{
    "type": "bundle",
    "id": "bundle--01e0d666-fb45-4ebe-b206-e4c3af653811",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.048996Z",
            "modified": "2025-04-21T14:20:07.048996Z",
            "name": "The MITRE Corporation",
            "identity_class": "organization",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--3b108539-3924-4f24-94bd-aec5f03d3551",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.070599Z",
            "modified": "2025-04-21T14:20:07.070599Z",
            "name": "Power Consumption Analysis Side Channel",
            "description": "Devices will oftentimes consume variable amounts of power depending on the operations the device is performing. Power consumption analysis involves the reading and analyzing of power usage of a device.\n\nIf a device is vulnerable to a power consumption analysis attack, it may be possible to extract or deduce information about the operating state of the device. This can include extracting secrets/keys, discovering operations conducted on sections of memory, and device control flow. A threat actor can therefore physically monitor the power consumption of a device during an execution of a cryptographic operation to create a trace of its power usage over time. By leveraging the understanding of the operations of common cryptographic properties, the power usage traces can be used to infer various information, such as the cryptographic keys.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1300: Improper Protection of Physical Side Channels (Base)](https://cwe.mitre.org/data/definitions/1300.html)  \n  \"The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.\"\n\n- [CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks (Variant)](https://cwe.mitre.org/data/definitions/1255.html)  \n  \"A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Differential power analysis (DPA) and correlation power analysis (CPA) on Arduino Uno](https://www.tandfonline.com/doi/full/10.1080/23742917.2016.1231523)  \n  Researchers \"demonstrate that both DPA and CPA techniques are viable in deducing the full 16-byte key of AES-128 by monitoring the power consumption of an Arduino Uno which implements the AddRoundKey and SubBytes steps in round 1 of AES.\"",
            "x_mitre_emb3d_threat_id": "TID-101",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--dd1c369e-1979-479e-9006-be3e0b1a2557",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.07089Z",
            "modified": "2025-04-21T14:20:07.07089Z",
            "name": "Electromagnetic Analysis Side Channel",
            "description": "Devices will oftentimes emit different electromagnetic signals during different operations. Electromagnetic analysis involves the collection and analysis of these signals.\n\nIf devices are vulnerable to electromagnetic analysis attacks, it may be possible for attackers with physical device presence to extract secrets, such as encryption keys, by analyzing the electromagnetic radiation that is emitted by the device. By analyzing these frequencies and comparing them against one another, it may be possible to derive information about device data or operations.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1300: Improper Protection of Physical Side Channels (Base)](https://cwe.mitre.org/data/definitions/1300.html)  \n  \"The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Differential Electromagnetic Analysis (DEMA) on FPGA](https://eprint.iacr.org/2004/145.pdf)  \n  Researchers demonstrated \"that DEMA can be performed against hardware implementation of AES using an FPGA.\"",
            "x_mitre_emb3d_threat_id": "TID-102",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--66d49313-3f95-416c-a171-438ec0479c89",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.071149Z",
            "modified": "2025-04-21T14:20:07.071149Z",
            "name": "Microarchitectural Side Channels",
            "description": "Operating system memory safety models rely on processor hardware to enforce separation between different virtual memory spaces. Failures of processor architectures to properly deliver these security guarantees can lead to sensitive information being disclosed across the boundaries between different kernel and process memory spaces. The performance optimization features in modern processors have been shown to be a source of such data leakage vulnerabilities.\n\nData leakage through timing-based side channels introduced by the behavior of processor features such as memory caches has long been known to be effective against cryptographic implementations. The Spectre and Meltdown vulnerabilities announced in 2018 brought attention to weaknesses in certain microarchitectural performance features that could be manipulated in conjunction with memory cache timing techniques to leak data across OS virtual memory bounds. Spectre / Meltdown, and subsequent research work, demonstrated that speculative execution features (e.g., branch prediction, speculative memory loads/stores, out-of-order execution, etc.) could lead to memory locations being read into the CPU\u2019s cache in violation of virtual memory permissions. Malicious code could then utilize a subsequent cache timing side channel attack to extract the data stored in those memory locations.\n\nSince the initial Spectre and Meltdown disclosure, researchers have explored timing-based side channels resulting from other CPU performance and power saving features, such as the Hertzbleed work that targets dynamic frequency scaling.\n\n<u>Consideration</u>: This class of attack requires a threat actor to have the ability to execute arbitrary code on the target device to both create the conditions for the data leakage and subsequently extract data. However, it has been shown that access to even scripting and sandboxed environments (e.g., a JavaScript engine) can be sufficient.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2017-5754 (Meltdown)](https://www.cve.org/CVERecord?id=CVE-2017-5754)  \n  \"Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.\"\n\n- [CVE-2017-5753 (Spectre)](https://www.cve.org/CVERecord?id=CVE-2017-5753)  \n  \"Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.\"\n\n- [CVE-2018-3640](https://www.cve.org/CVERecord?id=CVE-2018-3640) (Spectre variant 3a)  \n  \u201cSystems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a.\u201d\n\n- [CVE-2018-3639](https://www.cve.org/CVERecord?id=CVE-2018-3639) (Spectre variant 4)  \n  \u201cSystems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.\u201d\n\n- [CVE-2018-3693](https://www.cve.org/CVERecord?id=CVE-2018-3693)  \n  \u201cSystems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.\u201d\n\n- [CVE-2018-3615](https://www.cve.org/CVERecord?id=CVE-2018-3615) (Spectre variant 5)  \n  \u201cSystems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.\u201d\n\n- [CVE-2022-23823](https://www.cve.org/CVERecord?id=CVE-2022-23823), [CVE-2022-24436](https://www.cve.org/CVERecord?id=CVE-2022-24436), [CVE-2022-35888](https://www.cve.org/CVERecord?id=CVE-2022-35888) (Hertzbleed)  \n  \u201cA potential vulnerability in some AMD processors using frequency scaling may allow an authenticated attacker to execute a timing attack to potentially enable information disclosure.\u201d  \n  \u201cObservable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.\u201d  \n  \u201cAmpere Altra and Ampere Altra Max devices through 2022-07-15 allow attacks via Hertzbleed, which is a power side-channel attack that extracts secret information from the CPU by correlating the power consumption with data being processed on the system.\u201d",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1037: Processor Optimization Removal or Modification of Security-critical Code](https://cwe.mitre.org/data/definitions/1037.html)  \n  \u201cThe developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.\u201d\n\n- [CWE-1264: Hardware Logic with Insecure De-Synchronization between Control and Data Channels](https://cwe.mitre.org/data/definitions/1264.html)  \n  \u201cThe hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.\u201d",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [Spectre](https://spectreattack.com/spectre.pdf) and [Meltdown](https://meltdownattack.com/meltdown.pdf) Cache Timing  \n  Cache Timing was used to create micro-architecture side-channels in devices to read whether data was in the cache or not for the Spectre/Meltdown-based attacks. Through this side-channel data leak, it would be possible to dump entire sections of program memory in the case of Spectre/Meltdown, and kernel memory in the case of Meltdown. [Both Spectre and, to a lesser extent, Meltdown have been observed in the wild](https://www.techtarget.com/searchsecurity/news/252434342/Meltdown-and-Spectre-malware-discovered-in-the-wild) by antivirus vendors.\n\n### Proof of Concept\n\n- [Hertzbleed](https://www.hertzbleed.com/)  \n  Researchers showed that dynamic frequency scaling features found in many modern processors can be susceptible to input-dependent differences in execution time.",
            "x_mitre_emb3d_threat_id": "TID-103",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--183bbc5d-1096-4f2c-a3b8-7675b0e46704",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.071407Z",
            "modified": "2025-04-21T14:20:07.071407Z",
            "name": "Hardware Fault Injection \u2013 Control Flow Modification",
