CWE-1271: Uninitialized Value on Reset for Registers Holding Security Settings
Security-critical logic is not set to a known value on reset.
Last updated
Overview
When the device is first brought out of reset, the state of registers will be indeterminate if they have not been initialized by the logic. Before the registers are initialized, there will be a window during which the device is in an insecure state and may be vulnerable to attack.
Common consequences
What can happen when CWE-1271 is exploited.
Varies by Context
Affects: Access Control, Authentication, Authorization
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1271, grouped by where in the lifecycle they apply.
Design checks should be performed to identify any uninitialized flip-flops used for security-critical functions.