CWE-1299 — Vulnerability Class 9

9 vulnerabilities classified as CWE-1299. AI Chinese analysis included.

CWE-1299 represents a critical architectural weakness where hardware assets lack adequate security controls on secondary access paths, such as shadow registers or external debugging interfaces. This vulnerability enables attackers to circumvent primary access controls by exploiting these unprotected alternate routes to read, modify, or execute privileged operations on sensitive data. Typically, exploitation occurs when adversaries leverage physical access or compromised debug tools to interact directly with these hidden hardware mechanisms, effectively bypassing software-enforced security boundaries. To mitigate this risk, developers must implement comprehensive hardware security measures across all potential access vectors, ensuring that alternate interfaces are rigorously authenticated and encrypted. Regular hardware audits and strict adherence to secure design principles are essential to eliminate these blind spots and protect critical assets from unauthorized hardware-level intrusion.

MITRE CWE Description
The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path. An asset inside a chip might have access-control protections through one interface. However, if all paths to the asset are not protected, an attacker might compromise the asset through alternate paths. These alternate paths could be through shadow or mirror registers inside the IP core, or could be paths from other external-facing interfaces to the IP core or SoC. Consider an SoC with various interfaces such as UART, SMBUS, PCIe, USB, etc. If access control is implemented for SoC internal registers only over the PCIe interface, then an attacker could still modify the SoC internal registers through alternate paths by coming through interfaces such as UART, SMBUS, USB, etc. Alternatively, attackers might be able to bypass existing protections by exploiting unprotected, shadow registers. Shadow registers and mirror registers typically refer to registers that can be accessed from mul…
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Modify Memory, Read Memory, DoS: Resource Consumption (Other), Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Alter Execution Logic, Bypass Protection Mechanism, Quality Degradation
Mitigations (3)
Requirements: Protect assets from accesses against all potential interfaces and alternate paths.
Effectiveness: Defense in Depth
Architecture and Design: Protect assets from accesses against all potential interfaces and alternate paths.
Effectiveness: Defense in Depth
Implementation: Protect assets from accesses against all potential interfaces and alternate paths.
Effectiveness: Defense in Depth
Examples (1)
Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and allows access only to select agents, while COPY_OF_SECURE_ME is not protected. Access control is implemented using an a…

module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
  output [31:0] data_out;
  input [31:0] data_in, incoming_id, address;
  input clk, rst_n;
  wire write_auth, addr_auth;
  reg [31:0] data_out, acl_oh_allowlist, q;

  // Initiator check: incoming_id is matched against the allowlist
  assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;
  always @*
    acl_oh_allowlist = 32'h8312;

  // Address check: only SECURE_ME (0xF00) is covered
  assign addr_auth = (address == 32'hF00) ? 1: 0;

  always @ (posedge clk or negedge rst_n)
    if (!rst_n)
      begin
        q <= 32'h0;
        data_out <= 32'h0;
      end
    else
      begin
        q <= (addr_auth & write_auth) ? data_in: q;
        data_out <= q;
      end
endmodule
Informative · Verilog
assign addr_auth = (address == 32'hF00) ? 1: 0;
Bad · Verilog
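The following is an added example, not MITRE's code and not part of the original page: a hardened variant in which both SECURE_ME (0xF00) and COPY_OF_SECURE_ME (0x800F00) are gated by the same allowlist test, with a self-checking testbench that tries each path with an allowed and a denied initiator. The names secure_me_guarded and tb are hypothetical, and modelling the mirror as an alias onto a single storage register is an assumption made for illustration.

```verilog
// Added example (not MITRE's code). Hypothetical names: secure_me_guarded, tb.
// Addresses, incoming_id and the allowlist value come from the page's example.
module secure_me_guarded(data_out, data_in, incoming_id, address, clk, rst_n);
  output reg [31:0] data_out;
  input [31:0] data_in, incoming_id, address;
  input clk, rst_n;
  localparam [31:0] SECURE_ME         = 32'hF00;     // primary path
  localparam [31:0] COPY_OF_SECURE_ME = 32'h800F00;  // mirror path
  localparam [31:0] ACL_OH_ALLOWLIST  = 32'h8312;    // one-hot initiator allowlist

  // Every alias of the asset is listed in the address decode ...
  wire addr_auth  = (address == SECURE_ME) || (address == COPY_OF_SECURE_ME);
  // ... and the same identity check gates all of them.
  wire write_auth = |(incoming_id & ACL_OH_ALLOWLIST);

  always @(posedge clk or negedge rst_n)
    if (!rst_n) data_out <= 32'h0;
    else if (addr_auth && write_auth) data_out <= data_in;
endmodule

module tb;  // self-checking testbench with constructed stimulus
  reg [31:0] data_in, incoming_id, address;
  reg clk, rst_n;
  wire [31:0] data_out;
  integer errors;
  secure_me_guarded dut(data_out, data_in, incoming_id, address, clk, rst_n);
  always #5 clk = ~clk;

  task try_write(input [31:0] id, input [31:0] addr, input [31:0] val, input [31:0] want);
    begin
      @(negedge clk); incoming_id = id; address = addr; data_in = val;
      @(negedge clk);  // one rising edge has passed since the stimulus was applied
      if (data_out !== want) begin
        errors = errors + 1;
        $display("FAIL id=%h addr=%h got=%h want=%h", id, addr, data_out, want);
      end
    end
  endtask

  initial begin
    clk = 0; rst_n = 0; errors = 0; incoming_id = 0; address = 0; data_in = 0;
    #12 rst_n = 1;
    try_write(32'h0002, 32'hF00,    32'hAAAA, 32'hAAAA); // allowed ID, primary path
    try_write(32'h0004, 32'hF00,    32'hBBBB, 32'hAAAA); // denied ID, primary path
    try_write(32'h0004, 32'h800F00, 32'hCCCC, 32'hAAAA); // denied ID, mirror path
    try_write(32'h0010, 32'h800F00, 32'hDDDD, 32'hDDDD); // allowed ID, mirror path
    if (errors == 0) $display("PASS"); else $display("FAIL: %0d mismatches", errors);
    $finish;
  end
endmodule
```

The third test case is the regression check for this weakness: a design whose mirror address bypasses the allowlist would let the denied initiator change the stored value there.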
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-41697 | Shell access to UART Console — FL SWITCH 2005 | 6.8 | Medium | 2025-12-09 |
| CVE-2025-1073 | Panasonic IR Control Hub security vulnerability — IR Control Hub (IR Blaster) | 7.5 | High | 2025-04-10 |
| CVE-2025-26409 | Access to Bootloader and Shell Over Serial Interface — Wattsense Bridge | 6.8 | - | 2025-02-11 |
| CVE-2024-47944 | Missing Protection Mechanism for Alternate Hardware Interface — IoT Interface & CMC III Processing Unit | 6.8 | - | 2024-10-15 |
| CVE-2024-39723 | IBM FlashSystem denial of service — Storage Virtualize | 4.6 | Medium | 2024-07-08 |
| CVE-2023-29063 | Lack of DMA Access Protections — FACSChorus | 2.4 | Low | 2023-11-28 |
| CVE-2023-29060 | Lack of USB Whitelisting — FACSChorus | 5.4 | Medium | 2023-11-28 |
| CVE-2022-43557 | BD BodyGuard™ Pumps – RS-232 Interface Vulnerability — BodyGuard™ Pump | 5.3 | Medium | 2022-12-05 |
| CVE-2021-3788 | Binatone Motorola-branded Camera authorization issue vulnerability — Binatone Hubble Cameras | 6.8 | Medium | 2021-11-12 |

This page lists 9 CVEs classified as CWE-1299. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.