1. Home
  2. CWE Database
  3. CWE-1242
Base · Medium

CWE-1242: Inclusion of Undocumented Features or Chicken Bits

The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

CWE-1242 · Base Level ·1 Mitigations

Description

The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

A common design practice is to use undocumented bits on a device that can be used to disable certain functional security features. These bits are commonly referred to as "chicken bits". They can facilitate quick identification and isolation of faulty components, features that negatively affect performance, or features that do not provide the required controllability for debug and test. Another way to achieve this is through implementation of undocumented features.

Potential Impact

Confidentiality, Integrity, Availability, Access Control

Modify Memory, Read Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Bypass Protection Mechanism

Demonstrative Examples

Consider a device that comes with various security measures, such as secure boot. The secure-boot process performs firmware-integrity verification at boot time, and this code is stored in a separate SPI-flash device. However, this code contains undocumented "special access features" intended to be used only for performing failure analysis and intended to only be unlocked by the device designer.
Bad
Attackers dump the code from the device and then perform reverse engineering to analyze the code. The undocumented, special-access features are identified, and attackers can activate them by sending specific commands via UART before secure-boot phase completes. Using these hidden features, attackers can perform reads and writes to memory via the UART interface. At runtime, the attackers can also execute arbitrary code and dump the entire memory contents.
Remove all chicken bits and hidden features that are exposed to attackers. Add authorization schemes that rely on cryptographic primitives to access any features that the manufacturer does not want to expose. Clearly document all interfaces.

Mitigations & Prevention

Architecture and DesignImplementation High

The implementation of chicken bits in a released product is highly discouraged. If implemented at all, ensure that they are disabled in production devices. All interfaces to a device should be documented.

CWE-912: Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an ...

Taxonomy Mappings

  • ISA/IEC 62443: Part 4-1 — Req SD-4
  • ISA/IEC 62443: Part 4-1 — Req SVV-3
  • ISA/IEC 62443: Part 4-2 — Req CR 2.12

Frequently Asked Questions

What is CWE-1242?

CWE-1242 (Inclusion of Undocumented Features or Chicken Bits) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.

How can CWE-1242 be exploited?

Attackers can exploit CWE-1242 (Inclusion of Undocumented Features or Chicken Bits) to modify memory, read memory, execute unauthorized code or commands, gain privileges or assume identity, bypass protection mechanism. This weakness is typically introduced during the Architecture and Design, Implementation, Documentation phase of software development.

How do I prevent CWE-1242?

Key mitigations include: The implementation of chicken bits in a released product is highly discouraged. If implemented at all, ensure that they are disabled in production devices. All interfaces to a device should be documen

What is the severity of CWE-1242?

CWE-1242 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.