CWE-1191 Base Stable

On-Chip Debug and Test Interface With Improper Access Control

This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify…

Definition

What is CWE-1191?

This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify sensitive internal registers and bypass the chip's built-in security protections.
Chips often include a debug interface, such as JTAG, which creates a serial scan chain to access internal registers for testing and debugging. Since this interface can expose almost all data on the device, manufacturers must implement strong authentication and authorization. If these controls are missing or flawed, attackers can use the exposed interface to circumvent on-chip security measures and extract sensitive information. Sometimes, designers hide debug pins within the board layers to compensate for the lack of proper chip-level authorization. This is a physical security workaround, not a fix. If an attacker physically accesses these hidden pins, the chip's internals become completely exposed. Managing hardware-level vulnerabilities like this across a complex software supply chain is challenging; an ASPM platform like Plexicus can help correlate these underlying hardware risks with your application's security posture, providing a unified view for remediation.
Real-world impact

Real-world CVEs caused by CWE-1191

  • CVE-2019-18827

    chain: JTAG interface is not disabled (CWE-1191) during ROM code execution, introducing a race condition (CWE-362) to extract encryption keys

How attackers exploit it

Step-by-step attacker path

  1. 1

    A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.

  2. 2

    JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product.

  3. 3

    The following example code is a snippet from the JTAG wrapper module in the RISC-V debug module of the HACK@DAC'21 Openpiton SoC [REF-1355]. To make sure that the JTAG is accessed securely, the developers have included a primary authentication mechanism based on a password.

  4. 4

    The developers employed a Finite State Machine (FSM) to implement this authentication. When a user intends to read from or write to the JTAG module, they must input a password.

  5. 5

    In the subsequent state of the FSM module, the entered password undergoes Hash-based Message Authentication Code (HMAC) calculation using an internal HMAC submodule. Once the HMAC for the entered password is computed by the HMAC submodule, the FSM transitions to the next state, where it compares the computed HMAC with the expected HMAC for the password.

Vulnerable code example

Vulnerable Other

A home, WiFi-router device implements a login prompt which prevents an unauthorized user from issuing any commands on the device until appropriate credentials are provided. The credentials are protected on the device and are checked for strength against attack.

Vulnerable Other 
If the JTAG interface on this device is not hidden by the manufacturer, the interface may be identified using tools such as JTAGulator. If it is hidden but not disabled, it can be exposed by physically wiring to the board.


By issuing a "halt" command before the OS starts, the unauthorized user pauses the watchdog timer and prevents the router from restarting (once the watchdog timer would have expired). Having paused the router, an unauthorized user is able to execute code and inspect and modify data in the device, even extracting all of the router's firmware. This allows the user to examine the router and potentially exploit it.
Secure code example

Secure Other

JTAG is useful to chip and device manufacturers during design, testing, and production and is included in nearly every product. Without proper authentication and authorization, the interface may allow tampering with a product.

Secure Other 
In order to prevent exposing the debugging interface, manufacturers might try to obfuscate the JTAG interface or blow device internal fuses to disable the JTAG interface. Adding authentication and authorization to this interface makes use by unauthorized individuals much more difficult.
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-1191

  • Architecture and Design If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.
Detection signals

How to detect CWE-1191

Dynamic Analysis with Manual Results Interpretation

Authentication and authorization of debug and test interfaces should be part of the architecture and design review process. Withholding of private register documentation from the debug and test interface public specification ("Security by obscurity") should not be considered as sufficient security.

Dynamic Analysis with Manual Results Interpretation

Dynamic tests should be done in the pre-silicon and post-silicon stages to verify that the debug and test interfaces are not open by default.

Fuzzing Moderate

Tests that fuzz Debug and Test Interfaces should ensure that no access without appropriate authentication and authorization is possible.

Plexicus auto-fix

Plexicus auto-detects CWE-1191 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-1191?

This vulnerability occurs when a hardware chip's debug or test interface (like JTAG) lacks proper access controls. Without correct authorization checks, unauthorized users can read or modify sensitive internal registers and bypass the chip's built-in security protections.

How serious is CWE-1191?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-1191?

MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific.

How can I prevent CWE-1191?

If feasible, the manufacturer should disable the JTAG interface or implement authentication and authorization for the JTAG interface. If authentication logic is added, it should be resistant to timing attacks. Security-sensitive data stored in registers, such as keys, etc. should be cleared when entering debug mode.

How does Plexicus detect and fix CWE-1191?

Plexicus's SAST engine matches the data-flow signature for CWE-1191 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-1191?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/1191.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-1191

CWE-284 Parent

Improper Access Control

The software fails to properly limit who can access a resource, allowing unauthorized users or systems to interact with it.

CWE-1220 Sibling

Insufficient Granularity of Access Control

This vulnerability occurs when a system's access controls are too broad, allowing unauthorized users or processes to read or modify…

CWE-1224 Sibling

Improper Restriction of Write-Once Bit Fields

This vulnerability occurs when hardware write-once protection mechanisms, often called 'sticky bits,' are incorrectly implemented,…

CWE-1231 Sibling

Improper Prevention of Lock Bit Modification

This vulnerability occurs when hardware or firmware uses a lock bit to protect critical system registers or memory regions, but fails to…

CWE-1233 Sibling

Security-Sensitive Hardware Controls with Missing Lock Bit Protection

This vulnerability occurs when a hardware device uses a lock bit to protect critical configuration registers, but the lock fails to…

CWE-1252 Sibling

CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

This vulnerability occurs when a CPU's hardware is not set up to enforce a strict separation between writing data to memory and executing…

CWE-1257 Sibling

Improper Access Control Applied to Mirrored or Aliased Memory Regions

This vulnerability occurs when a hardware design maps the same physical memory to multiple addresses (aliasing or mirroring) but fails to…

CWE-1259 Sibling

Improper Restriction of Security Token Assignment

This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly secure its Security Token mechanism. These tokens control which…

CWE-1260 Sibling

Improper Handling of Overlap Between Protected Memory Ranges

This vulnerability occurs when a system incorrectly allows different memory protection ranges to overlap. This flaw can let attackers…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.