CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

BaseIncomplete

The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.

View on MITRE
Back to CWE Lookup

Extended Description

When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device?+

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect. When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.

What are the security consequences of Improper Scrubbing of Sensitive Data from Decommissioned Device?+

If exploited, CWE-1266 (Improper Scrubbing of Sensitive Data from Decommissioned Device) it can compromise Confidentiality, leading to outcomes such as Read Memory.

How do you prevent or mitigate Improper Scrubbing of Sensitive Data from Decommissioned Device?+

Recommended mitigations for CWE-1266 include: Functionality to completely scrub data from a product at the conclusion of its lifecycle should be part of the design phase. Trying to add this function on top of an existing architecture could lead to incomplete removal of sensitive information/data. The manufacturer should describe the location(s) where sensitive data is stored and the policies and procedures for its removal. This information may be conveyed, for example, in an Administrators Guide or a Statement of Volatility. If the capability to wipe sensitive data isn't built-in, the manufacturer may need to provide a utility to scrub sensitive data from storage if that data is located in a place which is non-accessible by the administrator. One example of this could be when sensitive data is stored on an EEPROM for which there is no user/admin interface provided by the system.

Which programming languages are affected by Improper Scrubbing of Sensitive Data from Decommissioned Device?+

CWE-1266 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1266 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device | CWE Lookup | InventiveHQ