Description
The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
A device or system frequently employs many power and sleep states during its normal operation (e.g., normal power, additional power, low power, hibernate, deep sleep, etc.). A device also may be operating within a debug condition. State transitions can happen from one power or debug state to another. If there is information available in the previous state which should not be available in the next state and is not properly removed before the transition into the next state, sensitive information may leak from the system.
Potential Impact
Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation
Read Memory, Read Application Data
Demonstrative Examples
During the transition from A to B, the device does not scrub the memory.
For transition from state A to state B, remove information which should not be available once the transition is complete.
Mitigations & Prevention
During state transitions, information not needed in the next state should be removed before the transition to the next state.
Detection Methods
- Manual Analysis High — Write a known pattern into each sensitive location. Enter the power/debug state in question. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the device needs to be fixed. Note that this
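The mitigation and the manual detection test above, as an added example that is not part of the original page or of any vendor's code. The device model, state names, buffer size and 0xA5 pattern are constructed assumptions; the check counts surviving bytes so that a partial scrub is also caught.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed device model: state names and key_store size are assumptions. */
enum dev_state { STATE_A_SECURE, STATE_B_DEBUG };

struct device {
    enum dev_state state;
    uint8_t key_store[32];   /* sensitive: must not be readable in state B */
};

typedef void (*transition_fn)(struct device *, enum dev_state);

/* Zeroize through a volatile pointer so the compiler cannot elide the writes. */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Weak transition: switches state but leaves key_store intact (CWE-1272). */
void transition_unscrubbed(struct device *d, enum dev_state next) {
    d->state = next;
}

/* Hardened transition: clear what the next state may not see, then switch. */
void transition_scrubbed(struct device *d, enum dev_state next) {
    if (d->state == STATE_A_SECURE && next == STATE_B_DEBUG)
        scrub(d->key_store, sizeof d->key_store);
    d->state = next;
}

/* Detection test: write a known pattern, enter the debug state, read back.
 * Returns the number of pattern bytes still readable; 0 means the test passes. */
size_t surviving_bytes(transition_fn transition) {
    struct device d = { .state = STATE_A_SECURE };
    size_t i, hits = 0;
    memset(d.key_store, 0xA5, sizeof d.key_store);   /* known pattern */
    transition(&d, STATE_B_DEBUG);
    for (i = 0; i < sizeof d.key_store; i++)
        hits += (d.key_store[i] == 0xA5);
    return hits;
}

int main(void) {
    /* Exit 0 only if the weak path leaks and the hardened path does not. */
    return !(surviving_bytes(transition_unscrubbed) == 32 &&
             surviving_bytes(transition_scrubbed) == 0);
}
```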
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2020-12926 | Product software does not set a flag as per TPM specifications, thereby preventing a failed authorization attempt from being recorded after a loss of power. |
Related Weaknesses
Frequently Asked Questions
What is CWE-1272?
CWE-1272 (Sensitive Information Uncleared Before Debug/Power State Transition) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
How can CWE-1272 be exploited?
Attackers can exploit CWE-1272 (Sensitive Information Uncleared Before Debug/Power State Transition) to read memory and read application data. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-1272?
Key mitigations include: During state transitions, information not needed in the next state should be removed before the transition to the next state.
What is the severity of CWE-1272?
CWE-1272 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.