            "description": "A threat actor with physical access to a device may be able to manipulate the processor's intended code execution by subjecting it to hardware faults or \"glitching\". Hardware faults can be induced by various methods, including voltage fault injection (power glitching), electromagnetic pulses (EM glitching), and optical fault injection. Glitching can be used to bypass various security protections on a device, such as skipping a firmware integrity check during a secure boot process or protections against firmware or data read-out from the device. This threat requires physical access to the device to perform the glitching, and also typically requires substantial iterative testing to identify the precise nature, magnitude, and timing of signals that need to be injected to cause the glitch condition.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1247: Improper Protection Against Voltage and Clock Glitches (Base)](https://cwe.mitre.org/data/definitions/1247.html)  \n  \"The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.\"\n\n- [CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI) (Base)](https://cwe.mitre.org/data/definitions/1319.html)  \n  \"The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [Glitching the Switch](https://media.ccc.de/v/c4.openchaos.2018.06.glitching-the-switch)  \n  In pursuit of extracting the 1st stage boot ROM code from the Nvidia Tegra X1 SoC, the researchers implemented a power glitching attack against the processor to prevent the bootloader from enabling the SoC's readout protection for that code segment. The glitch interrupts the boot ROM code from writing to a security configuration register, leaving the processor in a state that allows exporting the code responsible for establishing the processor's root of trust for secure boot. Analysis of the bootloader code yielded an exploitable buffer overflow in a USB protocol implementation (see TID-327) used to inject code that bypasses secure boot and allows executing unauthorized firmware. The presence of this flaw in the unmodifiable initial boot ROM prevents patching this vulnerability in already deployed devices (see TID-220).\n\n### Proof of Concept\n\n- [Electromagnetic Fault Injection: Towards a Fault Model on a 32-bit Microcontroller](https://ieeexplore.ieee.org/abstract/document/6623558)  \n  \"These experiments confirm the fact that an attacker could change an instruction into another one and change the value of a piece of data loaded from the Flash memory. But they also provide a more accurate fault model, in which some instructions or registers seem to be more vulnerable than others\"\n\n- [Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M](https://www.usenix.org/system/files/usenixsecurity23-sass.pdf)  \n  \"In this paper, we present \u03bc-Glitch, the first Voltage Fault Injection (VFI) platform which is capable of injecting multiple, coordinated voltage faults into a target device, requiring only a single trigger signal...We evaluate and showcase the effectiveness and practicality of our attack platform on four real-world chips, featuring TrustZone-M\"",
            "x_mitre_emb3d_threat_id": "TID-105",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--74aea73e-457e-454c-ace6-a6cbe3f4d6e7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.071646Z",
            "modified": "2025-04-21T14:20:07.071646Z",
            "name": "Data Bus Interception",
            "description": "A threat actor could intercept data across a data bus used to connect a processor to either volatile memory or non-volatile storage (e.g. ROM, NVRAM, disk). Depending on the scope of the interception, it may be possible to read and/or perform an adversary-in-the-middle (AITM) attack to write information going over the bus, especially if it lacks adequate encryption and authentication. For example, if a device has discrete RAM external from the processor, it may be possible to tap the address and data lines to observe and capture memory contents as they are loaded and stored for processing. Similar attacks can also be performed in software. Captured data may leak sensitive information (e.g., keys, cleartext firmware code) that can aid in reverse engineering or executing other stages of an attack. Interception and modification may enable an adversary to alter a device's behavior, achieve persistence, evade detection, or accomplish other objectives.\n\nNOTE: This is different from TID-114 in that this threat refers to data moving between the processor and storage devices, whereas TID-114 refers to the data moving between the main board or processing chip to a peripheral device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-311: Missing Encryption of Sensitive Data (Class)](https://cwe.mitre.org/data/definitions/311.html)  \n  \"The product does not encrypt sensitive or critical information before storage or transmission.\"\n\n- [CWE-319: Cleartext Transmission of Sensitive Information (Base)](https://cwe.mitre.org/data/definitions/319.html)  \n  \"The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [An Off-Chip Attack on Hardware Enclaves via the Memory Bus](https://www.usenix.org/system/files/sec20summer_lee-dayeol_prepub.pdf)  \n  \"This paper shows how an attacker can break the confidentiality of a hardware enclave with MEMBUSTER, an off-chip attack based on snooping the memory bus. An attacker with physical access can observe an unencrypted address bus and extract fine-grained memory access patterns of the victim\"",
            "x_mitre_emb3d_threat_id": "TID-106",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--780462ac-898a-4479-819a-9fba9dde8393",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.07188Z",
            "modified": "2025-04-21T14:20:07.07188Z",
            "name": "Unauthorized Direct Memory Access (DMA)",
            "description": "If separate discrete chips/peripherals have access to the same physical memory, a threat actor with access to one peripheral could perform a Direct Memory Access (DMA) attack to maliciously read/write memory from a connected chip or peripheral. This threat is especially relevant if there are insufficient hardware or software restrictions on what memory can be accessed/manipulated. A DMA attack can be used to extract cryptographic keys or other sensitive data, and also to manipulate the operation of the chip.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges (Base)](https://cwe.mitre.org/data/definitions/1260.html)  \n  \"The product allows address regions to overlap, which can result in the bypassing of intended memory protection.\"\n\n- [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html)  \n  \"The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.\"\n\n- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)  \n  \"The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [High-Speed DMA Attacks Bypass Built-in Hardware Protections on Enterprise Devices](https://eclypsium.com/blog/direct-memory-access-attacks-a-walk-down-memory-lane/)  \n  \"Eclypsium\u2019s latest research shows that enterprise laptops, servers, and cloud environments continue to be vulnerable to powerful Direct Memory Access (DMA) attacks, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security.\"\n\n- [Exploiting an I/OMMU vulnerability](https://ieeexplore.ieee.org/document/5665798)  \n  In the 2010 5th International Conference on Malicious and Unwanted Software, researchers demonstrated how vulnerabilities on Intel's VT-d could be exploited via a DMA attack.\n\n- [Thunderspy](https://www.securityweek.com/thunderspy-more-thunderbolt-flaws-expose-millions-computers-attacks/)  \n  \"The attack involved opening the device\u2019s back cover, connecting a hacking device called a Bus Pirate to the SPI flash interface associated with the Thunderbolt controller firmware, connecting the Bus Pirate to the attacker\u2019s laptop, copying the Thunderbolt firmware using a tool called Flashrom, modifying the Thunderbolt firmware to disable all Thunderbolt security, and writing it back to the targeted device. The attacker then connects a Thunderbolt-based direct memory access (DMA) attack device running PCILeech to the targeted PC, and uses it to load a kernel module that allows them to bypass the Windows login screen.\"",
            "x_mitre_emb3d_threat_id": "TID-107",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--79090b18-13bd-4900-bcad-a3ca29c6f4f6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.072106Z",
            "modified": "2025-04-21T14:20:07.072106Z",
            "name": "ROM/NVRAM Data Extraction or Modification",
            "description": "Contents of non-volatile memory chips or non-fixed storage (e.g., SD cards, Compact Flash, hard disks, USB sticks) can be directly read out for examination or modification by a chip reader. In some cases this may be possible without removing the chip from the circuit board, but most often this will involve physically desoldering the chip and non-destructively removing it from the device. By reading information from ROM or NVRAM, a threat actor would be able to extract any secrets stored on it.\n\nIf the extracted storage contents contain unencrypted firmware (even partial), this can ease reverse engineering by an adversary to identify other potential vulnerabilities or security-relevant data (e.g., passwords, cryptographic keys).\n\nThreat actors may also be able to load malicious changes to the ROM/NVRAM, potentially giving them increased and unauthorized access to the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-311: Missing Encryption of Sensitive Data](https://cwe.mitre.org/data/definitions/311.html)  \n  \"The product does not encrypt sensitive or critical information before storage or transmission.\"\n\n- [CWE-312: Cleartext Storage of Sensitive Information](https://cwe.mitre.org/data/definitions/312.html)  \n  \"The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.\"\n\n- [CWE-1282: Assumed-Immutable Data is Stored in Writable Memory](https://cwe.mitre.org/data/definitions/1282.html)  \n  \"Immutable data, such as a first-stage bootloader, device identifiers, and \"write-once\" configuration settings are stored in writable memory that can be re-programmed or updated in the field.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Uprooting Trust: Learnings from an Unpatchable Hardware Root-of-Trust Vulnerability in Siemens S7-1500 PLCs](https://ieeexplore.ieee.org/document/10133438)  \n  \"This Siemens S7-1500 uses two non-volatile NAND flash memories as primary storage for the main SoC. We identified these two non-volatile NAND flash memory chips as W29N01HV (1G-bit) NAND Flash memory \\[35\\]. We desoldered the two NAND chips from the device\u2019s PCB and used the Xgecu Minipro TL866II \\[36\\] NAND programmer to extract the content of them.\"",
            "x_mitre_emb3d_threat_id": "TID-108",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--26ed7806-6ca2-4983-8ae3-0586fbfb6c62",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.072338Z",
            "modified": "2025-04-21T14:20:07.072338Z",
            "name": "RAM Chip Contents Readout",
