Class · High

CWE-1384: Improper Handling of Physical or Environmental Conditions

The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.

CWE-1384 · Class Level · 1 CVE · 3 Mitigations

Description

Hardware products are typically only guaranteed to behave correctly within certain physical limits or environmental conditions. Such products cannot necessarily control the physical or external conditions to which they are subjected. However, the inability to handle such conditions can undermine a product's security. For example, an unexpected physical or environmental condition may cause the flipping of a bit that is used for an authentication decision. This unexpected condition could occur naturally or be induced artificially by an adversary. Physical or environmental conditions of concern are:

Potential Impact

Confidentiality, Integrity, Availability

Varies by Context, Unexpected State

Demonstrative Examples

Below is a representative snippet of C code that is part of the secure-boot flow. A signature of the runtime-firmware image is calculated and compared against a golden value. If the signatures match, the bootloader loads runtime firmware. If there is no match, an error halt occurs. If the underlying hardware executing this code does not contain any circuitry or sensors to detect voltage or clock glitches, an attacker might launch a fault-injection attack right when the signature check is happening (at the location marked with the comment), causing a bypass of the signature-checking process.
Bad

    ...
    if (signature_matches)  // <- Glitch Here
    {
        load_runtime_firmware();
    }
    else
    {
        do_not_load_runtime_firmware();
    }
    ...

After bypassing secure boot, an attacker can gain access to system assets to which the attacker should not have access.
Good
If the underlying hardware detects a voltage or clock glitch, the information can be used to prevent the glitch from being successful.
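The two shapes side by side, as an added example that is not part of the CWE entry: the single-branch check from the snippet above, and a hardened version that consults a glitch-detector status flag, verifies twice, and requires an exact non-trivial OK code. The detector register, the verification constants and the 4-byte sample digests are constructed for this example; a real SoC would expose its own sensor flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verification results with large Hamming distance: no single bit flip turns FAIL into OK. */
#define VERIFY_OK   0x3CA5C33Au
#define VERIFY_FAIL 0xC35A3CC5u
typedef enum { BOOT_HALT = 0, BOOT_LOAD = 0x5A } boot_action_t;

/* Constructed stand-in for a glitch-detector status register (assumption: the SoC
   latches a flag when its sensors observe a voltage or clock anomaly). */
static volatile uint32_t glitch_detector_flag = 0;
void set_glitch_detected(int on) { glitch_detector_flag = on ? 1u : 0u; }

/* Constructed sample data: a 4-byte "signature" digest and the golden value. */
const uint8_t GOLDEN[4]   = { 0xde, 0xad, 0xbe, 0xef };
const uint8_t SIG_GOOD[4] = { 0xde, 0xad, 0xbe, 0xef };
const uint8_t SIG_BAD[4]  = { 0xde, 0xad, 0xbe, 0xee };

/* Constant-time comparison that yields a verification code instead of 0/1. */
static uint32_t verify_signature(const uint8_t *sig, const uint8_t *golden, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(sig[i] ^ golden[i]);
    return diff == 0 ? VERIFY_OK : VERIFY_FAIL;
}

/* The page's vulnerable shape: one boolean, one branch, no sensor input. */
boot_action_t secure_boot_bad(const uint8_t *sig, const uint8_t *golden, size_t n)
{
    bool signature_matches = memcmp(sig, golden, n) == 0;
    if (signature_matches)   /* a single corrupted compare or skipped branch loads firmware */
        return BOOT_LOAD;
    return BOOT_HALT;
}

/* Hardened shape: consult the detector, verify twice, require the exact OK code, re-check the detector. */
boot_action_t secure_boot_good(const uint8_t *sig, const uint8_t *golden, size_t n)
{
    if (glitch_detector_flag != 0)
        return BOOT_HALT;
    volatile uint32_t r1 = verify_signature(sig, golden, n);
    volatile uint32_t r2 = verify_signature(sig, golden, n);
    if (r1 != VERIFY_OK || r2 != VERIFY_OK || r1 != r2)
        return BOOT_HALT;
    if (glitch_detector_flag != 0)   /* glitch seen during the check: treat the result as untrusted */
        return BOOT_HALT;
    return BOOT_LOAD;
}
```

With the detector flag raised, the hardened path halts even on a valid signature, which is the behaviour the Good case above describes: sensor information is used to refuse a decision that may have been tampered with.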

Mitigations & Prevention

Requirements

In requirements, be specific about expectations for how the product will perform when it exceeds physical and environmental boundary conditions, e.g., by shutting down.

Architecture and Design, Implementation

Where possible, include independent components that can detect excess environmental conditions and have the capability to shut down the product.

Architecture and Design, Implementation

Where possible, use shielding or other materials that can increase the adversary's workload and reduce the likelihood of being able to successfully trigger a security-related failure.

Real-World CVE Examples

CVE ID          Description
CVE-2019-17391  Lack of anti-glitch protections allows an attacker to launch a physical attack to bypass the secure boot and read protected eFuses.

Frequently Asked Questions

What is CWE-1384?

CWE-1384 (Improper Handling of Physical or Environmental Conditions) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.

How can CWE-1384 be exploited?

The impact of exploiting CWE-1384 (Improper Handling of Physical or Environmental Conditions) varies by context and typically leaves the product in an unexpected state. This weakness is typically introduced during the Architecture and Design or Manufacturing phases of development.

How do I prevent CWE-1384?

Key mitigations include: In requirements, be specific about expectations for how the product will perform when it exceeds physical and environmental boundary conditions, e.g., by shutting down.

What is the severity of CWE-1384?

CWE-1384 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVE.