CWE-1282: Assumed-Immutable Data is Stored in Writable Memory

BaseIncomplete

Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.

View on MITRE
Back to CWE Lookup

Extended Description

Security services such as secure boot, authentication of code and data, and device attestation all require assets such as the first stage bootloader, public keys, golden hash digests, etc. which are implicitly trusted. Storing these assets in read-only memory (ROM), fuses, or one-time programmable (OTP) memory provides strong integrity guarantees and provides a root of trust for securing the rest of the system. Security is lost if assets assumed to be immutable can be modified.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1282: Assumed-Immutable Data is Stored in Writable Memory?+

CWE-1282: Assumed-Immutable Data is Stored in Writable Memory is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field. Security services such as secure boot, authentication of code and data, and device attestation all require assets such as the first stage bootloader, public keys, golden hash digests, etc. which are implicitly trusted. Storing these assets in read-only memory (ROM), fuses, or one-time programmable (OTP) memory provides strong integrity guarantees and provides a root of trust for securing the rest of the system. Security is lost if assets assumed to be immutable can be modified.

What are the security consequences of Assumed-Immutable Data is Stored in Writable Memory?+

If exploited, CWE-1282 (Assumed-Immutable Data is Stored in Writable Memory) it can compromise Integrity, leading to outcomes such as Varies by Context.

How do you prevent or mitigate Assumed-Immutable Data is Stored in Writable Memory?+

Recommended mitigations for CWE-1282 include: All immutable code or data should be programmed into ROM or write-once memory.

Which programming languages are affected by Assumed-Immutable Data is Stored in Writable Memory?+

CWE-1282 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1282 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More