CWE-1254: Incorrect Comparison Logic Granularity
The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.
View on MITREExtended Description
Comparison logic is used to compare a variety of objects including passwords, Message Authentication Codes (MACs), and responses to verification challenges. When comparison logic is implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a comparison failure, an attacker can exploit this implementation to identify when exactly the failure occurred. With multiple attempts, the attacker may be able to guesses the correct password/response to challenge and elevate their privileges.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (3)
Smartphone OS uses comparison functions that are not in constant time, allowing side channels
View DetailsJava-oriented framework compares HMAC signatures using String.equals() instead of a constant-time algorithm, causing timing discrepancies
View DetailsPassword-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-1254: Incorrect Comparison Logic Granularity?+
CWE-1254: Incorrect Comparison Logic Granularity is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes. Comparison logic is used to compare a variety of objects including passwords, Message Authentication Codes (MACs), and responses to verification challenges. When comparison logic is implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a comparison failure, an attacker can exploit this implementation to identify when exactly the failure occurred. With multiple attempts, the attacker may be able to guesses the correct password/response to challenge and elevate their privileges.
What are the security consequences of Incorrect Comparison Logic Granularity?+
If exploited, CWE-1254 (Incorrect Comparison Logic Granularity) it can compromise Confidentiality and Authorization, leading to outcomes such as Bypass Protection Mechanism.
How do you prevent or mitigate Incorrect Comparison Logic Granularity?+
Recommended mitigations for CWE-1254 include: The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.
Which programming languages are affected by Incorrect Comparison Logic Granularity?+
CWE-1254 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Incorrect Comparison Logic Granularity?+
MITRE documents real CVEs mapped to CWE-1254, including CVE-2019-10482, CVE-2019-10071 and CVE-2014-0984. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-1254 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.