CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE-1191: On-Chip Debug and Test Interface With Improper Access Control (4.20)  
ID
  • Home
  • Who We Are User Stories History Documents Videos
  • Basics
    Root Cause Mapping   ►
    Guidance Quick Tips Examples
    How to Contribute Weakness Content FAQs Glossary
  • Top-N Lists   ►
    Top 25 Software Top Hardware Top 10 KEV Weaknesses
    CWE List   ►
    Current Version Reports Visualizations Releases Archive
    Downloads REST API
  • News   ►
    Current News Blog Podcast News Archive
    CWE Board Working Groups & Special Interest Groups Email Lists
    • Search CWE List Search Website

    CWE-1191: On-Chip Debug and Test Interface With Improper Access Control

    Weakness ID: 1191
    Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
    Abstraction: Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
    View customized information:
    For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.
    ×

    Edit Custom Filter


    + Description
    The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
    + Extended Description

    A device's internal information may be accessed through a scan chain of interconnected internal registers, usually through a JTAG interface. The JTAG interface provides access to these registers in a serial fashion in the form of a scan chain for the purposes of debugging programs running on a device. Since almost all information contained within a device may be accessed over this interface, device manufacturers typically insert some form of authentication and authorization to prevent unintended use of this sensitive information. This mechanism is implemented in addition to on-chip protections that are already present.

    If authorization, authentication, or some other form of access control is not implemented or not implemented correctly, a user may be able to bypass on-chip protection mechanisms through the debug interface.

    Sometimes, designers choose not to expose the debug pins on the motherboard. Instead, they choose to hide these pins in the intermediate layers of the board. This is primarily done to work around the lack of debug authorization inside the chip. In such a scenario (without debug authorization), when the debug interface is exposed, chip internals are accessible to an attacker.

    + Common Consequences
    Section HelpThis table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
    Impact Details

    Read Application Data

    		Scope: Confidentiality

    Likelihood: High

    Read Memory

    		Scope: Confidentiality

    Likelihood: High

    Execute Unauthorized Code or Commands

    		Scope: Authorization

    Likelihood: High

    Modify Memory

    		Scope: Integrity

    Likelihood: High

    Modify Application Data

    		Scope: Integrity

    Likelihood: High

    Bypass Protection Mechanism

    		Scope: Access Control

    Likelihood: High
    + Potential Mitigations
    Phase(s) Mitigation

    Architecture and Design

    Strategy: Separation of Privilege

    If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.

    Effectiveness: High
    + Relationships
    Section Help This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
    + Relevant to the view "Research Concepts" (View-1000)
    Nature Type ID Name
    ChildOf Pillar Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. 284 Improper Access Control
    PeerOf Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 1263 Improper Physical Access Control
    + Relevant to the view "Hardware Design" (View-1194)
    Nature Type ID Name
    MemberOf Category Category - a CWE entry that contains a set of other entries that share a common characteristic. 1207 Debug and Test Problems
    PeerOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 1299 Missing Protection Mechanism for Alternate Hardware Interface
    + Modes Of Introduction
    Section HelpThe different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
    Phase Note
    Architecture and Design
    Implementation
    + Applicable Platforms
    Section HelpThis listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
    + Demonstrative Examples

    Example 1


    A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.

    (bad code)
    Example Language: Other 

    If the JTAG interface on this device is not hidden by the manufacturer, the interface may be identified using tools such as JTAGulator. If it is hidden but not disabled, it can be exposed by physically wiring to the board.

    By issuing a "halt" command before the OS starts, the unauthorized user pauses the watchdog timer and prevents the router from restarting (once the watchdog timer would have expired). Having paused the router, an unauthorized user is able to execute code and inspect and modify data in the device, even extracting all of the router's firmware. This allows the user to examine the router and potentially exploit it.

    JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product.

    (good code)
    Example Language: Other 
    In order to prevent exposing the debugging interface, manufacturers might try to obfuscate the JTAG interface or blow device internal fuses to disable the JTAG interface. Adding authentication and authorization to this interface makes use by unauthorized individuals much more difficult.


