CWE-1298
Hardware Logic Contains Race Conditions
A race condition in the hardware logic results in undermining security guarantees of the system.
CVE-2023-45733 (GCVE-0-2023-45733)
Vulnerability from cvelistv5
Published
2024-05-16 20:47
Modified
2024-08-02 20:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- information disclosure
- CWE-1298 - Hardware logic contains race conditions
Summary
Hardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Intel(R) Processors |
Version: See references |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-45733", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-24T16:02:23.588461Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:20:04.956Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:32.455Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html", "tags": [ "x_transferred" ], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Intel(R) Processors", "vendor": "n/a", "versions": [ { "status": "affected", "version": "See references" } ] } ], "descriptions": [ { "lang": "en", "value": "Hardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "information disclosure", "lang": "en" }, { "cweId": "CWE-1298", "description": "Hardware logic contains race conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-16T20:47:09.057Z", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel" }, "references": [ { "name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html" } ] } }, "cveMetadata": { "assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2023-45733", "datePublished": "2024-05-16T20:47:09.057Z", "dateReserved": "2023-11-18T04:00:12.368Z", "dateUpdated": "2024-08-02T20:29:32.455Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Mitigation
Phase: Architecture and Design
Description:
- Adopting design practices that encourage designers to recognize and eliminate race conditions, such as Karnaugh maps, could result in the decrease in occurrences of race conditions.
Mitigation
Phase: Implementation
Description:
- Logic redundancy can be implemented along security critical paths to prevent race conditions. To avoid metastability, it is a good practice in general to default to a secure state in which access is not given to untrusted agents.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.