CWE-1291: Public Key Re-Use for Signing both Debug and Production Code
The same public key is used for signing both debug and production code.
Last updated
Overview
A common usage of public-key cryptography is to verify the integrity and authenticity of another entity (for example a firmware binary). If a company wants to ensure that its firmware runs only on its own hardware, before the firmware runs, an encrypted hash of the firmware image will be decrypted with the public key and then verified against the now-computed hash of the firmware image. This means that the public key forms the root of trust, which necessitates that the public key itself must be protected and used properly. During the development phase, debug firmware enables many hardware debug hooks, debug modes, and debug messages for testing. Those debug facilities provide significant, additional views about the firmware's capability and, in some cases, additional capability into the chip or SoC. If compromised, these capabilities could be exploited by an attacker to take full control of the system. Once the product exits the manufacturing stage and enters production, it is good practice to use a different public key. Debug firmware images are known to leak. With the debug key being reused as the production key, the debug image will also work on the production image. Thus, it will open all the internal, debug capabilities to the attacker. If a different public key is used for the production image, even if the attacker gains access to the debug firmware image, they will not be able to run it on a production machine. Thus, damage will be limited to the intellectual property leakage resulting from the debug image.
Real-world CVEs
1 recorded CVEs are caused by CWE-1291 (Public Key Re-Use for Signing both Debug and Production Code). The highest-severity and most recent are shown first.
Common consequences
What can happen when CWE-1291 is exploited.
Read Memory, Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Varies by Context
Affects: Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-Repudiation, Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1291, grouped by where in the lifecycle they apply.
Use different keys for Production and Debug.
How to detect it
Architecture or Design Review
Compare the debug key with the production key to make sure that they are not the same.
Effectiveness: High
Dynamic Analysis with Manual Results Interpretation
Compare the debug key with the production key to make sure that they are not the same.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This example illustrates the danger of using the same public key for debug and production.
Frequently asked questions
Common questions about CWE-1291.
- What is CWE-1291?
- The same public key is used for signing both debug and production code.
- What CVEs are caused by CWE-1291?
- 1 recorded CVEs are attributed to CWE-1291, including CVE-2022-1665.
- How do you prevent CWE-1291?
- Use different keys for Production and Debug.
- How is CWE-1291 detected?
- Architecture or Design Review: Compare the debug key with the production key to make sure that they are not the same.
- What are the consequences of CWE-1291?
- Exploiting CWE-1291 can lead to: Read Memory, Modify Memory, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity, Varies by Context.
- Is CWE-1291 actively exploited?
- 1 recorded CVEs are caused by CWE-1291; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1291) (opens in a new tab)
- CWE-1291 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1291
Get alerted the moment a new CWE-1291 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.