CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution

BaseIncomplete

A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.

View on MITRE
Back to CWE Lookup

Extended Description

Many commodity processors have Instruction Set Architecture (ISA) features that protect software components from one another. These features can include memory segmentation, virtual memory, privilege rings, trusted execution environments, and virtual machines, among others. For example, virtual memory provides each process with its own address space, which prevents processes from accessing each other's private data. Many of these features can be used to form hardware-enforced security boundaries between software components. Many commodity processors also share microarchitectural resources that cache (temporarily store) data, which may be confidential. These resources may be shared across processor contexts, including across SMT threads, privilege rings, or others. When transient operations allow access to ISA-protected data in a shared microarchitectural resource, this might violate users' expectations of the ISA feature that is bypassed. For example, if transient operations can access a victim's private data in a shared microarchitectural resource, then the operations' microarchitectural side effects may correspond to the accessed data. If an attacker can trigger these transient operations and observe their side effects through a covert channel [REF-1400], then the attacker may be able to infer the victim's private data. Private data could include sensitive program data, OS/VMM data, page table data (such as memory addresses), system configuration data (see Demonstrative Example 3), or any other data that the attacker does not have the required privileges to access.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution?+

CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel. Many commodity processors have Instruction Set Architecture (ISA) features that protect software components from one another. These features can include memory segmentation, virtual memory, privilege rings, trusted execution environments, and virtual machines, among others. For example, virtual memory provides each process with its own address space, which prevents processes from accessing each other's private data. Many of these features can be used to form hardware-enforced security boundaries between software components. Many commodity processors also share microarchitectural resources that cache (temporarily store) data, which may be confidential. These resources may be shared across processor contexts, including across SMT threads, privilege rings, or others. When transient operations allow access to ISA-protected data in a shared microarchitectural resource, this might violate users' expectations of the ISA feature that is bypassed. For example, if transient operations can access a victim's private data in a shared microarchitectural resource, then the operations' microarchitectural side effects may correspond to the accessed data. If an attacker can trigger these transient operations and observe their side effects through a covert channel [REF-1400], then the attacker may be able to infer the victim's private data. Private data could include sensitive program data, OS/VMM data, page table data (such as memory addresses), system configuration data (see Demonstrative Example 3), or any other data that the attacker does not have the required privileges to access.

What are the security consequences of Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution?+

If exploited, CWE-1421 (Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution) it can compromise Confidentiality, leading to outcomes such as Read Memory.

How do you prevent or mitigate Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution?+

Recommended mitigations for CWE-1421 include: Hardware designers may choose to engineer the processor's pipeline to prevent architecturally restricted data from being used by operations that can execute transiently. Hardware designers may choose not to share microarchitectural resources that can contain sensitive data, such as fill buffers and store buffers. The hardware designer can attempt to prevent transient execution from causing observable discrepancies in specific covert channels.

How is Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution detected?+

CWE-1421 can be detected using Automated Analysis. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution?+

CWE-1421 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution?+

MITRE documents real CVEs mapped to CWE-1421, including CVE-2017-5715, CVE-2018-3615 and CVE-2019-1135. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1421 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More