Base · Incomplete

CWE-1297: Unprotected Confidential Information on Device is Accessible by OSAT Vendors

Category: other

Description

The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.

Common consequences · 1

  • Confidentiality / Integrity / Access Control / Authentication / Authorization / Availability / Accountability / Non-Repudiation — Gain Privileges or Assume Identity, Bypass Protection Mechanism, Execute Unauthorized Code or Commands, Modify Memory, Modify Files or Directories
    The impact depends on the confidential information itself and who is inadvertently granted access. For example, if the confidential information is a key that can unlock all the parts of a generation, the impact could be severe.

Potential mitigations · 1

  • [Architecture and Design]

Related CAPEC attack patterns · 2

CAPEC-1, CAPEC-180

References

  1. https://cwe.mitre.org/data/definitions/1297.html

Exploits (incoming) · 2

Type | Target | Confidence | Tier
AttackPattern | Exploiting Incorrectly Configured Access Control Security Levels (capec-180) | 100% | live
AttackPattern | Accessing Functionality Not Properly Constrained by ACLs (capec-1) | 100% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Improper Access Control for Volatile Memory Containing Boot Code
  • CWE: Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
  • CWE: Improper Restriction of Software Interfaces to Hardware Features
  • CWE: On-Chip Debug and Test Interface With Improper Access Control
  • CWE: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
  • CWE: Improper Access Control for Register Interface

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.