Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1244
Short description
Extended description
Debug authorization can have multiple levels of access, defined such that different system internal assets are accessible based on the current authorized debug level. Other than debugger authentication (e.g., using passwords or challenges), the authorization can also be based on the system state or boot stage. For example, full system debug access might only be allowed early in boot after a system reset to ensure that previous session data is not accessible to the authenticated debugger.
If this protection mechanism does not ensure that internal assets have the correct debug access level during each boot stage or change in system state, an attacker could obtain sensitive information from the internal asset using a debugger.
Best practices to prevent this CWE
Phase: Architecture and Design; Implementation
Effectiveness: High
Phase: Architecture and Design
Apply blinding or masking techniques in strategic areas.
Effectiveness: Limited
Phase: Implementation
Add shielding or tamper-resistant protections to the device, which increases the difficulty and cost for accessing debug/test interfaces.