CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > Most Important Hardware Weaknesses (2021)  
ID

2021 CWE Most Important Hardware Weaknesses

Introduction

CWE Most Important Hardware Weaknesses (2021)

The 2021 CWE™ Most Important Hardware Weaknesses is the first of its kind and the result of collaboration within the Hardware CWE Special Interest Group (SIG), a community forum for individuals representing organizations within hardware design, manufacturing, research, and security domains, as well as academia and government.

The goals for the 2021 Hardware List are to drive awareness of common hardware weaknesses through CWE, and to prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle. Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Finally, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underling root cause.

MITRE maintains the CWE web site with the support of the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), presenting detailed descriptions of the 2021 Hardware List weaknesses along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 900 programming, design, and architecture weaknesses that can lead to exploitable vulnerabilities. MITRE also publishes the CWE Top-25 Most Dangerous Software Weaknesses on an annual basis.

The 2021 CWE Most Important Hardware Weaknesses

Below is a brief listing of the weaknesses in the 2021 CWE Most Important Hardware Weaknesses listed in numerical order by CWE identifier. This is an unranked list.

CWE-1189Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE-1191On-Chip Debug and Test Interface With Improper Access Control
CWE-1231Improper Prevention of Lock Bit Modification
CWE-1233Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1240Use of a Cryptographic Primitive with a Risky Implementation
CWE-1244Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1256Improper Restriction of Software Interfaces to Hardware Features
CWE-1260Improper Handling of Overlap Between Protected Memory Ranges
CWE-1272Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1274Improper Access Control for Volatile Memory Containing Boot Code
CWE-1277Firmware Not Updateable
CWE-1300Improper Protection of Physical Side Channels

Methodology

The initial survey effort to begin the identification of a “Top-N” list for hardware was done by members of the SIG who each chose a prioritized set of 10 weaknesses from the 96 hardware entries in the CWE corpus. This process identified a total of 31 unique entries. The HW CWE team also provided a set of questions for participants to weigh during their thinking, including those applicable to prevalence and detection metrics, mitigation metrics, exploitability metrics, and other miscellaneous metrics. From an initial set of 27 questions, the SIG members identified 9 as particularly significant in their consideration for voting on the list:

  1. How frequently is this weakness detected after it has been fielded?
  2. Does the weakness require hardware modifications to mitigate it?
  3. How frequently is this weakness detected during design?
  4. How frequently is this weakness detected during test?
  5. Can the weakness be mitigated once the device has been fielded?
  6. Is physical access required to exploit this weakness?
  7. Can an attack exploiting this weakness be conducted entirely via software?
  8. Is a single exploit against this weakness applicable to a wide range (or family) of devices?
  9. What methodologies do you practice for identifying and preventing both known weaknesses and new weaknesses?

When reflecting on the 31 entries identified during the initial survey, the SIG determined that the ideal length for a published “Top-N” list should be approximately ten percent of the total hardware CWE entries – roughly 10. Accordingly, the SIG convened to hold a formal voting session to distill the previously selected 31 entries in September 2021. Using a card-sorting platform and a Likert-scale approach, each SIG member had the opportunity to transfer the 31 entries into various "buckets" of priority (via drag and drop). There were five buckets:

  • Strongly Support – (for inclusion in the Top-N)
  • Somewhat Support
  • No Opinion
  • Somewhat Oppose
  • Strongly Oppose

After the voting, the CWE team and SIG members collectively reviewed the findings and applied a scoring method where the buckets were assigned weights of +2, +1, 0, -1, and -2, respectively. For each CWE entry, these weights were multiplied against the percentage of votes in each bucket, with the percentage expressed as a value between 0 and 1. The highest possible score was 2.0 (with 100% of all votes for “Strongly Support”). The entry with the highest score had a score of 1.42. This resulted in a ranked order of the 31 previously selected hardware CWEs with a clear delineation in score after the highest 12 and the highest 17 entries. The highest 12 entries had scores from 1.03 to 1.42, and the next 5 entries ranges from 0.91 to 0.97. The next highest score was 0.80. These entries became the 2021 CWE Most Important Hardware Weaknesses List and the Hardware Weaknesses on the Cusp (see above and below). While our methodology came up with a ranking for these 12(+5) entries, the HW CWE team and the SIG believe that it is impractical to think of the list as a hierarchical, ordered set in terms of importance. The entries should be thought of as a set of mostly equal hardware weakness concerns based on our methodology.