            "description": "If a threat actor can physically access a RAM chip, they may be able to read out the contents of the chip. Multiple techniques can be used to extract the contents of RAM, including both runtime and physical access. For example, the threat actor can use a cold-boot attack, physically cooling the RAM to minimize the decay of the electrical charge and then physically copying the contents of that RAM.\n\nThrough these methods, critical data, including firmware or secrets (such as passwords and cryptographic keys), may therefore be vulnerable to extraction. Extraction of this information could then lead to reverse engineering to identify vulnerabilities, abusing secrets to gain unauthorized access, or subverting at-rest encryption schemes.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-311: Missing Encryption of Sensitive Data](https://cwe.mitre.org/data/definitions/311.html)  \n  \"The product does not encrypt sensitive or critical information before storage or transmission.\"\n\n- [CWE-1384: Improper Handling of Physical or Environmental Conditions](https://cwe.mitre.org/data/definitions/1384.html)  \n  \"Hardware products are typically only guaranteed to behave correctly within certain physical limits or environmental conditions. Such products cannot necessarily control the physical or external conditions to which they are subjected. However, the inability to handle such conditions can undermine a product's security. For example, an unexpected physical or environmental condition may cause the flipping of a bit that is used for an authentication decision. This unexpected condition could occur naturally or be induced artificially by an adversary.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Cold Boot Attacks](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp&arnumber6657268)  \n  \"We provide an independent study based on 12 computer systems with different hardware configurations that verifies the empirical practicability of cold boot attacks against DDR1 and DDR2\"\n\n- [Cryo-Mechanical RAM Content Extraction Against Modern Embedded Systems](https://wootconference.org/papers/woot23-paper3.pdf)",
            "x_mitre_emb3d_threat_id": "TID-109",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--0816e8cd-840c-41d3-8b0b-fe20b2e68db1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.072592Z",
            "modified": "2025-04-21T14:20:07.072592Z",
            "name": "Hardware Fault Injection \u2013 Data Manipulation",
            "description": "Certain software-executed attacks can introduce a fault to the physical hardware of the device, leading to greater access or exploit opportunities. Typically, these kinds of attacks involve performing a software action that would necessitate a predictable and controllable reaction in hardware. If this hardware action contains properties that allow for some kind of fault to occur, then the threat actor can inject the fault through software and try to leverage it into an exploit.\n\nFor example, the Rowhammer exploit demonstrates how repeated dynamic random access memory (DRAM) accesses can lead to a privilege escalation exploit. This exploit is possible through the combination of DRAM cells being placed very close together and attackers repeatedly accessing the same physical cells on the DRAM from software. This repeated access causes a leakage of electric charge within the memory, leading to a manipulation of the charge of nearby memory locations. This induced charge manipulation results in a manipulation of the contents of memory itself. By manipulating the contents of memory, the threat actor may be able to escalate privileges on a device or otherwise bypass security controls.\n\nAnother example of this is the Plundervolt exploit. In this attack, researchers demonstrated that users could use software to control the supply voltage of a secure enclave during computation, up to the point of introducing a fault in the processor itself. They were able to leverage this fault into a set of exploits where they could corrupt cryptographic signatures through voltage variability, extract cryptographic keys using differential fault analysis, or introduce memory safety vulnerabilities in otherwise bug-free code.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2021-42144](https://www.cve.org/CVERecord?id=CVE-2021-42114)  \n  \u201cModern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks.\u201d",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1256: Improper Restriction of Software Interfaces to Hardware Interfaces](https://cwe.mitre.org/data/definitions/1256.html)  \n  \"The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [RowHammer](https://ieeexplore.ieee.org/document/6853210)  \n  In 2014 and thereafter, researchers demonstrated the ability to corrupt data in nearby DDR3 and [DDR4](https://arstechnica.com/gadgets/2021/11/ddr4-memory-is-even-more-susceptible-to-rowhammer-attacks-than-anyone-thought/) DRAM rows by repeatedly accessing data from the same row. It is possible to turn this phenomenon into [exploits](https://arxiv.org/pdf/1904.09724.pdf) through various means.\n\n- [Plundervolt](https://plundervolt.com/doc/plundervolt.pdf)<u>  \n  </u>In 2020, researchers demonstrated the ability to introduce and exploit faults in Intel\u2019s SGX secure enclave through voltage manipulation. By carefully introducing these faults and measuring the output, researchers showed that they could corrupt integrity checks using cryptographic signatures, extract cryptographic encryption keys through differential fault analysis, and introduce exploitable memory safety issues in bug-free code. The exploit requires a high degree of software access to perform; however, it does not require any physical access to the machine.\n\n- [CLKSCREW](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-tang.pdf)  \n  In 2017, researchers demonstrated that it was possible to manipulate the voltage and frequency of processor cores using native tools, such as Dynamic Voltage and Frequency Scaling management interfaces, to introduce hardware faults. They then could leverage these faults corrupt bits that would allow them to exploit the machine. For example, the researchers demonstrated that by flipping bits at the right time they could corrupt some data during the decryption of a signature so that malicious code would pass a future signed hash check.",
            "x_mitre_emb3d_threat_id": "TID-110",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--a544b3fd-4edc-4fee-809f-2660d7628cdd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.072824Z",
            "modified": "2025-04-21T14:20:07.072824Z",
            "name": "Untrusted External Storage",
            "description": "An untrusted storage peripheral (e.g., USB) could be connected to the device. If malicious code is executed from the untrusted storage, or transferred to the device, it could provide a way for a threat actor to get unauthorized code to execute on the device. Further, any files transferred from the untrusted storage could potentially be used to modify critical device configurations or settings files.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface (Base)](https://cwe.mitre.org/data/definitions/1299.html)  \n  \"The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [BadUSB](https://www.wired.com/2014/07/usb-security/)  \n  \"The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user\u2019s internet traffic. ...Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device\u2019s memory would appear to the average user to be deleted.\"",
            "x_mitre_emb3d_threat_id": "TID-111",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--3a61ad59-4b69-4d43-b73d-582af56b5d76",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.073086Z",
            "modified": "2025-04-21T14:20:07.073086Z",
            "name": "Unverified Peripheral Firmware Loaded",
            "description": "A threat actor could manipulate the firmware associated with a device\u2019s peripheral or other subcomponent. The threat actor may be able to manipulate actions on the device by sending it commands that were not the original intention of the user or by manipulating a bitstream before it is loaded. There are multiple possible cases where this could occur, including:\n\n- Case 1: Peripheral firmware is stored in a dedicated ROM/NVRAM chip. An adversary with physical access to the device might alter the contents of the peripheral firmware storage to alter peripheral behavior.\n\n- Case 2: Peripheral firmware stored as a file in the parent processor's context. An adversary able to execute code in the parent processor context could replace or alter the firmware image before it is loaded into the peripheral during bootup or other initialization process.\n\n- Case 3: The parent processor's context has privileged access to peripherals and malicious code running there could alter peripheral firmware dynamically (e.g., through shared memory).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface (Base)](https://cwe.mitre.org/data/definitions/1299.html)  \n  \"The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.\"\n\n- [CWE-1316: Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges (Base)](https://cwe.mitre.org/data/definitions/1316.html)  \n  \"The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [EQUATION GROUP: QUESTIONS AND ANSWERS](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf)  \n  \"Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group\u2019s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware... The plugin supports two main functions: reprogramming the HDD firmware with a custom payload from the EQUATION group, and providing an API into a set of hidden sectors (or data storage) of the hard drive.\u201d\n\n### Proof of Concept\n\n- [PERILOUS PERIPHERALS: THE HIDDEN DANGERS INSIDE WINDOWS & LINUX COMPUTERS](https://eclypsium.com/research/perilous-peripherals-the-hidden-dangers-inside-windows-linux-computers/)  \n  \"In new research, Eclypsium found unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers. We then demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers.\"",
            "x_mitre_emb3d_threat_id": "TID-113",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--e23294f5-0a97-4a7d-aab9-f448f713867a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.073352Z",
            "modified": "2025-04-21T14:20:07.073352Z",
            "name": "Peripheral Data Bus Interception",
