
CWE-1270 vulnerability list (3)

Summary of the 3 CVE entries associated with the CWE-1270 weakness class, with AI-generated analysis.

CWE-1270 covers the generation of incorrect Security Tokens in hardware (typically a System-on-Chip), an access-control weakness. The SoC issues a token to each agent so that the access-policy logic can decide which operations (read, write, reset, fetch, and so on) that agent may perform on a protected asset; if the generator issues a token that does not correctly identify the agent or its privilege level, an agent can perform operations the policy was meant to deny it, exposing protected assets such as key registers, corrupting state, or causing a denial of service. Designers should make sure the token generator assigns each agent exactly one token that matches its trust level (no token shared between agents, no agent holding several tokens), review the token definitions against the security architecture, and test the token programming flow both pre-silicon and post-silicon so that implementation defects cannot leave tokens shared, duplicated or otherwise misassigned.

MITRE CWE official description
CWE-1270: Generation of Incorrect Security Tokens. The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect. Systems-On-a-Chip (SoC) (integrated circuits and hardware engines) implement Security Tokens to differentiate and identify actions originated from various agents. These actions could be "read", "write", "program", "reset", "fetch", "compute", etc. Security Tokens are generated and assigned to every agent on the SoC that is either capable of generating an action or receiving an action from another agent. Every agent could be assigned a unique Security Token based on its trust level or privileges.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Modify Files or Directories; Execute Unauthorized Code or Commands; Bypass Protection Mechanism; Gain Privileges or Assume Identity; Read Memory; Modify Memory; DoS: Crash, Exit, or Restart
Incorrectly generated Security Tokens could result in the same token used for multiple agents or multiple tokens being used for the same agent. This condition could result in a Denial-of-Service (DoS) or the execution of an action that in turn could result in privilege escalation or unintended acces…
Mitigations (1)
Phase: Architecture and Design, Implementation
Generation of Security Tokens should be reviewed for design inconsistency and common weaknesses. Security-Token definition and programming flow should be tested in pre-silicon and post-silicon testing.
Code example (1)
Consider a system with a register for storing an AES key for encryption or decryption. The key is 128 bits long implemented as a set of four 32-bit registers. The key registers are assets, and register, AES_KEY_ACCESS_POLICY, is defined to provide necessary access controls. The access-policy register defines which agents, using a Security Token, may access the AES-key registers. Each bit in this 3…
Bad (Other): The SoC incorrectly generates Security Token "1" for every agent. In other words, both Main-controller and Aux-controller are assigned Security Token "1".
Good (Other): The SoC should correctly generate Security Tokens, assigning "1" to the Main-controller and "2" to the Aux-controller.
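The following is an added example (not part of the CWE entry or of any SoC vendor's code) that models the scenario above in software so the two failure modes named under "Common consequences" can be checked mechanically: one token shared by several agents, and one agent holding several tokens. It assumes, as the page does not state, that AES_KEY_ACCESS_POLICY is a bitmask in which bit N grants access to whichever agent holds Security Token N; the agent names and token values follow the CWE example. audit_tokens() is the kind of design-review check the mitigation calls for, and agent_allowed() is the hardware-side policy decision that goes wrong when tokens are misassigned.

```python
"""Toy model of an SoC Security-Token scheme (added example, not from the CWE text).

Assumption: AES_KEY_ACCESS_POLICY is a bitmask; bit N set means agents holding
Security Token N may access the AES key registers AES_KEY_0..AES_KEY_3.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Assignment = List[Tuple[str, int]]  # (agent name, Security Token) pairs as issued by the generator

# Only holders of Security Token 1 (intended: Main-controller) may touch the key registers.
AES_KEY_ACCESS_POLICY = 1 << 1


def policy_allows(policy: int, token: int) -> bool:
    """Hardware-side check: is the policy bit for this token set?"""
    return (policy >> token) & 1 == 1


def agent_allowed(assignments: Assignment, agent: str, policy: int) -> bool:
    """An agent passes the access control if any token it was issued is enabled in the policy."""
    return any(policy_allows(policy, tok) for a, tok in assignments if a == agent)


def audit_tokens(assignments: Assignment) -> Tuple[Dict[int, List[str]], Dict[str, List[int]]]:
    """Design-review check for CWE-1270: every token maps to exactly one agent and
    every agent holds exactly one token. Returns (tokens shared by several agents,
    agents holding several tokens); both empty means the generator is consistent."""
    agents_by_token = defaultdict(set)
    tokens_by_agent = defaultdict(set)
    for agent, token in assignments:
        agents_by_token[token].add(agent)
        tokens_by_agent[agent].add(token)
    shared = {t: sorted(a) for t, a in agents_by_token.items() if len(a) > 1}
    multi = {a: sorted(t) for a, t in tokens_by_agent.items() if len(t) > 1}
    return shared, multi


# Constructed assignment tables following the CWE example.
BAD_TOKENS: Assignment = [("Main-controller", 1), ("Aux-controller", 1)]   # same token for every agent
GOOD_TOKENS: Assignment = [("Main-controller", 1), ("Aux-controller", 2)]  # one unique token per agent
MULTI_TOKENS: Assignment = GOOD_TOKENS + [("Aux-controller", 1)]          # one agent issued two tokens


def summarize(assignments: Assignment) -> Dict[str, object]:
    """Bundle the audit result with the policy outcome for the two controllers."""
    shared, multi = audit_tokens(assignments)
    return {
        "shared_tokens": shared,
        "agents_with_multiple_tokens": multi,
        "main_can_access_aes_key": agent_allowed(assignments, "Main-controller", AES_KEY_ACCESS_POLICY),
        "aux_can_access_aes_key": agent_allowed(assignments, "Aux-controller", AES_KEY_ACCESS_POLICY),
    }


if __name__ == "__main__":
    for name, table in (("bad", BAD_TOKENS), ("good", GOOD_TOKENS), ("multi", MULTI_TOKENS)):
        print(name, summarize(table))
```

With the bad table, Aux-controller reaches the key registers even though the policy register was programmed for Main-controller only; the audit flags token 1 as shared before any silicon is cut. The multi-token table shows the second consequence from the CWE text: the same agent is reachable under two identities, which again lets Aux-controller through the policy.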
CVE ID         | Title                                                  | Product   | CVSS     | Risk level    | Published
CVE-2023-32188 | NeuVector security vulnerability                       | neuvector | 9.8 (AI) | Critical (AI) | 2024-10-16
CVE-2023-22644 | SUSE Manager log information disclosure vulnerability  | neuvector | 7.5      | -             | 2023-09-20
CVE-2023-2882  | CBOT Chatbot security vulnerability                    | Chatbot   | 9.8      | Critical      | 2023-05-25
(AI): value produced by the platform's AI analysis rather than taken from the CVE record.

CWE-1270 is a common weakness category; this platform lists the 3 CVE entries associated with it.