CWE-1243: Sensitive Non-Volatile Information Not Protected During Debug

BaseIncomplete

Access to security-sensitive information stored in fuses is not limited during debug.

View on MITRE
Back to CWE Lookup

Extended Description

Several security-sensitive values are programmed into fuses to be used during early-boot flows or later at runtime. Examples of these security-sensitive values include root keys, encryption keys, manufacturing-specific information, chip-manufacturer-specific information, and original-equipment-manufacturer (OEM) data. After the chip is powered on, these values are sensed from fuses and stored in temporary locations such as registers and local memories. These locations are typically access-control protected from untrusted agents capable of accessing them. Even to trusted agents, only read-access is provided. However, these locations are not blocked during debug operations, allowing a user to access this sensitive information.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1243: Sensitive Non-Volatile Information Not Protected During Debug?+

CWE-1243: Sensitive Non-Volatile Information Not Protected During Debug is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Access to security-sensitive information stored in fuses is not limited during debug. Several security-sensitive values are programmed into fuses to be used during early-boot flows or later at runtime. Examples of these security-sensitive values include root keys, encryption keys, manufacturing-specific information, chip-manufacturer-specific information, and original-equipment-manufacturer (OEM) data. After the chip is powered on, these values are sensed from fuses and stored in temporary locations such as registers and local memories. These locations are typically access-control protected from untrusted agents capable of accessing them. Even to trusted agents, only read-access is provided. However, these locations are not blocked during debug operations, allowing a user to access this sensitive information.

What are the security consequences of Sensitive Non-Volatile Information Not Protected During Debug?+

If exploited, CWE-1243 (Sensitive Non-Volatile Information Not Protected During Debug) it can compromise Confidentiality and Access Control, leading to outcomes such as Modify Memory and Bypass Protection Mechanism.

How do you prevent or mitigate Sensitive Non-Volatile Information Not Protected During Debug?+

Recommended mitigations for CWE-1243 include: Disable access to security-sensitive information stored in fuses directly and also reflected from temporary storage locations when in debug mode.

Which programming languages are affected by Sensitive Non-Volatile Information Not Protected During Debug?+

CWE-1243 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1243 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More