Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1231 — Vulnerability Class 3

3 vulnerabilities classified as CWE-1231. AI Chinese analysis included.

CWE-1231 represents a critical hardware security weakness where a system fails to permanently secure a lock bit after it has been set to restrict access to sensitive registers or memory regions. This flaw allows attackers to bypass intended protections by modifying the lock bit’s value, effectively re-enabling access to previously locked resources. Exploitation typically occurs during the device configuration phase, where trusted firmware sets these bits post-reset but lacks mechanisms to prevent subsequent tampering. To mitigate this risk, developers must implement immutable locking mechanisms, such as one-time programmable fuses or hardware-enforced write-protection circuits, ensuring that once a lock bit is engaged, it cannot be altered by software or external agents. Rigorous verification of hardware security features during the design and manufacturing phases is essential to prevent unauthorized access and maintain system integrity against sophisticated hardware-level attacks.

MITRE CWE Description
The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set. In integrated circuits and hardware intellectual property (IP) cores, device configuration controls are commonly programmed after a device power reset by a trusted firmware or software module (e.g., BIOS/bootloader) and then locked from any further modification. This behavior is commonly implemented using a trusted lock bit. When set, the lock bit disables writes to a protected set of registers or address regions. Design or coding errors in the implementation of the lock bit protection feature may allow the lock bit to be modified or cleared by software after it has been set. Attackers might be able to unlock the system and features that the bit is intended to protect.
Common Consequences (1)
Access ControlModify Memory
Registers protected by lock bit can be modified even when lock is set.
Mitigations (1)
Architecture and Design, Implementation, TestingSecurity lock bit protections must be reviewed for design inconsistency and common weaknesses. Security lock programming flow and lock properties must be tested in pre-silicon and post-silicon testing.
Effectiveness: High
Examples (2)
Consider the example design below for a digital thermal sensor that detects overheating of the silicon and triggers system shutdown. The system critical temperature limit (CRITICAL_TEMP_LIMIT) and thermal sensor calibration (TEMP_SENSOR_CALIB) data have to be programmed by firmware, and then the register needs to be locked (TEMP_SENSOR_LOCK).
Register Field description CRITICAL_TEMP_LIMIT [31:8] Reserved field; Read only; Default 0 [7:0] Critical temp 0-255 Centigrade; Read-write-lock; Default 125 TEMP_SENSOR_CALIB [31:0] Thermal sensor calibration data. Slope value used to map sensor reading to degrees Centigrade. TEMP_SENSOR_LOCK [31:1] Reserved field; Read only; Default 0 [0] Lock bit, locks CRITICAL_TEMP_LIMIT and TEMP_SENSOR_CALIB registers; Write-1-once; Default 0 TEMP_HW_SHUTDOWN [31:2] Reserved field; Read only; Default 0 [1] Enable hardware shutdown on critical temperature detection; Read-write; Default 0 CURRENT_TEMP [31:
Bad · Other
To fix this weakness, one could change the TEMP_HW_SHUTDOWN field to be locked by TEMP_SENSOR_LOCK. TEMP_HW_SHUTDOWN [31:2] Reserved field; Read only; Default 0 [1] Enable hardware shutdown on critical temperature detection; Read-write-Lock; Default 0 [0] Locked by TEMP_SENSOR_LOCK
Good · Other
The following example code is a snippet from the register locks inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1350]. Register locks help prevent SoC peripherals' registers from malicious use of resources. The registers that can potentially leak secret data are locked by register locks.
always @(posedge clk_i) begin if(~(rst_ni && ~jtag_unlock && ~rst_9)) begin for (j=0; j < 6; j=j+1) begin reglk_mem[j] <= 'h0; end end ...
Bad · Verilog
always @(posedge clk_i) begin if(~(rst_ni && ~jtag_unlock)) begin for (j=0; j < 6; j=j+1) begin reglk_mem[j] <= 'h0; end end ...
Good · Verilog
CVE IDTitleCVSSSeverityPublished
CVE-2025-52536 AMD Processors 安全漏洞 — AMD EPYC™ 9004 Series Processors 4.4AIMediumAI2026-02-10
CVE-2024-36354 AMD多款产品 安全漏洞 — AMD Ryzen™ Threadripper™ 3000 Processors 7.5 High2025-09-06
CVE-2022-42285 NVIDIA DGX 安全漏洞 — NVIDIA DGX servers 6.0 Medium2023-01-13

Vulnerabilities classified as CWE-1231 represent 3 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.