Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1323 — Vulnerability Class 2

2 vulnerabilities classified as CWE-1323. AI Chinese analysis included.

CWE-1323 represents a critical weakness where sensitive trace data from System-on-Chip (SoC) components is stored in unprotected locations or transmitted to untrusted agents. This vulnerability arises because trace data, collected to verify complex SoC designs, often contains proprietary architectural details or operational secrets. Attackers typically exploit this by intercepting the data during transport or accessing the insecure storage, thereby gaining unauthorized insight into the system’s internal logic and potential security flaws. To mitigate this risk, developers must implement robust encryption for data in transit and enforce strict access controls for data at rest. Additionally, integrating hardware-based security features that isolate trace data from general-purpose memory and ensuring that only authorized, trusted agents can access these streams are essential practices for preventing information leakage and maintaining the integrity of the SoC design.

MITRE CWE Description
Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents. To facilitate verification of complex System-on-Chip (SoC) designs, SoC integrators add specific IP blocks that trace the SoC's internal signals in real-time. This infrastructure enables observability of the SoC's internal behavior, validation of its functional design, and detection of hardware and software bugs. Such tracing IP blocks collect traces from several sources on the SoC including the CPU, crypto coprocessors, and on-chip fabrics. Traces collected from these sources are then aggregated inside trace IP block and forwarded to trace sinks, such as debug-trace ports that facilitate debugging by external hardware and software debuggers. Since these traces are collected from several security-sensitive sources, they must be protected against untrusted debuggers. If they are stored in unprotected memory, an untrusted software debugger can access these traces and extract secret information. Additionally, if security-sensitive traces are not tagged as secure, an untruste…
Common Consequences (1)
ConfidentialityRead Memory
An adversary can read secret values if they are captured in debug traces and stored unsafely.
Mitigations (1)
ImplementationTag traces to indicate owner and debugging privilege level (designer, OEM, or end user) needed to access that trace.
Examples (1)
In a SoC, traces generated from sources include security-sensitive IP blocks such as CPU (with tracing information such as instructions executed and memory operands), on-chip fabric (e.g., memory-transfer signals, transaction type and destination, and on-chip-firewall-error signa…
The traces do
                        not have any privilege level attached to them. All
                        collected traces can be viewed by any debugger (i.e., SoC
                        designer, OEM debugger, or end user).
Bad · Other
Some of the
                        traces are SoC-design-house secrets, while some are OEM
                        secrets. Few are end-user secrets and the rest are
                        not security-sensitive. Tag all traces with the
                        appropriate, privilege level at the source. The bits
                        indicating the privilege level must be immutable in
                        their transit from trace source to the final, trace
                        sink. Debugger privilege level must be checked before
                        providing access to traces.
Good · Other
CVE IDTitleCVSSSeverityPublished
CVE-2024-54173 IBM MQ information disclosure — MQ 4.7 Medium2025-02-28
CVE-2024-49338 IBM App Connect Enterprise information disclosure — App Connect Enterprise 4.4 Medium2025-01-18

Vulnerabilities classified as CWE-1323 represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.