CWE-1296: Incorrect Chaining or Granularity of Debug Components

Base Incomplete Simple

CWE版本: 4.18

更新日期: 2025-09-09

弱点描述

The product's debug components contain incorrect chaining or granularity of debug components.

常见后果

影响范围: Confidentiality Integrity Access Control Authentication Authorization Availability Accountability

技术影响: Gain Privileges or Assume Identity Bypass Protection Mechanism Execute Unauthorized Code or Commands Modify Memory Modify Files or Directories

说明: Depending on the access to debug component(s) erroneously granted, an attacker could use the debug component to gain additional understanding about the system to further an attack and/or execute other commands. This could compromise any security property, including the ones listed above.

潜在缓解措施

阶段: Implementation

描述: Ensure that debug components are properly chained and their granularity is maintained at different authentication levels.

检测方法

方法: Architecture or Design Review

Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.

有效性: High

方法: Dynamic Analysis with Manual Results Interpretation

Appropriate Post-Si tests should be carried out at various authorization levels to ensure that debug components are properly chained and accessible only to users with appropriate credentials.

有效性: High

观察示例

参考: CVE-2017-18347

Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 series devices allows physically present attackers to extract the device's protected firmware via a special sequence of Serial Wire Debug (SWD) commands because there is a race condition between full initialization of the SWD interface and the setup of flash protection.

参考: CVE-2020-1791

There is an improper authorization vulnerability in several smartphones. The system has a logic-judging error, and, under certain scenarios, a successful exploit could allow the attacker to switch to third desktop after a series of operations in ADB mode. (Vulnerability ID: HWPSIRT-2019-10114).

引入模式

阶段 说明
Implementation -

适用平台

编程语言
Verilog (Undetermined) VHDL (Undetermined) Not Language-Specific (Undetermined)
操作系统
Not OS-Specific (Undetermined)
技术
Processor Hardware (Undetermined) Not Technology-Specific (Undetermined)
关键信息

CWE ID: CWE-1296

抽象级别: Base

结构: Simple

状态: Incomplete

相关弱点
ChildOf CWE-284

Improper Access Control

Pillar
相关攻击模式
CAPEC-121 CAPEC-702
返回列表