            "description": "Messages and data passing between discrete sub-components and peripherals may be intercepted and/or modified from through the peripheral bus (e.g., SPI, I2C, ISA, PCI, USB). Captured data may leak sensitive information (e.g., keys, cleartext firmware code) that can aid in reverse engineering and extracting data needed for other stages of an attack. Additionally, threat actors may be able to alter sensitive information in transit to cause malicious effects through data manipulation or interaction in transit over the bus.\n\nNOTE: This is different from TID-106 in that this threat refers to the data moving between the main board or processing chip to a peripheral device, whereas TID-106 refers to data moving between the processor and storage devices.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-311: Missing Encryption of Sensitive Data](https://cwe.mitre.org/data/definitions/311.html)  \n  \"The product does not encrypt sensitive or critical information before storage or transmission.\"\n\n- [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)  \n  \"The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Toward a hardware man-in-the-middle attack on PCIe bus](https://www.sciencedirect.com/science/article/pii/S0141933120303653)  \n  \"In this paper, we present a new attack vector on PCIe based on a hardware Man-in-the-Middle. This system allows real-time data analysis, data-replay, and a copy technique inspired by the shadow-copy principle. Through this one, it is possible to locate, duplicate, and replay sensitive data.\"\n\n- [Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features](https://redballoonsecurity.com/siemens-discovery/)  \n  \"An attacker with physical access to the device can either attach to the I2C communication bus or extract the physical ATECC chip from the PLC\u2019s PCB to falsely authenticate and use it as an oracle to generate firmware decryption material. \"",
            "x_mitre_emb3d_threat_id": "TID-114",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9b8652e5-3547-43ee-bb74-ca998b2d747c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.073605Z",
            "modified": "2025-04-21T14:20:07.073605Z",
            "name": "Firmware/Data Extraction via Hardware Interface",
            "description": "Unprotected programming or debugging interfaces may be used to extract device firmware, exposing it to reverse engineering that may reveal proprietary information, other exploitable vulnerabilities, or security-sensitive data stored in the firmware (such as keys and passwords). Examples include the Joint Test Action Group (JTAG) interface.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface](https://cwe.mitre.org/data/definitions/1299.html)  \n  \"The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.\"\n\n- [CWE-1191: On-Chip Debug and Test Interface With Improper Access Control](https://cwe.mitre.org/data/definitions/1191.html)  \n  \"The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Extracting firmware from devices using JTAG](https://sergioprado.blog/2020-02-20-extracting-firmware-from-devices-using-jtag/)  \n  Researcher Sergio Prado demonstrates in this article how to use the JTAG interface to extract firmware from a device.",
            "x_mitre_emb3d_threat_id": "TID-115",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--b8e18644-b25e-4294-ae02-44bf44cfeaab",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.073872Z",
            "modified": "2025-04-21T14:20:07.073872Z",
            "name": "Latent Privileged Access Port",
            "description": "If a device has a latent user access port, it may be possible for attackers to leverage physical access to obtain privileges that were not accounted for when considering software or remote access controls.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2022-29402](https://www.cve.org/CVERecord?id=CVE-2022-29402)  \n  \"TP-Link TL-WR840N EU v6.20 was discovered to contain insecure protections for its UART console. This vulnerability allows attackers to connect to the UART port via a serial connection and execute commands as the root user without authentication.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface](https://cwe.mitre.org/data/definitions/1299.html)  \n  \"The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.\"\n\n- [CWE-1191: On-Chip Debug and Test Interface With Improper Access Control](https://cwe.mitre.org/data/definitions/1191.html)  \n  \"The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [How to Hack Hardware using UART - Black Hills](https://www.blackhillsinfosec.com/how-to-hack-hardware-using-uart/)  \n  Researchers from Black Hills demonstrate how to gain root access to a device through shell access granted and transmitted over UART.\n\n- [IoT Devices - The Not-So-Hidden Risk of UART Interface](https://blog.securityinnovation.com/iot_uart)  \n  Satish S demonstrates how to gain root access to a device over a UART interface.",
            "x_mitre_emb3d_threat_id": "TID-116",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--a350ee85-3253-41d4-82aa-f014100805ec",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.07413Z",
            "modified": "2025-04-21T14:20:07.07413Z",
            "name": "Weak Peripheral Port Electrical Damage Protection",
            "description": "If a threat actor has physical access to a device, they may be able to cause physical damage to the circuit board of a device, in some cases even destroying the device. A malicious actor may short circuit or introduce out-of-spec voltages and currents to pins on external connectors. This can lead to effects as mild as interrupting device functionality, by causing crashes or reboots, or as significant as corrupting data, corrupting firmware, or permanent hardware damage. Depending on how robust the hardware design is, physical damage may be limited to a single affected peripheral port or as extensive as destroying the entire device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1384: Improper Handling of Physical or Environmental Conditions](https://cwe.mitre.org/data/definitions/1384.html)  \n  \"The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [USBKILL](https://usbkill.com/)  \n  \"The USBKill is a device that stress tests hardware. When plugged in power is taken from a USB-Port, multiplied, and discharged into the data-lines, typically disabling an unprotected device.\"",
            "x_mitre_emb3d_threat_id": "TID-118",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--45d8f340-f19f-4af0-852c-a0eec57f82f5",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.074352Z",
            "modified": "2025-04-21T14:20:07.074352Z",
            "name": "Latent Hardware Debug Port Allows Memory/Code Manipulation",
            "description": "Hardware debugging ports (e.g., JTAG, SWD, etc.) oftentimes have high privileges or direct access to the running device's memory and integrated hardware. By leveraging one of these hardware debugging ports, an adversary may be able to read memory values from the device, change the value of a section of memory during runtime, or control the execution of code on the processor. This can give threat actors increased privileges on the device or bypass other security protections.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1191: On-Chip Debug and Test Interface With Improper Access Control](https://cwe.mitre.org/data/definitions/1191.html)  \n  \"The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.\"",
            "x_mitre_emb3d_threat_category": "hardware",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- hw-101-jtag (Parts \\[[1](https://riverloopsecurity.com/blog/2021/05/hw-101-jtag/)\\], \\[[2](https://riverloopsecurity.com/blog/2021/05/hw-101-jtag-part2/)\\] and \\[[3](https://riverloopsecurity.com/blog/2021/07/hw-101-jtag-part3/)\\])  \n  Researchers at River Loop Security demonstrate here how to manipulate and read memory from a JTAG port.",
            "x_mitre_emb3d_threat_id": "TID-119",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--03c1db93-d257-45c7-a37d-1342f1247fc3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.074583Z",
            "modified": "2025-04-21T14:20:07.074583Z",
            "name": "Inadequate Bootloader Protection and Verification",
            "description": "Some devices utilize bootloaders that are either stored in writable memory or memory that can be made writable. It may then be possible for a threat actor to alter the contents of the device's designated boot code storage locations to inject malicious code or modify the bootloader's operation. This could allow the installation of a \"bootkit\", which is loaded before the operating system and can undermine any security protections within the bootloader or operating system. Typically, this is done through a vulnerability or lack of write protections in the bootloader loader/runtime environment.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-693: Protection Mechanisms Failure (Pillar)](http://cwe.mitre.org/data/definitions/693.html)  \n  \"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\"\n\n- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)  \n  \"The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Pre-OS Boot: Bootkit (T1542.003)](https://attack.mitre.org/techniques/T1542/003/)  \n  \"Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\"\n\n- [Detecting UEFI Bootkits in the Wild (Part 1)](https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html)  \n  \"As UEFI boot systems are going mainstream, the bootkits are also shifting to an implementation of infecting firmware in a flash chip on the motherboard instead of the MBR/VBR on the hard drive. The first PoC of UEFI bootkits was presented in 2013 and the threats have been observed in the wild since 2018.\"\n\n- [LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group](https://www.eset.com/fileadmin/ESET/US/resources/datasheets/ESETus-datasheet-lojax.pdf)  \n  \"Sednit also known as APT28, Sofacy, Strontium and Fancy Bear \u2013 has been operating since at least 2004, and has made headlines frequently in the past years: it is believed to be behind major, high profile attacks. ... this white paper details the first time this group is known to have used a UEFI rootkit.\"\n\n- [MosaicRegressor: Lurking in the Shadows of UEFI](https://securelist.com/mosaicregressor/98849/)  \n  \"During an investigation, we came across several suspicious UEFI firmware images. A deeper inspection revealed that they contained four components that had an unusual proximity in their assigned GUID values, those were two DXE drivers and two UEFI applications. 
