CWE-1191: On-Chip Debug and Test Interface With Improper Access Control

BaseStable

The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.

View on MITRE
Back to CWE Lookup

Extended Description

A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present. If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface. Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1191: On-Chip Debug and Test Interface With Improper Access Control?+

CWE-1191: On-Chip Debug and Test Interface With Improper Access Control is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface. A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present. If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface. Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker.

What are the security consequences of On-Chip Debug and Test Interface With Improper Access Control?+

If exploited, CWE-1191 (On-Chip Debug and Test Interface With Improper Access Control) it can compromise Confidentiality, Authorization, Integrity and Access Control, leading to outcomes such as Read Application Data, Read Memory, Execute Unauthorized Code or Commands, Modify Memory, Modify Application Data and Bypass Protection Mechanism.

How do you prevent or mitigate On-Chip Debug and Test Interface With Improper Access Control?+

Recommended mitigations for CWE-1191 include: If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.

How is On-Chip Debug and Test Interface With Improper Access Control detected?+

CWE-1191 can be detected using Dynamic Analysis with Manual Results Interpretation and Fuzzing. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by On-Chip Debug and Test Interface With Improper Access Control?+

CWE-1191 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of On-Chip Debug and Test Interface With Improper Access Control?+

MITRE documents real CVEs mapped to CWE-1191, including CVE-2019-18827. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1191 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More