Base · Medium

CWE-1301: Insufficient or Incomplete Data Removal within Hardware Component

The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.

CWE-1301 · Base Level · 1 CVE · 2 Mitigations

Description

Physical properties of hardware devices, such as remanence of magnetic media, residual charge in ROMs/RAMs, or screen burn-in, may still retain sensitive data after a data removal process has taken place and power is removed. Recovering data after erasure or overwriting is possible because of a phenomenon called data remanence. For example, if the same value is written repeatedly to a memory location, the corresponding memory cells can become physically altered to such a degree that, even after the original data is erased, it can still be recovered through physical characterization of the memory cells.

Potential Impact

Confidentiality

Read Memory, Read Application Data

Mitigations & Prevention

Architecture and Design

Apply blinding or masking techniques to implementations of cryptographic algorithms.

Implementation

Alter the method of erasure, add protection of media, or destroy the media to protect the data.
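As an added example (not code from the CWE entry or from any vendor), the C below contrasts a reset that clears only an index region with a verified, multi-pass erase of the kind this mitigation calls for; the buffer layout, the 16-byte index, and the pattern sequence are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical pass sequence: complementary patterns, so no cell is written
 * the same value on every pass; the last pass leaves the region zeroed. */
static const uint8_t kPatterns[] = { 0x55, 0xAA, 0xFF, 0x00 };
/* One pass through a volatile pointer (the stores cannot be dropped as dead),
 * then a read-back check that every byte actually took the pattern. */
static int sanitize_pass(volatile uint8_t *media, size_t len, uint8_t pat)
{
    for (size_t i = 0; i < len; i++)
        media[i] = pat;
    for (size_t i = 0; i < len; i++)
        if (media[i] != pat)
            return -1;          /* write did not take: report, do not assume */
    return 0;
}
/* Verified multi-pass erase. Returns 0 only if every pass read back clean. */
int sanitize_region(uint8_t *media, size_t len)
{
    for (size_t p = 0; p < sizeof kPatterns; p++)
        if (sanitize_pass((volatile uint8_t *)media, len, kPatterns[p]) != 0)
            return -1;
    return 0;
}
/* Count bytes still equal to the original content after an erase attempt. */
size_t residual_bytes(const uint8_t *media, const uint8_t *orig, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        hits += (media[i] == orig[i]);
    return hits;
}
/* Constructed scenario: 64 bytes of non-zero user data. A reset that only
 * clears a 16-byte index at the front (the incomplete case this CWE describes)
 * is compared with the verified erase. Returns surviving original bytes;
 * (size_t)-1 means read-back verification failed. */
size_t demo_residual(int full_sanitize)
{
    uint8_t secret[64], media[64];
    for (size_t i = 0; i < sizeof secret; i++)
        secret[i] = (uint8_t)('A' + i % 26);
    memcpy(media, secret, sizeof media);
    if (!full_sanitize)
        memset(media, 0, 16);           /* index wiped, payload left intact */
    else if (sanitize_region(media, sizeof media) != 0)
        return (size_t)-1;
    return residual_bytes(media, secret, sizeof media);
}
```

On a real device the read-back must go through the same controller path users would use, and a pass that fails verification should be treated as a reason to retain the media under protection or destroy it rather than ship it.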

Real-World CVE Examples

CVE ID: CVE-2019-8575
Description: Firmware Data Deletion Vulnerability in which a base station factory reset might not delete all user information. The impact of this enables a new owner of a used device that has been "factory-default

Frequently Asked Questions

What is CWE-1301?

CWE-1301 (Insufficient or Incomplete Data Removal within Hardware Component) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.

How can CWE-1301 be exploited?

Attackers can exploit CWE-1301 (Insufficient or Incomplete Data Removal within Hardware Component) to read memory or read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1301?

Key mitigations include: apply blinding or masking techniques to implementations of cryptographic algorithms (Architecture and Design); alter the method of erasure, add protection of media, or destroy the media to protect the data (Implementation).

What is the severity of CWE-1301?

CWE-1301 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.