CWE-1357: Reliance on Insufficiently Trustworthy Component
CWE Version: 4.18
Last updated: 2025-09-09
Weakness Description
The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.
Common Consequences
Scope: Other
Technical Impact: Reduce Maintainability
Potential Mitigations
Phase: Requirements; Architecture and Design; Implementation
Description: For each component, ensure that its supply chain is well-controlled, with sub-tier suppliers following best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors.
Phase: Architecture and Design; Implementation; Integration; Manufacturing
Description: Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phase: Operation; Patching and Maintenance
Description: Continue to monitor changes in each of the product's components, especially changes that indicate new vulnerabilities, end-of-life (EOL) plans, or supplier practices that affect trustworthiness.
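The two mitigations above (keep an SBOM; keep watching the components in it) are only useful together, so the following added example shows one concrete shape they can take. It is not code from CWE or from any vendor: it constructs a small CycloneDX-style SBOM inline for a fictional NAS firmware image, walks the dependency hierarchy the SBOM records, and then checks every component against an equally constructed advisory feed and end-of-life table. The component names, the supplier names and the advisory id ADV-EXAMPLE-0001 are fictional, and the version-spec syntax (`<`, `<=`, `==`) is a deliberately minimal stand-in for whatever range format a real feed uses.

```python
"""Keep and act on a Software Bill of Materials for a multi-component product.

Added example for the SBOM and component-monitoring mitigations of CWE-1357.
Not code from CWE or any vendor: the SBOM, advisory feed and EOL table below
are constructed inline; component names and ADV-EXAMPLE-0001 are fictional.
"""
import json
from datetime import date

# Constructed SBOM in the CycloneDX 1.5 JSON layout for a fictional NAS firmware image.
# The "dependencies" array carries the hierarchical relationships that a flat
# package list lacks: it is what lets us say *how* a component reaches the product.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "firmware", "bom-ref": "root",
                      "name": "nas-firmware", "version": "4.2.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/acme-httpd@1.8.2",
         "name": "acme-httpd", "version": "1.8.2", "supplier": {"name": "Acme Ltd"}},
        {"type": "library", "bom-ref": "pkg:generic/libparse-legacy@0.9.1",
         "name": "libparse-legacy", "version": "0.9.1"},         # no supplier recorded
        {"type": "library", "bom-ref": "pkg:generic/tinycrypt-fork@2.0.0",
         "name": "tinycrypt-fork", "version": "2.0.0"},          # no supplier recorded
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["pkg:generic/acme-httpd@1.8.2",
                                      "pkg:generic/tinycrypt-fork@2.0.0"]},
        {"ref": "pkg:generic/acme-httpd@1.8.2",
         "dependsOn": ["pkg:generic/libparse-legacy@0.9.1"]},
    ],
})

# Constructed advisory feed: component name -> [(affected-version spec, advisory id)].
ADVISORIES = {"libparse-legacy": [("<1.0.0", "ADV-EXAMPLE-0001")]}

# Constructed end-of-life table: component name -> last date the supplier ships fixes.
EOL_DATES = {"libparse-legacy": "2024-12-31", "acme-httpd": "2027-06-30"}


def parse_version(text):
    """Turn '1.8.2' into (1, 8, 2); non-numeric parts raise so comparisons stay unambiguous."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, spec):
    """Evaluate a minimal spec: '<X', '<=X' or '==X' (constructed syntax for this example)."""
    for op in ("<=", "==", "<"):            # two-character operators must be tried first
        if spec.startswith(op):
            v, bound = parse_version(version), parse_version(spec[len(op):])
            return {"<": v < bound, "<=": v <= bound, "==": v == bound}[op]
    raise ValueError(f"unsupported version spec: {spec}")


def load_sbom(sbom_json):
    """Parse the SBOM and reject anything that is not a CycloneDX document."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def dependency_paths(sbom):
    """Map each bom-ref to the chain of refs from the product root down to it."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, stack = {}, [(root, [root])]
    while stack:
        ref, path = stack.pop()
        for child in edges.get(ref, []):
            if child in path or child in paths:   # skip cycles and already-visited refs
                continue
            paths[child] = path + [child]
            stack.append((child, paths[child]))
    return paths


def evaluate(sbom, advisories, eol_dates, today):
    """Return sorted (name, issue, detail) findings: known-vulnerable version,
    component past end-of-life, or no identified supplier to hold to requirements."""
    today = date.fromisoformat(today)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        for spec, advisory_id in advisories.get(name, []):
            if version_in_range(version, spec):
                findings.append((name, "vulnerable", advisory_id))
        eol = eol_dates.get(name)
        if eol is not None and today > date.fromisoformat(eol):
            findings.append((name, "end-of-life", eol))
        if "supplier" not in comp:
            findings.append((name, "unknown-supplier", ""))
    return sorted(findings)


if __name__ == "__main__":
    bom = load_sbom(SBOM_JSON)
    paths = dependency_paths(bom)
    for name, issue, detail in evaluate(bom, ADVISORIES, EOL_DATES, "2025-09-09"):
        ref = next(c["bom-ref"] for c in bom["components"] if c["name"] == name)
        print(f"{issue:17} {name:16} {detail:17} via {' -> '.join(paths[ref])}")
```

Run against the constructed data with a review date of 2025-09-09, the report flags libparse-legacy three times (a version covered by ADV-EXAMPLE-0001, an EOL date already passed, and no supplier on record) and tinycrypt-fork once for having no supplier, while acme-httpd is clean. The dependency path shows that libparse-legacy only enters the product through acme-httpd, which is the information needed to decide whether the fix is to update acme-httpd, replace it, or accept the risk. In a real deployment the advisory and EOL tables would be refreshed from the supplier and vulnerability feeds, and the check would run on every build and on a schedule, which is what the Operation phase mitigation asks for.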
Observed Examples
Reference: CVE-2020-9054
Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are "end-of-support" and cannot be patched (CWE-1277). [REF-1097]
Modes of Introduction
| Phase | Note |
|---|---|
| Requirements | Requirements might include criteria for which the only available solutions are provided by insufficiently trusted components. |
| Architecture and Design | An insufficiently trusted component might be selected because it is less expensive than building the equivalent in-house, requires expertise that is not available in-house, or might allow the product to reach the market faster. |
Applicable Platforms
Technology
Taxonomy Mappings
| Mapped Taxonomy Name | Mapped Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| ISA/IEC 62443 | Part 2-4 | Req SP.03.02 RE(1) | - |
| ISA/IEC 62443 | Part 2-4 | Req SP.03.02 RE(2) | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 1.13 | - |
| ISA/IEC 62443 | Part 4-2 | Req EDR 3.12 | - |
| ISA/IEC 62443 | Part 4-2 | Req HDR 3.12 | - |
| ISA/IEC 62443 | Part 4-2 | Req NDR 3.12 | - |
| ISA/IEC 62443 | Part 4-2 | Req EDR 3.13 | - |
| ISA/IEC 62443 | Part 4-2 | Req HDR 3.13 | - |
| ISA/IEC 62443 | Part 4-2 | Req NDR 3.13 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR-7.8 | - |
| ISA/IEC 62443 | Part 4-1 | Req SM-6 | - |
| ISA/IEC 62443 | Part 4-1 | Req SM-9 | - |
| ISA/IEC 62443 | Part 4-1 | Req SM-10 | - |