Description
The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.
Adversaries could bypass the secure-boot process and execute their own untrusted, malicious boot code. As a part of a secure-boot process, the read-only-memory (ROM) code for a System-on-Chip (SoC) or other system fetches bootloader code from Non-Volatile Memory (NVM) and stores the code in Volatile Memory (VM), such as dynamic, random-access memory (DRAM) or static, random-access memory (SRAM). The NVM is usually external to the SoC, while the VM is internal to the SoC. As the code is transferred from NVM to VM, it is authenticated by the SoC's ROM code.
Potential Impact
Access Control, Integrity
Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity
Demonstrative Examples
The volatile-memory protections or access controls are insufficient. A good architecture should define appropriate protections or access controls to prevent modification by an adversary or untrusted agent, once the bootloader is authenticated.
Mitigations & Prevention
Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code.
Test the volatile-memory protections to ensure they are safe from modification or untrusted code.
Detection Methods
- Manual Analysis High — Ensure the volatile memory is lockable or has locks. Ensure the volatile memory is locked for writes from untrusted agents or adversaries. Try modifying the volatile memory from an untrusted agent, and ensure these writes are dropped.
- Manual Analysis Moderate — Analyze the device using the following steps: Only trusted masters should be allowed to write to the memory regions. For example, pluggable device peripherals should not have write access to program load memory regions.
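The two manual-analysis checks above, as an added C model (not code from the original page or from any real SoC's ROM): it boots a constructed image, then writes to every byte of the boot region as an untrusted bus master and counts the writes that land. The master IDs, the lock bit, the `enforce` switch and the FNV-1a stand-in for signature verification are all assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model: master IDs, lock bit and enforce switch are assumptions. */
enum master { M_ROM_CPU, M_DMA_PERIPHERAL };  /* trusted vs. pluggable master */
#define SRAM_SIZE 64
static uint8_t sram[SRAM_SIZE];    /* volatile memory that receives boot code */
static int enforce, write_locked;  /* enforce=0 models the weak design */
static const uint8_t IMAGE[] = {0x13, 0x37, 0xC0, 0xDE, 1, 2, 3, 4}; /* constructed */
/* All writes pass the bus firewall: 0 = accepted, -1 = dropped. */
int bus_write(enum master m, size_t off, uint8_t v) {
    if (off >= SRAM_SIZE) return -1;
    if (enforce && (write_locked || m != M_ROM_CPU)) return -1;
    sram[off] = v;
    return 0;
}
/* FNV-1a, a stand-in for the ROM's real signature verification. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
/* ROM flow: copy NVM -> SRAM, authenticate the copy, then lock the region. */
int rom_boot(const uint8_t *nvm, size_t n, uint32_t expected, int enforce_acl) {
    enforce = enforce_acl; write_locked = 0;
    if (n > SRAM_SIZE) return -1;
    for (size_t i = 0; i < n; i++) bus_write(M_ROM_CPU, i, nvm[i]);
    if (digest(sram, n) != expected) return -1;
    write_locked = 1;
    return 0;
}
/* Audit: write to every byte as the untrusted master; count writes that land. */
int audit_untrusted_writes(size_t n) {
    int landed = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t before = sram[i];
        if (bus_write(M_DMA_PERIPHERAL, i, (uint8_t)~before) == 0 || sram[i] != before) landed++;
        sram[i] = before;  /* test-bench restore, bypasses the bus */
    }
    return landed;
}
int boot_and_audit(int enforce_acl) {
    if (rom_boot(IMAGE, sizeof IMAGE, digest(IMAGE, sizeof IMAGE), enforce_acl)) return -1;
    return audit_untrusted_writes(sizeof IMAGE);
}
int main(void) {
    printf("writable bytes: weak=%d locked=%d\n", boot_and_audit(0), boot_and_audit(1));
    return 0;
}
```

A non-zero count means the authenticated image can still be changed after the check, which is the condition this weakness describes.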
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2019-2267 | Locked memory regions may be modified through other interfaces in a secure-boot-loader image due to improper access control. |
Frequently Asked Questions
What is CWE-1274?
CWE-1274 (Improper Access Control for Volatile Memory Containing Boot Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections...
How can CWE-1274 be exploited?
Attackers can exploit CWE-1274 (Improper Access Control for Volatile Memory Containing Boot Code) to modify memory, execute unauthorized code or commands, gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-1274?
Key mitigations include: Ensure that the design of volatile-memory protections is enough to prevent modification from an adversary or untrusted code.
What is the severity of CWE-1274?
CWE-1274 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.