MITRE and CISA publish the 2021 list of most common hardware weaknesses

Pierluigi Paganini October 30, 2021

MITRE and CISA announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list.

MITRE and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have announced the release of the “2021 Common Weakness Enumeration (CWE) Most Important Hardware Weaknesses” list.

The list was published with the intent of raising awareness of common hardware weaknesses through CWE and educating designers and programmers on how to address them as part of the product development lifecycle. 

The list includes a total of 12 vulnerabilities entries that had a score from 1.03 to 1.42 (the highest possible score was 2.0).

Below is the list of weaknesses shared by the two organizations order by CWE identifier:

CWE-1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE-1191On-Chip Debug and Test Interface With Improper Access Control
CWE-1231Improper Prevention of Lock Bit Modification
CWE-1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1240Use of a Cryptographic Primitive with a Risky Implementation
CWE-1244Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1256Improper Restriction of Software Interfaces to Hardware Features
CWE-1260Improper Handling of Overlap Between Protected Memory Ranges
CWE-1272Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1274Improper Access Control for Volatile Memory Containing Boot Code
CWE-1277Firmware Not Updateable
CWE-1300Improper Protection of Physical Side Channels

CIOs and security managers could also use the list to assess the efficiency of their program to secure hardware within in their organizations.

The experts also shared a list of additional five weaknesses, included in the Hardware Weaknesses on the Cusp, that should be addressed by risk managers.

CWE-226Sensitive Information in Resource Not Removed Before Reuse
CWE-1247Improper Protection Against Voltage and Clock Glitches
CWE-1262Improper Access Control for Register Interface
CWE-1331Improper Isolation of Shared Resources in Network On Chip (NoC)
CWE-1332Improper Handling of Faults that Lead to Instruction Skips

“The 2021 CWE™ Most Important Hardware Weaknesses is the first of its kind and the result of collaboration within the Hardware CWE Special Interest Group (SIG), a community forum for individuals representing organizations within hardware design, manufacturing, research, and security domains, as well as academia and government.” reads the announcement.

“Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underling root cause.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Hardware Weaknesses)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment