Base · Medium

CWE-1254: Incorrect Comparison Logic Granularity

CWE-1254 · Base Level · 3 CVEs · 1 Mitigation

Description

The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.

Comparison logic is used to compare a variety of objects including passwords, Message Authentication Codes (MACs), and responses to verification challenges. When comparison logic is implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a comparison failure, an attacker can exploit this implementation to identify exactly when the failure occurred. With multiple attempts, the attacker may be able to guess the correct password or challenge response and elevate their privileges.

Potential Impact

Confidentiality, Authorization

Bypass Protection Mechanism

Mitigations & Prevention

Implementation

The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead of in smaller chunks.
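The byte-by-byte early-exit comparison from the Description, beside a fixed-work form that makes its single decision only after the whole string has been processed. This is an added example, not part of the CWE entry; the function names, the step counter (which stands in for elapsed time) and the sample tag are constructed for illustration, and the fixed-work loop is a software analogue of the "one operation" mitigation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Weak form: stops at the first mismatching byte, so the amount of work
 * (and therefore the response time) depends on how many leading bytes
 * match. *steps is instrumentation for this example only. */
int cmp_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;   /* exit point reveals the mismatch index */
    }
    return 1;
}

/* Hardened form: every byte is always processed and the differences are
 * OR-ed into one accumulator; the only decision is taken at the end. */
int cmp_fixed_work(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;        /* volatile discourages compiler short-circuiting */
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Constructed sample data: an 8-byte reference tag. */
static const uint8_t REF_TAG[8] = {0x3a,0x91,0x5c,0x07,0xe2,0x44,0xb8,0x6d};

/* Loop iterations used when a candidate first differs from REF_TAG at
 * index pos (pos >= 8 means the candidate is identical). */
size_t work_for_mismatch_at(size_t pos, int hardened)
{
    uint8_t cand[8]; size_t steps;
    for (size_t i = 0; i < 8; i++) cand[i] = REF_TAG[i];
    if (pos < 8) cand[pos] ^= 0xff;
    if (hardened) cmp_fixed_work(REF_TAG, cand, 8, &steps);
    else          cmp_early_exit(REF_TAG, cand, 8, &steps);
    return steps;
}

int main(void) {
    for (size_t p = 0; p <= 8; p += 4)
        printf("mismatch@%zu early=%zu fixed=%zu\n", p, work_for_mismatch_at(p, 0), work_for_mismatch_at(p, 1));
    return 0;
}
```

In production code, prefer a vetted constant-time primitive from the platform's cryptographic library over a hand-written loop, since compilers and hardware can reintroduce data-dependent timing.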

Real-World CVE Examples

| CVE ID | Description |
| --- | --- |
| CVE-2019-10482 | Smartphone OS uses comparison functions that are not in constant time, allowing side channels |
| CVE-2019-10071 | Java-oriented framework compares HMAC signatures using String.equals() instead of a constant-time algorithm, causing timing discrepancies |
| CVE-2014-0984 | Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force att |

Frequently Asked Questions

What is CWE-1254?

CWE-1254 (Incorrect Comparison Logic Granularity) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation ma...

How can CWE-1254 be exploited?

Attackers can exploit CWE-1254 (Incorrect Comparison Logic Granularity) to bypass a protection mechanism. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-1254?

Key mitigations include: The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead of in smaller chunks.

What is the severity of CWE-1254?

CWE-1254 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.