With these criteria, future versions of the CWE Most Important Hardware Weaknesses will evolve to cover different weaknesses. Our goal is to provide the most useful list possible for the community. Limitations of our methodology are articulated below.

Weaknesses on the Cusp

In a similar way to the CWE Top 25 Most Dangerous Software Weaknesses, the CWE team feels it is important to share these five additional hardware weaknesses that were supported by the Hardware CWE SIG yet ultimately scored just outside of the final 2021 CWE Most Important Hardware Weaknesses list.

Individuals that perform mitigation and risk decision-making using the 2021 CWE Hardware List may want to consider including these additional weaknesses in their analyses. Weaknesses on the Cusp are listed in numerical order by CWE-ID.

CWE-226Sensitive Information in Resource Not Removed Before Reuse
CWE-1247Improper Protection Against Voltage and Clock Glitches
CWE-1262Improper Access Control for Register Interface
CWE-1331Improper Isolation of Shared Resources in Network On Chip (NoC)
CWE-1332Improper Handling of Faults that Lead to Instruction Skips

Limitations of the Methodology

The methodology used to generate the inaugural CWE Most Important Hardware Weaknesses List is limited somewhat in terms of scientific and statistical rigor. In the absence of more relevant data from which to conduct systematic inquiry, the list was compiled using a modified Delphi method leveraging subjective opinions, albeit from informed content knowledge experts.

The software CWE Top-25 leverages CVE® data within the NIST National Vulnerability Database (NVD) for a data-driven approach that considers weakness type frequency and severity. This is not possible in the hardware domain primarily because there are limited associations of HW CWEs with CVEs due to the HW CWE's infancy. Recently, the CVE program has been working to issue CVE records for hardware vulnerabilities. While post-release hardware vulnerabilities are far less frequent than that of software, as more hardware vulnerability data is readily available, the CWE Hardware List methodology will potentially change.

Acknowledgments

The 2021 CWE Hardware team includes (in alphabetical order by last name): John Butterworth, Steve Christey Coley, Kerry Crouse, Christina Johns, Gananand Kini, Chris Lathrop, Luke Malinowski, and Alec Summers.

Also, tremendous thanks go to the HW CWE SIG membership, which includes at the time of publication (in alphabetical order by first name):

Alric Althoff, Tortuga Logic
Andreas Schweiger, Airbus Defense and Space
Arun Kanuparthi, Intel Corporation
Ashish Darbari, Axiomise
Bruce Monroe, Intel Corporation
Charles Timko, Red Hat
Daniel DiMase, Aerocyonics
Domenic Forte, University of Florida
Farbod Foomany, Security Compass
Hareesh Khattri, Intel Corporation
James Pangburn, Cadence Design Systems
Jason Fung, Intel Corporation
Jason Oberg, Tortuga Logic
Jasper van Woudenberg, Riscure
John Bommer, Air Force Institute of Technology
Kathy Herring Hayashi, Qualcomm
Lang Lin, Ansys
Luca Bongiorni, Bentley Systems
Matthew Coles, Dell Technologies
Milind R. Kulkarni, NVIDIA
Mohan Lal, NVIDIA
Narasimha Kumar V Mangipudi, Lattice Semiconductor
Naveen Sanaka, Dell Technologies
Nicole Fern, Riscure
Parbati K Manna, Intel Corporation
Paul Wooderson, MIRA - A Horiba Company
Paul Wortman, Wells Fargo
Sayee Santhosh Ramesh, Intel Corporation
Sohrab Aftabjahani, Intel Corporation
Srinivas Naik, Intel Corporation
Thomas Ford, Dell Technologies

... and many others who chose to remain anonymous.

Page Last Updated: October 27, 2021