CWE-1329: Reliance on Component That is Not Updateable
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.
Common Consequences
Scope: Confidentiality, Integrity, Access Control, Authentication, Authorization, Other
Technical Impact: Gain Privileges or Assume Identity; Bypass Protection Mechanism; Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; Quality Degradation; Reduce Maintainability
Note: If an attacker can identify an exploitable vulnerability in one product that has no means of patching, the attack may be used against all affected versions of that product.
Potential Mitigations
Phase: Requirements
Description: Specify requirements that each component should be updateable, including ROM, firmware, etc.
Phase: Architecture and Design
Description: Design the product to allow for updating of its components. Include the external infrastructure that might be necessary to support updates, such as distribution servers.
Phase: Architecture and Design; Implementation
Description: With hardware, support patches that can be programmed in-field or during manufacturing through hardware fuses. This feature can be used for limited patching of devices after shipping, or for the next batch of silicon devices manufactured, without changing the full device ROM.
Effectiveness: Moderate
Phase: Implementation
Description: Implement the necessary functionality to allow each component to be updated.
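A simplified model of the fuse-based ROM patching named in the Architecture and Design / Implementation mitigation, added here as an example and not taken from the CWE entry: ROM routines are dispatched through a patch table held in one-time-programmable slots, so a fix can be burned after shipping, but each burn is irreversible and the slot budget is finite. The function names (otp_burn_patch, rom_call, the checksum routines) and the two-slot budget are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define ROM_ENTRIES 2   /* routines fixed in mask ROM at tape-out */
#define OTP_SLOTS   2   /* fuse budget: how many in-field patches fit */
typedef int (*rom_fn)(int);

/* ROM bodies, immutable after manufacturing (constructed for this example). */
static int rom_checksum_v1(int x) { return x & 0xFF; }   /* bug: drops high byte */
static int rom_frame_len(int x)   { return x + 4; }
/* Replacement routine delivered with a field update (constructed). */
static int patch_checksum_v2(int x) { return (x ^ (x >> 8)) & 0xFF; }

/* One patch slot in one-time-programmable memory. Fuse bits only go 0 -> 1,
 * so a burned slot can never be cleared or rewritten. */
typedef struct { uint8_t valid; uint8_t rom_index; rom_fn target; } otp_slot;
static const rom_fn rom_table[ROM_ENTRIES] = { rom_checksum_v1, rom_frame_len };
static otp_slot otp[OTP_SLOTS];   /* all-zero: no fuses burned yet */

/* Burn a patch into the next free slot. Returns 0 on success, -1 if the index
 * is invalid or the fuse budget is exhausted; once exhausted, the device can
 * no longer be patched in the field and becomes a CWE-1329 case. */
int otp_burn_patch(uint8_t rom_index, rom_fn target) {
    if (rom_index >= ROM_ENTRIES || target == NULL) return -1;
    for (int i = 0; i < OTP_SLOTS; i++) {
        if (!otp[i].valid) {
            otp[i].rom_index = rom_index;
            otp[i].target = target;
            otp[i].valid = 1;   /* irreversible */
            return 0;
        }
    }
    return -1;
}

/* Remaining fuse slots: the update headroom a maintainer should track. */
int otp_free_slots(void) {
    int n = 0;
    for (int i = 0; i < OTP_SLOTS; i++) n += !otp[i].valid;
    return n;
}

/* Dispatch a ROM entry: the most recently burned slot for that index wins,
 * otherwise the original ROM body runs. */
int rom_call(uint8_t rom_index, int arg) {
    rom_fn fn = rom_table[rom_index];
    for (int i = 0; i < OTP_SLOTS; i++)
        if (otp[i].valid && otp[i].rom_index == rom_index) fn = otp[i].target;
    return fn(arg);
}
```

Real silicon typically indirects through a patch RAM or a branch table rather than function pointers, but the constraints shown here (write-once, bounded slot count) are what make this mitigation only moderately effective.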
Detection Methods
Method: Architecture or Design Review
Check the consumer or maintainer documentation, the architecture/design documentation, or the original requirements to ensure that the documentation includes details for how to update the firmware.
Effectiveness: Moderate
Observed Examples
Reference: CVE-2020-9054
Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are "end-of-support" and cannot be patched (CWE-1277). [REF-1097]
Modes of Introduction
| Phase | Note |
|---|---|
| Requirements | Requirements development might not consider the importance of updates over the lifetime of the product or might intentionally exclude this capability due to concerns such as expense or speed to market. |
| Architecture and Design | Lack of planning during architecture development and design, or external pressures such as speed to market, could ignore the capability to update. |
| Architecture and Design | Designers might omit capabilities for updating a component due to time pressures to release the product or assumptions about the stability of the component. |
| Implementation | The weakness can appear through oversight during implementation. |