After further analysis we were able to determine that they were based on the leaked source code of HackingTeam\u2019s VectorEDK bootkit, with minor customizations.\"\n\n- [TRICKBOT NOW OFFERS \u2018TRICKBOOT\u2019: PERSIST, BRICK, PROFIT](https://eclypsium.com/wp-content/uploads/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf)  \n  \"This new functionality, which we have dubbed \u201cTrickBoot,\u201d makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. \"",
            "x_mitre_emb3d_threat_id": "TID-201",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.074816Z",
            "modified": "2025-04-21T14:20:07.074816Z",
            "name": "Exploitable System Network Stack Component",
            "description": "Devices may have vulnerabilities within software used to parse various network protocols. If the device does not properly parse a protocol, a threat actor can send improperly formatted messages to the device, which may result in memory corruptions. Vulnerabilities resulting from protocol manipulation can then be used to perform remote code execution or to perform a denial-of-service attack on the device. There are a number of known complexities with network protocol parsing, including unclear protocol specifications or parsing expectation.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [ICSA-13-291-01B](https://www.cisa.gov/news-events/ics-advisories/icsa-13-291-01b)  \n  \"An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. The system must be restarted manually to clear the condition.\"\n\n- [CVE-2013-2811](https://www.cve.org/CVERecord?id=CVE-2013-2811): [GE Proficy HMI/SCADA DNP3 Driver Input Validation](https://www.cisa.gov/news-events/ics-advisories/icsa-14-287-01)  \n  \"The DNP master station server (DNPDrv.exe) that processes incoming messages via Serial, IP, or Modem does not validate all inputs and can be exploited to generate an unhandled exception or denial of service.\"\n\n- [CVE-2019-6529](https://www.cve.org/CVERecord?id=CVE-2019-6529): [Kunbus PR100088 Modbus Gateway](https://www.cisa.gov/news-events/ics-advisories/icsa-19-036-05)  \n  \"An attacker could specially craft an FTP request that could crash the device.\"\n\n- [CVE-2013-0662](https://www.cve.org/CVERecord?id=CVE-2013-0662): [Schneider Electric Serial Modbus Driver Buffer Overflow](https://www.cisa.gov/news-events/ics-advisories/icsa-14-086-01)  \n  \"The Modbus Serial Driver creates a listener on Port 27700/TCP. When a connection is made, the Modbus Application Header is first read into a buffer. If a large buffer size is specified in this header, a stack-based buffer overflow results. A second overflow problem can then be exploited by overwriting the return address, allowing the attacker to execute arbitrary code with the permission of the user running the software.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-20: Improper Input Validation (Class)](https://cwe.mitre.org/data/definitions/20.html)  \n  \"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.\"\n\n- [CWE-121: Stack-based Buffer Overflow (Simple)](https://cwe.mitre.org/data/definitions/121.html)  \n  \"A stack-based buffer overflow condition is a condition on where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom\u2019s Wi-Fi Chipsets](https://blog.exodusintel.com/2017/07/26/broadpwn/)  \n  \"Broadpwn is a fully remote attack against Broadcom\u2019s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit.\"\n\n- [Ripple20](https://web.archive.org/web/20250114042309/https:/www.jsof-tech.com/disclosures/ripple20/)  \n  \"Ripple20 vulnerabilities are unique both in their widespread effect and impact due to supply chain effect and being vulnerabilities allowing attackers to bypass NAT and firewalls and take control of devices undetected, with no user interaction required. This is due to the vulnerabilities being in a low-level TCP/IP stack, and the fact that for many of the vulnerabilities, the packets sent are very similar to valid packets, or, in some cases are completely valid packets. This enables the attack to pass as legitimate traffic.\"\n\n- [Urgent/11](https://www.armis.com/research/urgent-11/)  \n  \"The Armis research team, Armis Labs, has discovered 11 zero-day vulnerabilities in VxWorks\u00ae, the most widely used operating system you may have never heard about. VxWorks is used by over 2 billion devices including critical industrial, medical and enterprise devices. Dubbed \u201cURGENT/11,\u201d the vulnerabilities reside in VxWorks\u2019 TCP/IP stack (IPnet), impacting all versions since version 6.5, and are a rare example of vulnerabilities found to affect the operating system over the last 13 years. 
Armis has worked closely with Wind River\u00ae, the maintainer of VxWorks, and the latest VxWorks 7 released on July 19 contains fixes for all the discovered vulnerabilities.\"\n\n<!-- -->\n\n- [AMNESIA:33](https://www.forescout.com/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/)  \n  \"In this study, we discuss the results of the security analysis of seven open source TCP/IP stacks and report a bundle of 33 new vulnerabilities found in four of the seven analyzed stacks that are used by major IoT, OT and IT device vendors\"",
            "x_mitre_emb3d_threat_id": "TID-202",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.075035Z",
            "modified": "2025-04-21T14:20:07.075035Z",
            "name": "Malicious OS Kernel Driver/Module Installable",
            "description": "Threat actors may be able to install a driver or kernel module with malicious code to load a rootkit and manipulate the OS. Drivers and kernel modules generally operate with a high-level privileges (e.g. Ring 0) and therefore can be used to manipulate the operation of the existing OS. OS kernel modules and drivers can typically be installed by any users with root/administrative permissions, though some OSes require that drivers be digitally signed by a trusted OEM before they can be installed on a device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-306 Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)  \n  \"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [Syslogk Rootkit](https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/)  \n  \"The Syslogk rootkit installed itself as a Linux kernel module where it had the ability to hook functions/syscalls, manipulate and create its own syscalls, and launch a payload that contains a backdoor at the request of remote threat actors.\"",
            "x_mitre_emb3d_threat_id": "TID-203",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--93670d27-5d0c-41d2-89c2-5c9b1b8dce72",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.07525Z",
            "modified": "2025-04-21T14:20:07.07525Z",
            "name": "Untrusted Programs Can Access Privileged OS Functions",
            "description": "Without a correctly enforced operating system privilege model, a compromised or untrusted application program could access to data, memory, or programs associated with the underlying OS or other applications. This could also be used to further manipulate the underlying OS.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-693: Protection Mechanisms Failure (Pillar)](http://cwe.mitre.org/data/definitions/693.html)  \n  \"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Security Issues In Compiled PLC Logic (CoDeSys & ProConOs) - Reid Wightman (Dragos) (at S4x23)](https://www.youtube.com/watch?v=3QGVlatumEc)  \n  Researcher Reid Wightman demonstrated that it is possible to compromise a given feature of a controller, in this example the network protocol handler, and leverage that to overwrite memory in other critical portions of the CoDeSys and ProConOs runtime environments.",
            "x_mitre_emb3d_threat_id": "TID-204",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.07548Z",
            "modified": "2025-04-21T14:20:07.07548Z",
            "name": "Existing OS Tools Maliciously Used for Device Manipulation",
            "description": "If a threat actor has access to a valid OS account, they can utilize existing OS tools and system calls to install malicious code or manipulate device operations. If the account and privileges are not sufficiently restricted, the threat actor may be able to add their own tools, modify other application layer programs, or even execute commands with elevated privileges (e.g., setuid/setgid). Further, threat actors can perform a living-off-the-land attack, where they choose to only use pre-installed functionality and install nothing else on the device. These types of attacks can be hard to detect because malicious behavior may be implemented using tools and functions with legitimate purposes.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-693: Protection Mechanisms Failure (Pillar)](http://cwe.mitre.org/data/definitions/693.html)  \n  \"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Graphical User Interface (T0823)](https://attack.mitre.org/techniques/T0823/), [Procedure Example: 2015 Ukraine Electric Power Attack (C0028)](https://attack.mitre.org/campaigns/C0028/)  \n  \"During the 2015 Ukraine Electric Power Attack, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.\"\n\n- [Volt Typhoon targets US critical infrastructure with living-off-the-land techniques](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/)  \n  \"To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. \"",
            "x_mitre_emb3d_threat_id": "TID-205",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.0757Z",
            "modified": "2025-04-21T14:20:07.0757Z",
            "name": "Memory Management Protections Subverted",
            "description": "While the use of memory permissions, such as non-executable stack and heap memory, can prevent threat actors from injecting and executing malicious code, it is still possible to leverage a process's existing code to perform a malicious function. For example, Return Oriented Programming (ROP) is a technique used by threat actors where once a process's stack can be overwritten, a series of \"returns\" to portions of code within the process can be leveraged to cause an intended malicious function. This can include \"returns\" to existing libraries (e.g., libc), or other instruction sequences already in memory of that process.\n\nThe exploitation of this threat may be possible through TID-219, and may also be enabled by the exploitation of TID-219.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2024-28115](https://www.cve.org/CVERecord?id=CVE-2024-28115)  \n  \"FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques should a vulnerability exist that allows code injection and execution. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support enabled (i.e. \\`configENABLE_MPU\\` set to 1). These issues are fixed in version 10.6.2 with a new MPU wrapper.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)  \n  \u201cThe product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.\u201d",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [ATT&CK Technique: Process Injection: Proc Memory (T1055.09)](https://attack.mitre.org/techniques/T1055/009/)  \n  \"Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/\\[pid\\]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions.\"",
            "x_mitre_emb3d_threat_id": "TID-206",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--f3280b96-b050-42e6-adb9-341ea73a2fe6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.075925Z",
            "modified": "2025-04-21T14:20:07.075925Z",
            "name": "Container Escape",
            "description": "Container environments, such as Docker and Kubernetes, share the same underlying kernel as the host operating system. Malicious code that succeeds in executing within a container may attempt to exploit any vulnerabilities present in exposed OS system calls, container management system functions, excessive permissions in shared resources, or other misconfigurations in the environment. One or more of these can be sufficient for a threat actor to escape the container into the underlying host and then begin manipulating the host OS or the applications and data within other containers resident on the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2019-5736](https://www.cve.org/CVERecord?id=CVE-2019-5736)  \n  \"runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.\"\n\n- [CVE-2022-0185](https://www.cve.org/CVERecord?id=CVE-2022-0185)  \n  \"A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespace CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-693: Protection Mechanisms Failure (Pillar)](http://cwe.mitre.org/data/definitions/693.html)  \n  \"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [ATT&CK Technique: Escape to Host (T1611)](https://attack.mitre.org/techniques/T1611/)  \n  \"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.\"\n\n### Proof of Concept\n\n- [Breaking out of Docker via runC \u2013 Explaining CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)  \n  \"A vulnerability in runc allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command... as root within a container in two possible contexts.\"\n\n- [Crowdstrike: CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit](https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/)  \n  \"On Jan. 18, 2022, researchers found a heap base buffer overflow flaw (CVE-2022-0185) in the Linux kernel (5.1-rc1+) function \u201clegacy_parse_param\u201d of filesystem context functionality, which allows an out-of-bounds write in kernel memory. Using this primitive, an unprivileged attacker can escalate its privilege to root, bypassing any Linux namespace restrictions.\" Threat actors can then leverage this namespace restriction bypass and root level privilege to break out of the Kubernetes container.",
            "x_mitre_emb3d_threat_id": "TID-207",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--2f38fbfc-0a74-4657-a28d-b6c24e4dc2ee",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.07615Z",
            "modified": "2025-04-21T14:20:07.07615Z",
            "name": "Virtual Machine Escape",
            "description": "Virtualization mechanisms allow multiple operating sytem instances to share the same underlying hardware. Hypervisor software is responsible for orchestrating and maintaining the separation between virtual machines (VMs) to ensure that failure or compromise within one VM does not affect others. However, vulnerabilities in APIs and services the hypervisor exposes to guest VMs, the implementation of virtualized hardware abstractions, or other hypervisor components could be used by an adversary to escape the virtualized environments. By escaping the environment, a threat actor could manipulate the underlying hypervisor, operating system, or application/data within other environments hosted on that device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Implementing Hypervisor-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities in vSphere](https://kb.vmware.com/s/article/67577) ([CVE-2018-12126](https://www.cve.org/CVERecord?id=CVE-2018-12126), [CVE-2018-12127](https://www.cve.org/CVERecord?id=CVE-2018-12127), [CVE-2018-12130](https://www.cve.org/CVERecord?id=CVE-2018-12130), and [CVE-2019-11091](https://www.cve.org/CVERecord?id=CVE-2019-11091))  \n  \"Intel has disclosed details on a new wave of speculative-execution vulnerabilities known collectively as \u201cMicroarchitectural\u202fData Sampling (MDS)\"\u202fthat can occur on Intel microarchitecture prior to 2nd Generation Intel\u00ae Xeon\u00ae Scalable Processors (formerly known as Cascade Lake). These issues may allow a malicious user who can locally execute code on a system to infer the values of data otherwise protected by architectural mechanisms.\"\n\n- [VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities](https://www.vmware.com/security/advisories/VMSA-2024-0006.html)\\] ([CVE-2024-22252](https://www.cve.org/CVERecord?id=CVE-2024-22252), [CVE-2024-22253](https://www.cve.org/CVERecord?id=CVE-2024-22253), [CVE-2024-22254](https://www.cve.org/CVERecord?id=CVE-2024-22254), [CVE-2024-22255](https://www.cve.org/CVERecord?id=CVE-2024-22255))  \n  \"VMWare\u2019s decision to offer fixes for end-of-life software is because the vulnerabilities patched in these updates are escape flaws that allow a computer program to breack of the confines of a VM and affect the host operating system. Specifically, an attacker with privileged access, such as root or administrator, on a guest VM can access the hypervisor on the host.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-693: Protection Mechanisms Failure (Pillar)](http://cwe.mitre.org/data/definitions/693.html)  \n  \"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [VMWare Security Advisory (VMSA-2024-0006.1)](https://www.vmware.com/security/advisories/VMSA-2024-0006.html)  \n  \"A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.\"  \n  \"A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.\"",
            "x_mitre_emb3d_threat_id": "TID-208",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--63a42cdd-ab9d-4c2b-b5c0-d7205a94723c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.076378Z",
            "modified": "2025-04-21T14:20:07.076378Z",
            "name": "Host Can Manipulate Guest Virtual Machines",
            "description": "If a threat actor can access a hypervisor's host infrastructure, such as through existing management interfaces, they could use that access to manipulate associated guest/virtualized systems. Since the hypervisor runs underneath the virtual machines, this threat will go undetected by the individual guest environments.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2023-20867](https://www.cve.org/CVERecord?id=CVE-2023-20867)  \n  \"A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)  \n  \"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology](https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology)  \n  \"Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim\u2019s substation environment ... On October 10, the actor leveraged an optical disc (ISO) image named \u201ca.iso\u201d to execute a native MicroSCADA binary in a likely attempt to execute malicious control commands to switch off substations.\"\n\n- [Bad VIB(E)s Mandiant Discoveries](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)  \n  Researchers at Mandiant discovered adversarial usage of malware that runs on VM hosting machines. The malware is able to \"1) maintain persistent administrative access to the hypervisor; 2) send commands to the hypervisor that will be routed to the guest VM for execution; 3) transfer files between the ESXi hypervisor and guest machines running beneath it; 4) tamper with logging services on the hypervisor; 5) execute arbitrary commands from one guest VM to another guest VM running on the same hypervisor\"\n\n- [VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors](https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass)  \n  \"Exploiting a zero-day vulnerability (CVE-2023-20867) that enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs\"",
            "x_mitre_emb3d_threat_id": "TID-209",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--be1dae3a-4d6d-4842-9de6-cf5d217f0370",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.076613Z",
            "modified": "2025-04-21T14:20:07.076613Z",
            "name": "Device Vulnerabilities Unpatchable",
            "description": "Threat actors will frequently target device components, like firmware, that have already known vulnerabilities instead of expending the effort to discover new ones. If a device cannot update its firmware, especially upon the discovery of a vulnerability, threat actors may be able to target these vulnerabilities. This is because a vulnerability that is found once will be exploitable on all devices running that firmware in perpetuity. Threat actors' ability to achieve their goals will depend on the nature of the unpatched vulnerability.\n\nIf identified threats cannot be mitigated due to the inability to disable or update vulnerable components, the device will remain vulnerable. This may also be the result of the device reaching its End-of-Service/Support date, where it is no longer being supported by the vendor.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1277: Firmware Not Updateable](https://cwe.mitre.org/data/definitions/1277.html)  \n  \"The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.\"\n\n- [CWE-1329: Reliance on Component That is Not Updateable](https://cwe.mitre.org/data/definitions/1329.html)  \n  \"The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Behavior\n\n- [Regarding Unit 42 New Mirai Variant Targeting Network Security Devices  \n  ](https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/)Some of the IoT devices targeted by the Mirai botnet could not be patched because the device had reached the vendor stated End of Service/Support date.",
            "x_mitre_emb3d_threat_id": "TID-210",
            "x_mitre_emb3d_threat_maturity": "observed adversarial behavior"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--2ef9b3dd-19aa-40b0-9c4c-e2a4aef35b85",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.076842Z",
            "modified": "2025-04-21T14:20:07.076842Z",
            "name": "Device Allows Unauthenticated Firmware Installation",
            "description": "If a device does not have a mechanism to authenticate firmware updates, a threat actor may be able to install malicious or corrupt firmware on the device. In such cases, an adversary may craft a customized or maliciously modified firmware update package that, if properly formed, the device will install it without challenge. The unauthorized firmware could then be used to (i) \u201cbrick\u201d the device and prevent it from being reset, (ii) install malicious logic on the device, including to gain persistence, or (iii) enable access to ease reverse engineering the device to identify remotely exploitable vulnerabilities, depending on how the firmware was formed and how the target device responds to it. Devices that perform only error checking of update packages prior to installation (e.g., parity checks, hash checks without a cryptographic signature, etc.) will be susceptible to this threat.\n\nThis threat also includes any firmware authentication mechanisms that are not enforced on the device. If devices don't check firmware integrity/download command authenticity on-device, threat actors may be able to falsely attest that their firmware is secure, thereby bypassing firmware integrity checks. One mechanism through which threat actors could perform this action is by taking advantage of a device's reliance on a separate management device or service to check firmware. Threat actors may be able to spoof the management device firmware check and successfully initiate a malicious firmware download.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Rockwell Automation Micrologix Remote Code Execution](https://icscsi.org/library/Documents/ICS_Vulnerabilities/CyberX%20-%20Rockwell%20Automation%20MicroLogix%20Remote%20Code%20Execution.pdf) - [CVE-2015-6492](https://www.cve.org/CVERecord/SearchResults?query=CVE-2015-6492)  \n  Researchers at CyberX Threat Intelligence developed custom firmware that allowed them to perform memory dumps. Through these memory dumps, they were able to find memory vulnerabilities that allowed them to develop remote code execution exploits for Rockwell Automatic Micrologix controllers. They were then able to upload malicious firmware to the device.",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)  \n  \"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [EQUATION GROUP: QUESTIONS AND ANSWERS](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf)  \n  \"Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group\u2019s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware... The plugin supports two main functions: reprogramming the HDD firmware with a custom payload from the EQUATION group, and providing an API into a set of hidden sectors (or data storage) of the hard drive. This achieves several important things:\n\n  - Extreme persistence that survives disk formatting and OS reinstall.\n\n  - an invisible, persistent storage hidden inside the hard drive.\"\n\n- [ATT&CK Technique: System Firmware (T0857)](https://attack.mitre.org/techniques/T0857/), [Procedure Example: 2015 Ukraine Electric Power Attack (C0028)](https://attack.mitre.org/campaigns/C0028/)  \n  \"During the 2015 Ukraine Electric Power Attack, Sandworm Team overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable.\"\n\n### Proof of Concept\n\n- [On the recent vulnerability in Diebold Nixdorf ATMs](https://habr.com/en/companies/pt/articles/589291/)  \n  Researchers from Positive Technologies were able to demonstrate that it was possible to exploit a vulnerability that allowed them to upload valid firmware without a valid encryption key. From there, attackers or researchers would be able to modify the ATM firmware however they like.",
            "x_mitre_emb3d_threat_id": "TID-211",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--435d3f7c-68fe-4c67-b952-61d5713dad36",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.077084Z",
            "modified": "2025-04-21T14:20:07.077084Z",
            "name": "FW/SW Update Integrity Shared Secrets Extraction",
