CWE-1247: Improper Protection Against Voltage and Clock Glitches

BaseStable

The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.

View on MITRE
Back to CWE Lookup

Extended Description

A device might support features such as secure boot which are supplemented with hardware and firmware support. This involves establishing a chain of trust, starting with an immutable root of trust by checking the signature of the next stage (culminating with the OS and runtime software) against a golden value before transferring control. The intermediate stages typically set up the system in a secure state by configuring several access control settings. Similarly, security logic for exercising a debug or testing interface may be implemented in hardware, firmware, or both. A device needs to guard against fault attacks such as voltage glitches and clock glitches that an attacker may employ in an attempt to compromise the system.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1247: Improper Protection Against Voltage and Clock Glitches?+

CWE-1247: Improper Protection Against Voltage and Clock Glitches is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device. A device might support features such as secure boot which are supplemented with hardware and firmware support. This involves establishing a chain of trust, starting with an immutable root of trust by checking the signature of the next stage (culminating with the OS and runtime software) against a golden value before transferring control. The intermediate stages typically set up the system in a secure state by configuring several access control settings. Similarly, security logic for exercising a debug or testing interface may be implemented in hardware, firmware, or both. A device needs to guard against fault attacks such as voltage glitches and clock glitches that an attacker may employ in an attempt to compromise the system.

What are the security consequences of Improper Protection Against Voltage and Clock Glitches?+

If exploited, CWE-1247 (Improper Protection Against Voltage and Clock Glitches) it can compromise Confidentiality, Integrity, Availability and Access Control, leading to outcomes such as Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Memory, Modify Memory and Execute Unauthorized Code or Commands.

How do you prevent or mitigate Improper Protection Against Voltage and Clock Glitches?+

Recommended mitigations for CWE-1247 include: At the circuit-level, using Tunable Replica Circuits (TRCs) or special flip-flops such as Razor flip-flops helps mitigate glitch attacks. Working at the SoC or platform base, level sensors may be implemented to detect glitches. Implementing redundancy in security-sensitive code (e.g., where checks are performed)also can help with mitigation of glitch attacks.

How is Improper Protection Against Voltage and Clock Glitches detected?+

CWE-1247 can be detected using Manual Analysis, Dynamic Analysis with Manual Results Interpretation and Architecture or Design Review. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Improper Protection Against Voltage and Clock Glitches?+

CWE-1247 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Protection Against Voltage and Clock Glitches?+

MITRE documents real CVEs mapped to CWE-1247, including CVE-2019-17391 and CVE-2021-33478. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1247 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More