目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1310

100%
请我们喝杯咖啡

CWE-1300 类漏洞列表 13

CWE-1300 类弱点 13 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-1300指设备缺乏对物理侧信道攻击的有效防护。攻击者通过监测功耗、电磁辐射或声学发射等可观察现象,分析数据模式以推断敏感信息。开发者应实施屏蔽、噪声注入或恒定时间算法等机制,消除物理特征与数据间的关联,从而防止侧信道泄露,确保硬件层面的信息安全。

MITRE CWE 官方描述
CWE:CWE-1300 物理侧信道保护不当 该设备缺乏足够的保护机制,无法防止物理侧信道因可物理观测现象(如功耗变化、电磁辐射(EME)或声学辐射)中的模式而暴露敏感信息。 对手可以监测和测量物理现象以检测模式并进行推断,即使无法在数字域中提取信息也是如此。在破解密码算法实现或针对安全功能的其他攻击背景下,物理侧信道已被研究数十年。这些侧信道可能被具有设备物理访问权限的对手轻松观测,或使用靠近设备的工具进行观测。如果对手能够监测硬件操作并将其数据处理与功耗、EME 和声学测量数据进行关联,对手可能能够恢复密钥和数据。
常见影响 (1)
ConfidentialityRead Memory, Read Application Data
缓解措施 (2)
Architecture and DesignApply blinding or masking techniques to implementations of cryptographic algorithms.
ImplementationAdd shielding or tamper-resistant protections to the device to increase the difficulty of obtaining measurements of the side-channel.
代码示例 (2)
Consider a device that checks a passcode to unlock the screen.
As each character of
		    the PIN number is entered, a correct character
		    exhibits one current pulse shape while an
		    incorrect character exhibits a different current
		    pulse shape.
Bad · Other
Rather than comparing
		    each character to the correct PIN value as it is
		    entered, the device could accumulate the PIN in a
		    register, and do the comparison all at once at the
		    end. Alternatively, the components for the
		    comparison could be modified so that the current
		    pulse shape is the same regardless of the
		    correctness of the entered
		    character.
Good · Other
Consider the device vulnerability CVE-2021-3011, which affects certain microcontrollers [REF-1221]. The Google Titan Security Key is used for two-factor authentication using cryptographic algorithms. The device uses an internal secret key for this purpose and exchanges information based on this key for the authentication. If this internal secret key and the encryption algorithm were known to an ad…
The local method of extracting the secret key consists of plugging the key into a USB port and using electromagnetic (EM) sniffing tools and computers.
Bad · Other
Several solutions could have been considered by the manufacturer. For example, the manufacturer could shield the circuitry in the key or add randomized delays, indirect calculations with random values involved, or randomly ordered calculations to make extraction much more difficult. The manufacturer could use a combination of these techniques.
Good · Other
CVE ID标题CVSS风险等级Published
CVE-2026-11289 Google Chrome 安全漏洞 — Chrome--2026-06-04
CVE-2026-11284 Google Chrome 安全漏洞 — Chrome--2026-06-04
CVE-2026-11153 Google Chrome 安全漏洞 — Chrome--2026-06-04
CVE-2026-8562 Google Chrome 安全漏洞 — Chrome--2026-05-14
CVE-2026-6923 Nuvoton NPCT7xx 安全漏洞 — NPCT7xx 3.8 Low2026-05-14
CVE-2026-8017 Google Chrome 安全漏洞 — Chrome 6.5 -2026-05-06
CVE-2026-5876 Google Chrome 安全漏洞 — Chrome 6.5AIMediumAI2026-04-08
CVE-2026-3929 Google Chrome 安全漏洞 — Chrome 6.5AIMediumAI2026-03-11
CVE-2025-13992 Google Chrome 安全漏洞 — Chrome 6.5AIMediumAI2025-12-03
CVE-2025-11210 Google Chrome 安全漏洞 — Chrome 4.3AIMediumAI2025-11-06
CVE-2025-11207 Google Chrome 安全漏洞 — Chrome 8.1AIHighAI2025-11-06
CVE-2025-10890 Google Chrome 安全漏洞 — Chrome 6.5AIMediumAI2025-09-24
CVE-2023-6258 pkcs11-provider 安全漏洞 — pkcs11-provider 8.1 High2024-01-30

CWE-1300 是常见的弱点类别,本平台收录该类弱点关联的 13 条 CVE 漏洞。