Reliance on Component That is Not Updateable

The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.


Description

If the component is discovered to contain a vulnerability or critical bug, but the issue cannot be fixed using an update or patch, then the product's owner will not be able to protect against the issue. The only option might be replacement of the product, which could be too financially or operationally expensive for the product owner. As a result, the inability to patch or update can leave the product open to attacker exploitation or critical operation failures. This weakness can be especially difficult to manage when using ROM, firmware, or similar components that traditionally have had limited or no update capabilities.

In industries such as healthcare, "legacy" devices can be operated for decades. As a US task force report [REF-1197] notes, "the inability to update or replace equipment has both large and small health care delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced (hardware, software, and operating systems) with large numbers of vulnerabilities and few modern countermeasures."

While hardware can be prone to this weakness, software systems can also be affected, such as when a third-party driver or library is no longer actively maintained or supported but is still critical for the required functionality.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

A refrigerator has an Internet interface for the official purpose of alerting the manufacturer when that refrigerator detects a fault. Because the device is attached to the Internet, the refrigerator is a target for hackers who may wish to use the device other potentially more nefarious purposes.

The refrigerator has no means of patching and is hacked becoming a spewer of email spam.
The device automatically patches itself and provides considerable more protection against being hacked.

Example Two

A System-on-Chip (SOC) implements a Root-of-Trust (RoT) in ROM to boot secure code. However, at times this ROM code might have security vulnerabilities and need to be patched. Since ROM is immutable, it can be impossible to patch.

ROM does not have built-in application-programming interfaces (APIs) to patch if the code is vulnerable. Implement mechanisms to patch the vulnerable ROM code.

Example Three

The example code is taken from the JTAG module of the buggy OpenPiton SoC of HACK@DAC'21. JTAG is protected with a password checker. Access to JTAG operations will be denied unless the correct password is provided by the user. This user-provided password is first sent to the HMAC module where it is hashed with a secret crypto key. This user password hash (pass_hash) is then compared with the hash of the correct password (exp_hash). If they match, JTAG will then be unlocked.

module dmi_jtag(...)(...);
...



      PassChkValid: begin
      if(hashValid) begin


          if(exp_hash == pass_hash) begin

            pass_check = 1'b1;

          end else begin

            pass_check = 1'b0;

          end
          state_d = Idle;

        end else begin
        state_d = PassChkValid;
        end

      end



...

  hmac hmac(

...


    .key_i(256'h24e6fa2254c2ff632a41b...),


...

  );

...
endmodule

However, the SoC's crypto key is hardcoded into the design and cannot be updated [REF-1387]. Therefore, if the key is leaked somehow, there is no way to reprovision the key without having the device replaced.

To fix this issue, a local register should be used (hmac_key_reg) to store the crypto key. If designers need to update the key, they can upload the new key through an input port (hmac_key_i) to the local register by enabling the patching signal (hmac_patch_en) [REF-1388].

module dmi_jtag(...
) (

  input logic [255:0] hmac_key_i,
  input logic         hmac_patch_en,
  ...
  reg [255:0] hmac_key_reg;
  ...

);
...

  always_ff @(posedge tck_i or negedge trst_ni) begin
  ...
  if (hmac_patch_en)

    hmac_key_reg <= hmac_key_i;

  ...
  end

...

  hmac hmac(
  ...
  .key_i(hmac_key_reg),
  ...
  );

...
endmodule

See Also

Comprehensive Categorization: Resource Control

Weaknesses in this category are related to resource control.

ICS Dependencies (& Architecture): External Digital Systems

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in Mar...

Cross-Cutting Problems

Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses Introduced During Implementation

This view (slice) lists weaknesses that can be introduced during implementation.

Weaknesses Introduced During Design

This view (slice) lists weaknesses that can be introduced during design.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.