1. Home
  2. CWE Database
  3. CWE-1266
Base · Medium

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insuffici...

CWE-1266 · Base Level ·3 Mitigations

Description

The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.

When a product is decommissioned - i.e., taken out of service - best practices or regulatory requirements may require the administrator to remove or overwrite sensitive data first, i.e. "scrubbing." Improper scrubbing of sensitive data from a decommissioned device leaves that data vulnerable to acquisition by a malicious actor. Sensitive data may include, but is not limited to, device/manufacturer proprietary information, user/device credentials, network configurations, and other forms of sensitive data.

Potential Impact

Confidentiality

Read Memory

Mitigations & Prevention

Architecture and Design

Functionality to completely scrub data from a product at the conclusion of its lifecycle should be part of the design phase. Trying to add this function on top of an existing architecture could lead to incomplete removal of sensitive information/data.

Policy

The manufacturer should describe the location(s) where sensitive data is stored and the policies and procedures for its removal. This information may be conveyed, for example, in an Administrators Guide or a Statement of Volatility.

Implementation

If the capability to wipe sensitive data isn't built-in, the manufacturer may need to provide a utility to scrub sensitive data from storage if that data is located in a place which is non-accessible by the administrator. One example of this could be when sensitive data is stored on an EEPROM for which there is no user/admin interface provided by the system.

CWE-404: Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

Frequently Asked Questions

What is CWE-1266?

CWE-1266 (Improper Scrubbing of Sensitive Data from Decommissioned Device) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insuffici...

How can CWE-1266 be exploited?

Attackers can exploit CWE-1266 (Improper Scrubbing of Sensitive Data from Decommissioned Device) to read memory. This weakness is typically introduced during the Architecture and Design, Policy, Implementation phase of software development.

How do I prevent CWE-1266?

Key mitigations include: Functionality to completely scrub data from a product at the conclusion of its lifecycle should be part of the design phase. Trying to add this function on top of an existing architecture could lead t

What is the severity of CWE-1266?

CWE-1266 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.