    Example 2


    The following example code is a snippet from the JTAG wrapper module in the RISC-V debug module of the HACK@DAC'21 Openpiton SoC [REF-1355]. To make sure that the JTAG is accessed securely, the developers have included a primary authentication mechanism based on a password.

    The developers employed a Finite State Machine (FSM) to implement this authentication. When a user intends to read from or write to the JTAG module, they must input a password.

    In the subsequent state of the FSM module, the entered password undergoes Hash-based Message Authentication Code (HMAC) calculation using an internal HMAC submodule. Once the HMAC for the entered password is computed by the HMAC submodule, the FSM transitions to the next state, where it compares the computed HMAC with the expected HMAC for the password.

    If the computed HMAC matches the expected HMAC, the FSM grants the user permission to perform read or write operations on the JTAG module. [REF-1352]

    (bad code)
    Example Language: Verilog 
    ...
    PassChkValid: begin
    if(hashValid) begin
    if(exp_hash == pass_hash) begin
    pass_check = 1'b1;
    end else begin
    pass_check = 1'b0;
    end
    state_d = Idle;
    end else begin
    state_d = PassChkValid;
    end
    end
    ...

    However, in the given vulnerable part of the code, the JTAG module has not defined a limitation for several continuous wrong password attempts. This omission poses a significant security risk, allowing attackers to carry out brute-force attacks without restrictions.

    Without a limitation on wrong password attempts, an attacker can repeatedly guess different passwords until they gain unauthorized access to the JTAG module. This leads to various malicious activities, such as unauthorized read from or write to debug module interface.

    To mitigate the mentioned vulnerability, developers need to implement a restriction on the number of consecutive incorrect password attempts allowed by the JTAG module, which can achieve by incorporating a mechanism that temporarily locks the module after a certain number of failed attempts.[REF-1353][REF-1354]

    (good code)
    Example Language: Verilog 
    ...
    case (state_q)
    Idle: begin
    ...
    else if ( (dm::dtm_op_e'(dmi.op) == dm::DTM_PASS) && (miss_pass_check_cnt_q != 2'b11) )
    begin
    state_d = Write;
    pass_mode = 1'b1;
    end
    ...
    end
    ...
    PassChkValid: begin
    if(hashValid) begin
    if(exp_hash == pass_hash) begin
    pass_check = 1'b1;
    end else begin
    pass_check = 1'b0;
    miss_pass_check_cnt_d = miss_pass_check_cnt_q + 1
    end
    state_d = Idle;
    end else begin
    state_d = PassChkValid;
    end
    end
    ...


    Example 3


    The example code below is taken from the JTAG access control mechanism of the HACK@DAC'21 buggy OpenPiton SoC [REF-1364]. Access to JTAG allows users to access sensitive information in the system. Hence, access to JTAG is controlled using cryptographic authentication of the users. In this example (see the vulnerable code source), the password checker uses HMAC-SHA256 for authentication. It takes a 512-bit secret message from the user, hashes it using HMAC, and compares its output with the expected output to determine the authenticity of the user.

    (bad code)
    Example Language: Verilog 
    ...
    logic [31-1:0] data_d, data_q;
    ...
    logic [512-1:0] pass_data;
    ...
    Write: begin
    ...
    if (pass_mode) begin
    pass_data = { {60{8'h00}}, data_d};
    state_d = PassChk;
    pass_mode = 1'b0;
    ...
    end
    ...

    The vulnerable code shows an incorrect implementation of the HMAC authentication where it only uses the least significant 32 bits of the secret message for the authentication (the remaining 480 bits are hard coded as zeros). As a result, the system is susceptible to brute-force attacks on the access control mechanism of JTAG, where the attacker only needs to determine 32 bits of the secret message instead of 512 bits.

    To mitigate this issue, remove the zero padding and use all 512 bits of the secret message for HMAC authentication [REF-1365].

