CWE-1254

Incorrect Comparison Logic Granularity

AI Translation Available

The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.

Status

draft

Abstraction

base

Affected Platforms

Extended Description

AI Translation

Comparison logic is used to compare a variety of objects including passwords, Message Authentication Codes (MACs), and responses to verification challenges. When comparison logic is implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a comparison failure, an attacker can exploit this implementation to identify when exactly the failure occurred. With multiple attempts, the attacker may be able to guesses the correct password/response to challenge and elevate their privileges.

Technical Details

AI Translation

Common Consequences

confidentiality authorization

Impacts

bypass protection mechanism

Potential Mitigations

Phases:

implementation

Descriptions:

• The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.

AI Generated Translation

Common Consequences

riservatezza autorizzazione

Impacts

elusione del meccanismo di protezione

Potential Mitigations

Phases:

implementazione

Descriptions:

• Il progettista hardware dovrebbe garantire che la logica di confronto sia implementata in modo da confrontare in un'unica operazione, anziché in blocchi più piccoli.

CWE-1254

Common Consequences

Impacts

Potential Mitigations

Common Consequences

Impacts

Potential Mitigations

Iscriviti alla newsletter