New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VRT Addition - Hardware and Physical Security #410
Conversation
new-update
@TimmyBugcrowd It seems
|
} | ||
}, | ||
{ | ||
"id": "weakness_in_firmware_updates", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TimmyBugcrowd taxonomy mentioned in the PR descriptio doesn't match with the JSON.
I can see that 'Command Injection' is added as a subcategory but under it there are no children, instead all expected children are added separately under "Insecure OS/Firmware" itself.
Is this expected ?
Here are the line items that I was able to observe
Insecure OS/Firmware - Command Injection - Weakness in Firmware Updates - Firmware cannot be updated - VARIES
Insecure OS/Firmware - Command Injection - Weakness in Firmware Updates - Firmware does not validate update integrity- P3
Insecure OS/Firmware - Command Injection - Weakness in Firmware Updates - Firmware is not encrypted- P5
Insecure OS/Firmware - Command Injection - Kiosk Escape or Breakout - VARIES
Insecure OS/Firmware - Command Injection - Poorly Configured Disk Encryption - VARIES
Insecure OS/Firmware - Command Injection - Shared Credentials on Storage - P3
Insecure OS/Firmware - Command Injection - Over-Permissioned Credentials on Storage - P2
Insecure OS/Firmware - Command Injection - Local Administrator on default environment - P2
Insecure OS/Firmware - Command Injection - Poorly Configured Operating System Security - VARIES
Insecure OS/Firmware - Command Injection - Recovery of Disk Contains Sensitive Material - VARIES
Insecure OS/Firmware - Command Injection - Failure to Remove Sensitive Artifacts from Disk - VARIES
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is expected. I just corrected the description above. Nice catch and thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving on behalf of confirming parties here
Adding:
Physical Security Issues - Bypass of physical access control - VARIES
Physical Security Issues - Weakness in physical access control - Clonable Key - VARIES
Physical Security Issues - Weakness in physical access control - Master Key Identification - VARIES
Physical Security Issues - Weakness in physical access control - Commonly Keyed System - P2
Insecure OS/Firmware - Weakness in Firmware Updates - Firmware cannot be updated - VARIES
Insecure OS/Firmware - Weakness in Firmware Updates - Firmware does not validate update integrity- P3
Insecure OS/Firmware - Weakness in Firmware Updates - Firmware is not encrypted- P5
Insecure OS/Firmware - Kiosk Escape or Breakout - VARIES
Insecure OS/Firmware - Poorly Configured Disk Encryption - VARIES
Insecure OS/Firmware - Shared Credentials on Storage - P3
Insecure OS/Firmware - Over-Permissioned Credentials on Storage - P2
Insecure OS/Firmware - Local Administrator on default environment - P2
Insecure OS/Firmware - Poorly Configured Operating System Security - VARIES
Insecure OS/Firmware - Recovery of Disk Contains Sensitive Material - VARIES
Insecure OS/Firmware - Failure to Remove Sensitive Artifacts from Disk - VARIES
Insecure OS/Firmware - Data not encrypted at rest - Sensitive - VARIES
Insecure OS/Firmware - Data not encrypted at rest - Non sensitive - P5