1. Home
  2. Weaknesses
  3. CWE-1268

CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents

ID CWE-1268
Abstraction Base
Structure Simple
Status Draft
Detail Web & Social
The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.

Integrated circuits and hardware engines may provide access to resources (device-configuration, encryption keys, etc.) belonging to trusted firmware or software modules (commonly set by a BIOS or a bootloader). These accesses are typically controlled and limited by the hardware. Hardware design access control is sometimes implemented using a policy. A policy defines which entity or agent may or may not be allowed to perform an action. When a system implements multiple levels of policies, a control policy may allow direct access to a resource as well as changes to the policies themselves.

Resources that include agents in their control policy but not in their write policy could unintentionally allow an untrusted agent to insert itself in the write policy register. Inclusion in the write policy register could allow a malicious or misbehaving agent write access to resources. This action could result in security compromises including leaked information, leaked encryption keys, or modification of device configuration.

Modes of Introduction

Phase Note
Architecture and Design This weakness may be introduced during the design of a device when the architect does not comprehensively specify all of the policies required by an agent.
Implementation This weakness may be introduced during implementation if device policy restrictions do not sufficiently constrain less-privileged clients.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific
Operating_system Not OS-Specific
Architecture Not Architecture-Specific
Technology Not Technology-Specific

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-284 Improper Access Control Pillar Simple Incomplete

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels CWE-1268