目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CWE-1332 类漏洞列表 2

CWE-1332 类弱点 2 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-1332属于硬件安全漏洞,指设备缺乏检测或缓解关键CPU指令跳过的机制。在电压波动或温度异常等环境变化下,攻击者可利用此缺陷诱导处理器跳过安全指令,从而绕过访问控制或完整性校验。开发者应通过增强硬件容错设计、增加指令校验逻辑及优化电源管理电路,确保关键指令在异常条件下不被跳过,以维持系统安全。

MITRE CWE 官方描述
CWE:CWE-1332 未能正确处理导致指令跳过的故障 该设备缺失或错误地实现了用于检测和缓解安全关键型 CPU 指令在发生时被跳过的电路或传感器。 硬件的操作条件可能会以引发意外行为的方式发生变化,包括安全关键型 CPU 指令的跳过。通常,这可能是由于电气干扰或设备在其预期条件之外运行所致。在实践中,应用程序代码可能包含对安全敏感的分支(例如,接受或拒绝用户提供的密码)。这些条件分支通常在程序二进制文件中由单个条件分支指令实现,如果该指令被跳过,可能会导致分支条件被有效翻转——即导致执行了错误的、对安全敏感的分支。这会影响固件认证、密码验证以及其他安全敏感决策点等过程。攻击者可以利用故障注入技术来改变硬件的操作条件,从而使安全关键型指令比在“自然”环境下更频繁或更可靠地被跳过。
常见影响 (1)
Confidentiality, Integrity, AuthenticationBypass Protection Mechanism, Alter Execution Logic, Unexpected State
Depending on the context, instruction skipping can have a broad range of consequences related to the generic bypassing of security critical code.
缓解措施 (5)
Architecture and DesignDesign strategies for ensuring safe failure if inputs, such as Vcc, are modified out of acceptable ranges.
Architecture and DesignDesign strategies for ensuring safe behavior if instructions attempt to be skipped.
Architecture and DesignIdentify mission critical secrets that should be wiped if faulting is detected, and design a mechanism to do the deletion.
ImplementationAdd redundancy by performing an operation multiple times, either in space or time, and perform majority voting. Additionally, make conditional instruction timing unpredictable.
ImplementationUse redundant operations or canaries to detect and respond to faults.
代码示例 (1)
A smart card contains authentication credentials that are used as authorization to enter a building. The credentials are only accessible when a correct PIN is presented to the card.
The card emits the credentials when a voltage anomaly is injected into the power line to the device at a particular time after providing an incorrect PIN to the card, causing the internal program to accept the incorrect PIN.
Bad · Other
add an internal filter or internal power supply in series with the power supply pin on the device add sensing circuitry to reset the device if out of tolerance conditions are detected add additional execution sensing circuits to monitor the execution order for anomalies and abort the action or reset the device under fault conditions
Good · Other
CVE ID标题CVSS风险等级Published
CVE-2024-20060 MediaTek 芯片 安全漏洞 — MT6580, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT6989, MT8188, MT8370, MT8390 6.7AIMediumAI2024-05-06
CVE-2024-20059 MediaTek 芯片 安全漏洞 — MT6580, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT6989, MT8188, MT8370, MT8390 6.7AIMediumAI2024-05-06

CWE-1332 是常见的弱点类别,本平台收录该类弱点关联的 2 条 CVE 漏洞。