CWE-1268 - Policy Privileges are not Assigned Consistently Between Control and Data Agents
CWE-1268
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Draft
- Weakness Name
Policy Privileges are not Assigned Consistently Between Control and Data Agents
- Description
The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.
Integrated circuits and hardware engines may provide access to resources (device-configuration, encryption keys, etc.) belonging to trusted firmware or software modules (commonly set by a BIOS or a bootloader). These accesses are typically controlled and limited by the hardware. Hardware design access control is sometimes implemented using a policy. A policy defines which entity or agent may or may not be allowed to perform an action. When a system implements multiple levels of policies, a control policy may allow direct access to a resource as well as changes to the policies themselves. Resources that include agents in their control policy but not in their write policy could unintentionally allow an untrusted agent to insert itself in the write policy register. Inclusion in the write policy register could allow a malicious or misbehaving agent write access to resources. This action could result in security compromises including leaked information, leaked encryption keys, or modification of device configuration.
- Common Consequences
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Modify Memory, Read Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Files or Directories, Reduce Reliability
- Related Weaknesses
- Release Date:
- 2020-02-24
- Latest Modification Date:
- 2023-06-29
Free security scan for your website