A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to men…
A local attacker who can execute privileged CSR operations (or can induce firmware to do so) performs carefully crafted reads/writes to menvcfg (e.g., csrrs in M-mode). On affected XiangShan versions (commit aecf601e803bfd2371667a3fb60bfcd83c333027, 2024-11-19), these menvcfg accesses can unexpectedly set WPRI (reserved) bits in the status view (xstatus) to 1. RISC-V defines WPRI fields as "writes preserve values, reads ignore values," i.e., they must not be modified by software manipulating other fields, and menvcfg itself contains multiple WPRI fields.
The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.
https://cwe.mitre.org/data/definitions/1244.html →Open in CWE collection →An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.
https://capec.mitre.org/data/definitions/114.html →Open in CAPEC collection →