious agents and only allows\n                            access to select, while COPY_OF_SECURE_ME is not.", "Access control is implemented using an allowlist (as\n                            indicated by acl_oh_allowlist). The identity of the\n                            initiator of the transaction is indicated by the\n                            one hot input, incoming_id. This is checked against\n                            the acl_oh_allowlist (which contains a list of\n                            initiators that are allowed to access the asset).", "Though this example is shown in Verilog, it will\n                            apply to VHDL as well."]}, "Example_Code": [{"@Nature": "Informative", "@Language": "Verilog", "xhtml:br": [null, null, null, null, null, null, null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "acl_oh_allowlist <= 32'h8312;"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "q <= 32'h0;\n                                    data_out <= 32'h0;"}, "#text": "begin\n                                \n                                end"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "q <= (addr_auth & write_auth) ? data_in: q;\n                                    data_out <= q;"}, "#text": "begin\n                                \n                                end"}], "#text": "if (!rst_n)\n                            \n                            else\n                            \n                            end"}], "#text": "module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);\n                        output [31:0] data_out;\n                        input [31:0] data_in, incoming_id, address;\n                        input clk, rst_n;\n                        wire write_auth, addr_auth;\n                        reg [31:0] data_out, acl_oh_allowlist, q;\n                        assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0; \n                        always @*\n                        \n                        assign addr_auth = (address == 32'hF00) ? 1: 0;\n                        always @ (posedge clk or negedge rst_n)\n                        \n                        endmodule"}, {"@Nature": "Bad", "@Language": "Verilog", "#text": "assign addr_auth = (address == 32'hF00) ? 1: 0;"}, {"@Nature": "Good", "@Language": "Verilog", "#text": "assign addr_auth = (address == 32'hF00 || address == 32'h800F00) ? 1: 0;"}], "Body_Text": "The bugged line of code is repeated in the Bad\n                        example above. The weakness arises from the fact that the\n                        SECURE_ME register can be modified by writing to the\n                        shadow register COPY_OF_SECURE_ME. The address of\n                        COPY_OF_SECURE_ME should also be included in the check.\n                        That buggy line of code should instead be replaced as\n                        shown in the Good Code Snippet below."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2022-38399", "Description": "Missing protection mechanism on serial connection allows for arbitrary OS command execution.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-38399"}, {"Reference": "CVE-2020-9285", "Description": "Mini-PCI Express slot does not restrict direct memory access.", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-9285"}, {"Reference": "CVE-2020-8004", "Description": "When the internal flash is protected by blocking access on the Data Bus (DBUS), it can still be indirectly accessed through the Instruction Bus (IBUS).", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-8004"}, {"Reference": "CVE-2017-18293", "Description": "When GPIO is protected by blocking access\n                        to corresponding GPIO resource registers,\n                        protection can be bypassed by writing to the\n                        corresponding banked GPIO registers instead.", "Link": "https://www.cve.org/CVERecord?id=CVE-2017-18293"}, {"Reference": "CVE-2020-15483", "Description": "monitor device allows access to physical UART debug port without authentication", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-15483"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "457"}, {"@CAPEC_ID": "554"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi", "Submission_Organization": "Intel Corporation", "Submission_Date": "2019-10-02", "Submission_Version": "4.2", "Submission_ReleaseDate": "2020-08-20"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Observed_Examples, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-06-28", "Modification_Version": "4.8", "Modification_ReleaseDate": "2022-06-28", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}]}}
