{"@ID": "1254", "@Name": "Incorrect Comparison Logic Granularity", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "Description": "The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.", "Extended_Description": {"xhtml:p": "Comparison logic is used to compare a variety of objects including passwords, Message \n         Authentication Codes (MACs), and responses to verification challenges. When comparison logic is \n         implemented at a finer granularity (e.g., byte-by-byte comparison) and breaks in the case of a \n         comparison failure, an attacker can exploit this implementation to identify when exactly \n         the failure occurred. With multiple attempts, the attacker may be able to guesses the correct \n         password/response to challenge and elevate their privileges."}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "208", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "697", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Authorization"], "Impact": "Bypass Protection Mechanism"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": {"xhtml:p": "The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks."}}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2019-10482", "Description": "Smartphone OS uses comparison functions that are not in constant time, allowing side channels", "Link": "https://www.cve.org/CVERecord?id=CVE-2019-10482"}, {"Reference": "CVE-2019-10071", "Description": "Java-oriented framework compares HMAC signatures  using  String.equals() instead of a constant-time algorithm, causing timing discrepancies", "Link": "https://www.cve.org/CVERecord?id=CVE-2019-10071"}, {"Reference": "CVE-2014-0984", "Description": "Password-checking function in router terminates validation of a password entry when it encounters the first incorrect character, which allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, aka a timing side-channel attack.", "Link": "https://www.cve.org/CVERecord?id=CVE-2014-0984"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": {"@CAPEC_ID": "26"}}, "References": {"Reference": {"@External_Reference_ID": "REF-1079"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "CWE 4.16 removed a demonstrative example for a hardware module because it was inaccurate and unable to be adapted. The CWE team is developing an alternative."}}, "Content_History": {"Submission": {"Submission_Name": "Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi", "Submission_Organization": "Intel Corporation", "Submission_Date": "2020-02-12", "Submission_Version": "4.1", "Submission_ReleaseDate": "2020-02-24"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-11-19", "Modification_Version": "4.16", "Modification_ReleaseDate": "2024-11-19", "Modification_Comment": "updated Demonstrative_Examples, Maintenance_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Contribution": {"@Type": "Feedback", "Contribution_Name": "Anders Nordstrom", "Contribution_Organization": "Cycuity Inc.", "Contribution_Date": "2024-01-09", "Contribution_Comment": "reported problems with the Verilog demonstrative example, leading to its removal from this entry"}}}