    (good code)
    Example Language: Verilog 
    ...
    logic [512-1:0] data_d, data_q;
    ...
    logic [512-1:0] pass_data;
    ...
    Write: begin
    ...
    if (pass_mode) begin
    pass_data = data_d;
    state_d = PassChk;
    pass_mode = 1'b0;
    ...
    end
    ...


    + Selected Observed Examples

    Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

    Languages

    Class: Not Language-Specific (Undetermined Prevalence)

    Operating Systems

    Class: Not OS-Specific (Undetermined Prevalence)

    Architectures

    Class: Not Architecture-Specific (Undetermined Prevalence)

    Technologies

    Class: Not Technology-Specific (Undetermined Prevalence)

    Reference Description
    CVE-2019-18827
    chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys
    + Weakness Ordinalities
    Ordinality Description
    Primary
    (where the weakness exists independent of other weaknesses)
    + Detection Methods
    Method Details

    Dynamic Analysis with Manual Results Interpretation

    Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. Withholding of private register documentation from the debug and test interface public specification ("Security by obscurity") should not be considered as sufficient security.

    Dynamic Analysis with Manual Results Interpretation

    Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.

    Fuzzing
    Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.

    Effectiveness: Moderate
    + Memberships
    Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
    Nature Type ID Name
    MemberOf ViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). 1343 Weaknesses in the 2021 CWE Most Important Hardware Weaknesses List
    MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1396 Comprehensive Categorization: Access Control
    MemberOf ViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). 1432 Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List
    + Vulnerability Mapping Notes
    Usage ALLOWED
    (this CWE ID may be used to map to real-world vulnerabilities)
    Reason Acceptable-Use

    Rationale

    		This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

    Comments

    		Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
    + Notes

    Relationship

    CWE-1191 and CWE-1244 both involve physical debug access, but the weaknesses are different. CWE-1191 is effectively about missing authorization for a debug interface, i.e. JTAG. CWE-1244 is about providing internal assets with the wrong debug access level, exposing the asset to untrusted debug agents.
    + References
    [REF-1037] Kurt Rosenfeld and Ramesh Karri. "Attacks and Defenses for JTAG". 2010-02.
    <https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5406671>.
    [REF-1043] Gopal Vishwakarma and Wonjun Lee. "Exploiting JTAG and Its Mitigation in IOT: A Survey". 2018-12-03.
    <https://www.mdpi.com/1999-5903/10/12/121/pdf>. (URL validated: 2023-04-07)
    [REF-1084] Gopal Vishwakarma and Wonjun Lee. "JTAG Explained (finally!): Why "IoT", Software Security Engineers, and Manufacturers Should Care".
    <https://www.mdpi.com/1999-5903/10/12/121/pdf>. (URL validated: 2023-04-07)
    [REF-1085] Bob Molyneaux, Mark McDermott and Anil Sabbavarapu. "Design for Testability & Design for Debug".
    <https://web.archive.org/web/20180412225956/http://users.ece.utexas.edu/~mcdermot/vlsi-2/Lecture_17.pdf>. (URL validated: 2025-08-04)
    [REF-1355] Florian Zaruba. "dmi_jtag.sv". 2021.
    <https://github.com/HACK-EVENT/hackatdac21/blob/71103971e8204de6a61afc17d3653292517d32bf/piton/design/chip/tile/ariane/src/riscv-dbg/src/dmi_jtag.sv#L192:L204>. (URL validated: 2023-09-18)
    [REF-1354] Florian Zaruba. "Fix CWE-1191 in dmi_jtag.sv". 2021.
    <https://github.com/HACK-EVENT/hackatdac21/blob/58f984d492fdb0369c82ef10fcbbaa4b9850f9fb/piton/design/chip/tile/ariane/src/riscv-dbg/src/dmi_jtag.sv#L200>. (URL validated: 2023-09-18)
    [REF-1353] Florian Zaruba. "Fix CWE-1191 in dmi_jtag.sv". 2021.
    <https://github.com/HACK-EVENT/hackatdac21/blob/58f984d492fdb0369c82ef10fcbbaa4b9850f9fb/piton/design/chip/tile/ariane/src/riscv-dbg/src/dmi_jtag.sv#L131>. (URL validated: 2023-09-18)
    [REF-1352] Florian Zaruba. "dmi_jtag.sv". 2021.
    <https://github.com/HACK-EVENT/hackatdac21/blob/71103971e8204de6a61afc17d3653292517d32bf/piton/design/chip/tile/ariane/src/riscv-dbg/src/dmi_jtag.sv#L118:L204>. (URL validated: 2023-09-18)
    [REF-1364] "dmi_jtag.sv". 2021.
    <https://github.com/HACK-EVENT/hackatdac21/blob/71103971e8204de6a61afc17d3653292517d32bf/piton/design/chip/tile/ariane/src/riscv-dbg/src/dmi_jtag.sv#L82>. (URL validated: 2023-07-15)
    [REF-1365] "fix cwe_1205 in dmi_jtag.sv". 2021.
    <https://github.com/HACK-EVENT/hackatdac21/blob/c4f4b832218b50c406dbf9f425d3b654117c1355/piton/design/chip/tile/ariane/src/riscv-dbg/src/dmi_jtag.sv#L158>. (URL validated: 2023-07-22)
    + Content History
    + Submissions
    Submission Date Submitter Organization
    2019-10-15
    (CWE 4.0, 2020-02-24)     		Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi Intel Corporation
    + Contributions
    Contribution Date Contributor Organization
    2023-06-21 Shaza Zeitouni, Mohamadreza Rostami, Pouya Mahmoody, Ahmad-Reza Sadeghi Technical University of Darmstadt
    suggested demonstrative example
    2023-06-21 Rahul Kande, Chen Chen, Jeyavijayan Rajendran Texas A&M University
    suggested demonstrative example
    2021-10-27 Arun Kanuparthi Intel Corporation
    suggested additional detail in extended description
    2021-10-22 Hareesh Khattri Intel Corporation
    clarified differences between CWE-1191 and CWE-1244
    2021-10-20 Narasimha Kumar V Mangipudi Lattice Semiconductor
    reviewed content changes
    2021-10-18 Parbati K. Manna Intel Corporation
    provided detection methods
    + Modifications
    Modification Date Modifier Organization
    2025-09-09
    (CWE 4.18, 2025-09-09)     		CWE Content Team MITRE
    updated References, Relationships
    2023-10-26
    (CWE 4.13, 2023-10-26)     		CWE Content Team MITRE
    updated Demonstrative_Examples, References
    2023-06-29
    (CWE 4.12, 2023-06-29)     		CWE Content Team MITRE
    updated Mapping_Notes
    2023-04-27
    (CWE 4.11, 2023-04-27)     		CWE Content Team MITRE
    updated References, Relationships
    2022-10-13
    (CWE 4.9, 2022-10-13)     		CWE Content Team MITRE
    updated Description, Related_Attack_Patterns
    2022-04-28
    (CWE 4.7, 2022-04-28)     		CWE Content Team MITRE
    updated Related_Attack_Patterns
    2021-10-28
    (CWE 4.6, 2021-10-28)     		CWE Content Team MITRE
    updated Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, Relationship_Notes, Relationships, Weakness_Ordinalities
    2021-03-15
    (CWE 4.4, 2021-03-15)     		CWE Content Team MITRE
    updated Maintenance_Notes
    2020-08-20
    (CWE 4.2, 2020-08-20)     		CWE Content Team MITRE
    updated Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
    2020-06-25
    (CWE 4.1, 2020-06-25)     		CWE Content Team MITRE
    updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, References, Relationships
    + Previous Entry Names
    Change Date Previous Entry Name
    2021-10-28 Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
    2020-08-20 Exposed Chip Debug and or Test Interface With Insufficient Access Control
    2020-02-26 Exposed Chip Debug Interface With Insufficient Access Control
    Page Last Updated: April 30, 2026
     

    Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2026, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.