A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present.
If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface.
Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker.
| Impact | Details |
|---|---|
|
Read Application Data |
Scope: Confidentiality Likelihood: High |
|
Read Memory |
Scope: Confidentiality Likelihood: High |
|
Execute Unauthorized Code or Commands |
Scope: Authorization Likelihood: High |
|
Modify Memory |
Scope: Integrity Likelihood: High |
|
Modify Application Data |
Scope: Integrity Likelihood: High |
|
Bypass Protection Mechanism |
Scope: Access Control Likelihood: High |
| Phase(s) | Mitigation |
|---|---|
|
Architecture and Design |
Strategy: Separation of Privilege
If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.
Effectiveness: High |
| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | Pillar Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. | 284 | Improper Access Control |
| PeerOf | Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 1263 | Improper Physical Access Control |
| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | Category Category - a CWE entry that contains a set of other entries that share a common characteristic. | 1207 | Debug and Test Problems |
| PeerOf | Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 1299 | Missing Protection Mechanism for Alternate Hardware Interface |
| Phase | Note |
|---|---|
| Architecture and Design | |
| Implementation |
Class: Not Language-Specific (Undetermined Prevalence)
Class: Not OS-Specific (Undetermined Prevalence)
Class: Not Architecture-Specific (Undetermined Prevalence)
Class: Not Technology-Specific (Undetermined Prevalence)
Example 1
A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.
If the JTAG interface on this device is not hidden by the manufacturer, the interface may be identified using tools such as JTAGulator. If it is hidden but not disabled, it can be exposed by physically wiring to the board.
By issuing a "halt" command before the OS starts, the unauthorized user pauses the watchdog timer and prevents the router from restarting (once the watchdog timer would have expired). Having paused the router, an unauthorized user is able to execute code and inspect and modify data in the device, even extracting all of the router's firmware. This allows the user to examine the router and potentially exploit it.
JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product.
Example 2
The following example code is a snippet from the JTAG wrapper module in the RISC-V debug module of the HACK@DAC'21 Openpiton SoC [REF-1355]. To make sure that the JTAG is accessed securely, the developers have included a primary authentication mechanism based on a password.
The developers employed a Finite State Machine (FSM) to implement this authentication. When a user intends to read from or write to the JTAG module, they must input a password.
In the subsequent state of the FSM module, the entered password undergoes Hash-based Message Authentication Code (HMAC) calculation using an internal HMAC submodule. Once the HMAC for the entered password is computed by the HMAC submodule, the FSM transitions to the next state, where it compares the computed HMAC with the expected HMAC for the password.
If the computed HMAC matches the expected HMAC, the FSM grants the user permission to perform read or write operations on the JTAG module. [REF-1352]
However, in the given vulnerable part of the code, the JTAG module has not defined a limitation for several continuous wrong password attempts. This omission poses a significant security risk, allowing attackers to carry out brute-force attacks without restrictions.
Without a limitation on wrong password attempts, an attacker can repeatedly guess different passwords until they gain unauthorized access to the JTAG module. This leads to various malicious activities, such as unauthorized read from or write to debug module interface.
To mitigate the mentioned vulnerability, developers need to implement a restriction on the number of consecutive incorrect password attempts allowed by the JTAG module, which can achieve by incorporating a mechanism that temporarily locks the module after a certain number of failed attempts.[REF-1353][REF-1354]
Example 3
The example code below is taken from the JTAG access control mechanism of the HACK@DAC'21 buggy OpenPiton SoC [REF-1364]. Access to JTAG allows users to access sensitive information in the system. Hence, access to JTAG is controlled using cryptographic authentication of the users. In this example (see the vulnerable code source), the password checker uses HMAC-SHA256 for authentication. It takes a 512-bit secret message from the user, hashes it using HMAC, and compares its output with the expected output to determine the authenticity of the user.
The vulnerable code shows an incorrect implementation of the HMAC authentication where it only uses the least significant 32 bits of the secret message for the authentication (the remaining 480 bits are hard coded as zeros). As a result, the system is susceptible to brute-force attacks on the access control mechanism of JTAG, where the attacker only needs to determine 32 bits of the secret message instead of 512 bits.
To mitigate this issue, remove the zero padding and use all 512 bits of the secret message for HMAC authentication [REF-1365].
Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.
| Reference | Description |
|---|---|
| Ordinality | Description |
|---|---|
|
Primary
|
(where the weakness exists independent of other weaknesses)
|
| Method | Details |
|---|---|
|
Dynamic Analysis with Manual Results Interpretation |
Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. Withholding of private register documentation from the debug and test interface public specification ("Security by obscurity") should not be considered as sufficient security. |
|
Dynamic Analysis with Manual Results Interpretation |
Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default. |
|
Fuzzing |
Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.
Effectiveness: Moderate |
| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | ViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). | 1343 | Weaknesses in the 2021 CWE Most Important Hardware Weaknesses List |
| MemberOf | CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. | 1396 | Comprehensive Categorization: Access Control |
| MemberOf | ViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). | 1432 | Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List |
Rationale
This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comments
Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.Relationship
| Submissions | |||
|---|---|---|---|
| Submission Date | Submitter | Organization | |
|
2019年10月15日
(CWE 4.0, 2020年02月24日) |
Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi | Intel Corporation | |
| Contributions | |||
| Contribution Date | Contributor | Organization | |
| 2021年10月18日 | Parbati K. Manna | Intel Corporation | |
| provided detection methods | |||
| 2021年10月20日 | Narasimha Kumar V Mangipudi | Lattice Semiconductor | |
| reviewed content changes | |||
| 2021年10月22日 | Hareesh Khattri | Intel Corporation | |
| clarified differences between CWE-1191 and CWE-1244 | |||
| 2021年10月27日 | Arun Kanuparthi | Intel Corporation | |
| suggested additional detail in extended description | |||
| 2023年06月21日 | Shaza Zeitouni, Mohamadreza Rostami, Pouya Mahmoody, Ahmad-Reza Sadeghi | Technical University of Darmstadt | |
| suggested demonstrative example | |||
| 2023年06月21日 | Rahul Kande, Chen Chen, Jeyavijayan Rajendran | Texas A&M University | |
| suggested demonstrative example | |||
| Modifications | |||
| Modification Date | Modifier | Organization | |
|
2025年09月09日
(CWE 4.18, 2025年09月09日) |
CWE Content Team | MITRE | |
| updated References, Relationships | |||
| 2023年10月26日 | CWE Content Team | MITRE | |
| updated Demonstrative_Examples, References | |||
| 2023年06月29日 | CWE Content Team | MITRE | |
| updated Mapping_Notes | |||
| 2023年04月27日 | CWE Content Team | MITRE | |
| updated References, Relationships | |||
| 2022年10月13日 | CWE Content Team | MITRE | |
| updated Description, Related_Attack_Patterns | |||
| 2022年04月28日 | CWE Content Team | MITRE | |
| updated Related_Attack_Patterns | |||
| 2021年10月28日 | CWE Content Team | MITRE | |
| updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities | |||
| 2021年03月15日 | CWE Content Team | MITRE | |
| updated Maintenance_Notes | |||
| 2020年08月20日 | CWE Content Team | MITRE | |
| updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships | |||
| 2020年06月25日 | CWE Content Team | MITRE | |
| updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, References, Relationships | |||
| Previous Entry Names | |||
| Change Date | Previous Entry Name | ||
| 2020年02月26日 | Exposed Chip Debug Interface With Insufficient Access Control | ||
| 2020年08月20日 | Exposed Chip Debug and or Test Interface With Insufficient Access Control | ||
| 2021年10月28日 | Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization | ||
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.