CWE-1310: Missing Ability to Patch ROM Code

Base | Draft

Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.

Extended Description

A System or System-on-Chip (SoC) that implements a boot process using security mechanisms such as a Root-of-Trust (RoT) typically starts by executing code from a Read-Only Memory (ROM) component. The code in ROM is immutable, so any security vulnerabilities discovered in the ROM code can never be fixed on systems that are already in use. A common weakness is that the ROM provides no mechanism for patching its code if security vulnerabilities are uncovered after the system has shipped. This leaves the system in a vulnerable state where an adversary can compromise the SoC.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific
