Security

MITRE and CISA publish the 2021 list of most common hardware weaknesses

MITRE and CISA announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list.

MITRE and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list.

The list was published with the intent of raising awareness of common hardware weaknesses through CWE and educating designers and programmers on how to address them as part of the product development lifecycle. 

The list includes a total of 12 vulnerabilities entries that had a score from 1.03 to 1.42 (the highest possible score was 2.0).

Below is the list of weaknesses shared by the two organizations order by CWE identifier:

CWE-1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE-1191On-Chip Debug and Test Interface With Improper Access Control
CWE-1231Improper Prevention of Lock Bit Modification
CWE-1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1240Use of a Cryptographic Primitive with a Risky Implementation
CWE-1244Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1256Improper Restriction of Software Interfaces to Hardware Features
CWE-1260Improper Handling of Overlap Between Protected Memory Ranges
CWE-1272Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1274Improper Access Control for Volatile Memory Containing Boot Code
CWE-1277Firmware Not Updateable
CWE-1300Improper Protection of Physical Side Channels

CIOs and security managers could also use the list to assess the efficiency of their program to secure hardware within in their organizations.

The experts also shared a list of additional five weaknesses, included in the Hardware Weaknesses on the Cusp, that should be addressed by risk managers.

CWE-226Sensitive Information in Resource Not Removed Before Reuse
CWE-1247Improper Protection Against Voltage and Clock Glitches
CWE-1262Improper Access Control for Register Interface
CWE-1331Improper Isolation of Shared Resources in Network On Chip (NoC)
CWE-1332Improper Handling of Faults that Lead to Instruction Skips

“The 2021 CWE™ Most Important Hardware Weaknesses is the first of its kind and the result of collaboration within the Hardware CWE Special Interest Group (SIG), a community forum for individuals representing organizations within hardware design, manufacturing, research, and security domains, as well as academia and government.” reads the announcement.

“Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underling root cause.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Hardware Weaknesses)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

8 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

11 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

20 hours ago

Kosovo authorities extradited admin of the cybercrime marketplace BlackDB.cc

Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…

21 hours ago

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

1 day ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

1 day ago