It’s been an active week for security vulnerabilities, with MITRE and the U.S. Cybersecurity & Infrastructure Agency (CISA) revealing hundreds of critical vulnerabilities.
CISA ordered federal agencies to patch a list of nearly 300 vulnerabilities, and encouraged private organizations to fix them too.
CISA said the list will be updated as any vulnerability meets three criteria:
- The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID
- There is reliable evidence that the vulnerability has been actively exploited in the wild
- There is a clear remediation action for the vulnerability, such as a vendor provided update
The vulnerabilities affect scores of commercial and open source products, quite literally from A to Z, starting with Accellion and ending with ZyXEL.
See our list of the Top Patch Management Tools.
MITRE Takes on Hardware Vulnerabilities
Meanwhile, MITRE and the Hardware CWE Special Interest Group (SIG) published a list of dangerous hardware weaknesses, with the goal of raising awareness and preventing major security issues.
The groups encourage both professionals and consumers to ask suppliers to provide more secure hardware. According to MITRE, managers and CIOs can use the list to measure progress in their efforts to secure their hardware and eliminate the underlying root cause of vulnerabilities.
According to MITRE, “Because hardware is not patchable as easily as software, any flaw discovered after release and production typically cannot be fixed without a recall of the product.”
See our picks for the Top Vulnerability Management Tools.
The full MITRE-CWE list
The unranked list contains 12 entries that categorize data found in hardware programming, design, and architecture. Hackers can exploit these weaknesses to compromise computer systems, exfiltrate data, and even perform DDoS attacks. They are:
- CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC) – multiplexing leads to sharing resources between trusted and untrusted agents.
- CWE-1191: On-Chip Debug and Test Interface With Improper Access Control – the debug interface (JTAG) might be used to bypass on-chip protection to extract information.
- CWE-1231: Improper Prevention of Lock Bit Modification – a hacker might leverage design or coding error to implement the Lock Bit protection feature that write-protect some registers.
- CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection – an attacker might use software to access registers and controls and modify the protected hardware configuration.
- CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation – non-standard cryptographic implementation is pretty hard to fix and puts the whole system at risk.
- CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State – untrusted debug agents might access physical debug or test interfaces.
- CWE-1256: Improper Restriction of Software Interfaces to Hardware Features – if the device has improperly secured power management features, an attacker compromises the device without physical access.
- CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges – when the memory protection unit (MPU) logic handles address overlaps incorrectly, allowing lower-privilege software to read or write into protected memory regions that are supposed to be modified by software running at higher privilege only.
- CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition – State transitions can happen from one power or debug state to another, sometimes leading to access to sensitive information available in the previous state.
- CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code – hackers could bypass the secure-boot process and execute their own untrusted, malicious boot code.
- CWE-1277: Firmware Not Updateable – firmware exploitation exposes the victim to a permanent risk without any possibility to patch weaknesses.
- CWE-1300: Improper Protection of Physical Side Channels – An attacker can monitor and measure physical phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions to detect patterns and make inferences.
MITRE said not to think of the list as an ordered set in terms of importance. All weaknesses are generally equal.
Five Other Vulnerability Categories Noted
Five additional categories were not part of the final list but can still be used by analysts to mitigate security issues:
- CWE-226: Sensitive Information in Resource Not Removed Before Reuse – resources such as memory are constantly reallocated, but operating systems do not usually clear the previously written information, leading to an information leak.
- CWE-1247: Improper Protection Against Voltage and Clock Glitches – when circuitry or sensors are implemented incorrectly, allowing fault attacks such as voltage glitches and clock glitches that are used to compromise the system.
- CWE-1262: Improper Access Control for Register Interface – Malicious software can leverage access to hardware functionality (memory-mapped I/O registers).
- CWE-1331: Improper Isolation of Shared Resources in Network On Chip (NoC) – attackers might infer data and introduce network interferences if the Network On Chip (NoC) does not isolate or incorrectly isolate its on-chip-fabric and internal resources.
- CWE-1332: Improper Handling of Faults that Lead to Instruction Skips – when critical mechanisms such as firmware authentication or password verification are altered by a hacker, leading the hardware to skip them more frequently.
How the MITRE List Can Help Mitigate Hardware Vulnerabilities
There are specific tests you can do regularly to help mitigate hardware attacks. It’s called hardware pen-testing, and it usually targets IoT devices such as desktop computers, tablets, smartphones, fax machines, printers, and many other electronics.
Professionals can use the CWE list to identify and mitigate exploitable vulnerabilities. For example, using old devices that do not support secure booting is a security risk.
Hackers may use firmware exploitation to compromise the network, as the firmware links the operating system and the hardware. The most popular firmware is BIOS and UEFI. Firmware exploitation is dangerous because hackers can sometimes exploit vulnerabilities even before the boot sequence.
It’s best if you can buy hardware with enhanced firmware protection (secure and verified boot). The older the firmware, the easier it is to hack. If you can’t update it (e.g., CWE-1277), it’s impossible to patch vulnerabilities, which exposes consumers to permanent risk for as long as the device is in operation.
Further reading: Top Breach and Attack Simulation (BAS) Vendors