CWE-1328

Security Version Number Mutable to Older Versions
AI Translation Available

Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.

Status
draft
Abstraction
base
Security Hardware Not Technology-Specific

A System-on-Chip (SoC) implements secure boot or verified boot. It might support a security version number, which prevents downgrading the current firmware to a vulnerable version. Once downgraded to a previous version, an adversary can launch exploits on the SoC and thus compromise the security of the SoC. These downgrade attacks are also referred to as roll-back attacks.

The security version number must be stored securely and persistently across power-on resets. A common weakness is that the security version number is modifiable by an adversary, allowing roll-back or downgrade attacks or, under certain circumstances, preventing upgrades (i.e. Denial-of-Service on upgrades). In both cases, the SoC is in a vulnerable state.

Common Consequences

confidentiality integrity authentication authorization
Impacts
other

Detection Methods

automated dynamic analysis architecture or design review

Potential Mitigations

Phases:
architecture and design implementation
Descriptions:
• When architecting the system, security version data should be designated for storage in registers that are either read-only or have access controls that prevent modification by an untrusted agent.
• During implementation and test, security version data should be demonstrated to be read-only and access controls should be validated.