CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
常见后果
影响范围: Confidentiality Integrity Availability Access Control Accountability Authentication Authorization Non-Repudiation
技术影响: Read Memory Read Application Data
说明: Sensitive information may be used to unlock additional capabilities of the device and take advantage of hidden functionalities which could be used to compromise device security.
潜在缓解措施
阶段: Architecture and Design Implementation
描述: During state transitions, information not needed in the next state should be removed before the transition to the next state.
检测方法
方法: Manual Analysis
Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. Note that this test can likely be automated.
有效性: High
观察示例
参考: CVE-2020-12926
Product software does not set a flag as per TPM specifications, thereby preventing a failed authorization attempt from being recorded after a loss of power.
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
适用平台
编程语言
操作系统
技术
关键信息
CWE ID: CWE-1272
抽象级别: Base
结构: Simple
状态: Stable