            "description": "Some devices utilize a shared secret authentication scheme to verify firmware updates. This is an improvement over unauthenticated updates (as in TID-211) and can be coupled with or implemented as symmetric key encryption for added confidentiality. This process requires the shared secret to be present on the device for verification (or decryption). Often the same shared secret will be used across many or all examples of that model device, therefore if the secret is compromised on one device it makes all others vulnerable. A threat actor may extract the secret via various means then use it to fabricate a malicious firmware update that is accepted by all devices that use the same integrity mechanism and shared secret.\n\nMalicious firmware or software could then be installed to (i) \u201cbrick\u201d the device and prevent it from being reset, (ii) install malicious logic on the device, including to gain persistence, or (iii) enable access to ease reverse engineering the device to identify remotely exploitable vulnerabilities on the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2022-38773](https://www.cve.org/CVERecord?id=CVE-2022-38773)  \n  \"Affected devices do not contain an Immutable Root of Trust in Hardware. With this the integrity of the code executed on the device can not be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-12326: Missing Immutable Root of Trust in Hardware](https://cwe.mitre.org/data/definitions/1326.html)  \n  \u201cA missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.\u201d",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features](https://redballoonsecurity.com/siemens-discovery/)  \n  \"The Siemens S7-1500 series PLCs implement a boot-time firmware validation scheme using a combination of hardware-enabled firmware decryption and binary integrity validation in the Siemens ADONIS operating system. Multiple architectural vulnerabilities exist which allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data. With physical access to a single device, attackers can exploit the vulnerabilities to generate valid AES keys for most of the S7-1500 series firmwares, including the one modified by attackers. The custom-modified firmware can be authenticated and decrypted by the original boot process. By flashing this malicious firmware on a target device, either physically or by exploiting an existing remote code execution vulnerability, attackers could persistently gain arbitrary code execution and potentially circumvent any official security and firmware updates, without the user\u2019s knowledge.\"",
            "x_mitre_emb3d_threat_id": "TID-212",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--99b03309-3996-4e49-9500-1ed7a700d9cd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.077312Z",
            "modified": "2025-04-21T14:20:07.077312Z",
            "name": "FW/SW Update Integrity Shared Secrets Extraction",
            "description": "To avoid the weaknesses of a shared secret verification (see TID-212), devices may utilize a digital signature verification scheme based on asymmetric public key cryptography. However, if the device does not correctly verify a firmware/software signature correctly, a threat actor can bypass the device's authenticity checking mechanisms to upload malicious or corrupt version. The unauthorized firmware could \u201cbrick\u201d the device, preventing it from being reset. This could also be used to install malicious logic on the device.\n\nNOTE: firmware/software signature here refers to processes that use cryptographic keys to verify firmware integrity and origin. These can include keyed hashes and/or asymmetric key signing. This does not include encrypting firmware with no other integrity verification mechanisms in-place.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2021-43394](https://www.cve.org/CVERecord?id=CVE-2021-43393)  \n  \"STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to abuse signature verification. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API...\"\n\n- [CVE-2023-33768](https://www.cve.org/CVERecord?id=CVE-2023-33768)  \n  \"Incorrect signature verification of the firmware during the Device Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows attackers to cause a Denial of Service (DoS) via a crafted firmware file.\"\n\n- [Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability](https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-iosxe-digsig-bypass-FYQ3bmVq.html) - [CVE-2020-3209](https://www.cve.org/CVERecord?id=CVE-2020-3209)  \n  \"A vulnerability in software image verification in Cisco IOS XE Software could allow an unauthenticated, physical attacker to install and boot a malicious software image or execute unsigned binaries on an affected device.  \n  The vulnerability is due to an improper check on the area of code that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the targeted device.\"\n\n- [CVE-2023-41991](https://www.cve.org/CVERecord?id=CVE-2023-41991)  \n  \"A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-347: Improper Verification of Cryptographic Signature](https://cwe.mitre.org/data/definitions/347.html)  \n  \"The product does not verify, or incorrectly verifies, the cryptographic signature for data.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- \\[[KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41991)\\] [CVE-2023-41991](https://www.cve.org/CVERecord?id=CVE-2023-41991)  \n  \"Apple iOS, iPadOS, macOS, and watchOS contain an improper certificate validation vulnerability that can allow a malicious app to bypass signature validation.\"",
            "x_mitre_emb3d_threat_id": "TID-213",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--02b33020-2f00-4eb7-8323-2281d41275fc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.077542Z",
            "modified": "2025-04-21T14:20:07.077542Z",
            "name": "Secrets Extracted from Device Root of Trust",
            "description": "Some device have mutable or immutable secure Roots of Trust (ROTs) that may store keys or secrets. If the device has a ROT mechanism to validate the authenticity of the firmware/software, the ROT can be either a software or hardware mechanisms, such as a Trusted Platform Module (TPM), firmware TPM (fTPM), Secure Element, or similar security module. If a threat actor can access authentication material on the ROT, such as the keys or other secrets, they can potentially use them to sign a malicious version of firmware/software which can then be installed on the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2022-38773](https://www.cve.org/CVERecord?id=CVE-2022-38773)  \n  \"Affected devices do not contain an Immutable Root of Trust in Hardware. With this the integrity of the code executed on the device can not be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1326: Missing Immutable Root of Trust in Hardware](https://cwe.mitre.org/data/definitions/1326.html)  \n  \"A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Uprooting Trust: Learnings from an Unpatchable Hardware Root-of-Trust Vulnerability in Siemens S7-1500 PLCs](https://ieeexplore.ieee.org/document/10133438)  \n  \"Specifically, this assessment is conducted by uncovering novel vulnerabilities related to the discrete RoT implementation on the Siemens S7-1500 series Programmable Logic Controllers (PLCs). Our findings are cautionary evidence of how flawed assumptions related to RoT implementation may allow malicious actors to spoof authentication credentials, re-encrypt firmware, and ultimately gain covert, privileged control over these devices without invasive or destructive practices.\"\n\n- [100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot)  \n  \"A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.\"\n\n- [faulTPM: Exposing AMD fTPMs\u2019 Deepest Secrets](https://ieeexplore.ieee.org/document/10190531)  \n  \"In this paper, we show that AMD\u2019s fTPMs are vulnerable to physical attacks against their execution environment: the AMD-SP. Our attack utilizes the AMD-SP\u2019s vulnerability to voltage fault injection attacks to extract a chip-unique secret from the targeted CPU. This secret is subsequently used to derive the storage and integrity keys protecting the fTPM\u2019s non-volatile (NV) data stored on the Basic Input/Output System (BIOS) flash chip.\"",
            "x_mitre_emb3d_threat_id": "TID-214",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--502fd094-4e5d-4cf5-a644-e224bd9f469b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.077757Z",
            "modified": "2025-04-21T14:20:07.077757Z",
            "name": "Unencrypted SW/FW Updates",
            "description": "If the firmware/software update is not encrypted at rest in storage it can be reverse engineered to identify potential vulnerabilities or extract other information needed to protect devices (e.g., passwords, cryptographic keys). Firmware/software updates can often be directly downloaded from the Internet and reverse engineered, however, firmware/software updates that are unencrypted in transit may also be intercepted and analyzed over-the-wire.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-311: Missing Encryption of Sensitive Data](https://cwe.mitre.org/data/definitions/311.html)  \n  \"The product does not encrypt sensitive or critical information before storage or transmission.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept \n\n- [Reverse Engineering Obfuscated Firmware for Vulnerability Analysis](https://www.nozominetworks.com/blog/reverse-engineering-obfuscated-firmware-for-vulnerability-analysis)  \n  Nozomi researchers demonstrated how the ability to reverse engineer firmware gives attackers the ability to find novel vulnerabilities, or the presence of older vulnerabilities, on a given device.",
            "x_mitre_emb3d_threat_id": "TID-215",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--e62bc4f1-d5c4-4714-b529-e1fc78f2991d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.077981Z",
            "modified": "2025-04-21T14:20:07.077981Z",
            "name": "Firmware Update Rollbacks Allowed",
            "description": "Firmware updates will oftentimes include fixes to security vulnerabilities, meaning that past versions will contain security threats to the devices. If a threat actor can initiate a firmware update on the device, they may be able to \"upgrade\" to a previous firmware version with known vulnerabilities. By completing an \"upgrade\" to a version with vulnerabilities, the threat actor could then potentially exploit that device to gain additional access or privileges.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash](https://www.securityweek.com/diebold-nixdorf-atm-flaws-allowed-attackers-modify-firmware-steal-cash/) \u2013 CVE-2018-9099  \n  \"\u2026the researchers figured out the command encryption between the ATM computer and the cash dispenser, bypassed it, replaced the ATM firmware with an outdated one, and exploited the vulnerabilities to tell the system to spew cash.\u201d",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1328: Security Version Number Mutable to Older Versions](https://cwe.mitre.org/data/definitions/1328.html)  \n  \"Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Behavior\n\n- [China APT Cracks Cisco Firmware in Attacks Against the US and Japan](https://www.darkreading.com/threat-intelligence/china-apt-cracks-cisco-firmware-attacks-against-us-japan)  \n  Threat group BlackTech (Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) has been performing firmware downgrade attacks. Once the firmware is downgraded, BlackTech can leverage older vulnerabilities to \"hot patch old firmware in memory\" with custom firmware code. They then can achieve persistence and pivot from \"smaller, international subsidiaries to headquarters of affected organizations.\"\n\n### Proof of Concept\n\n- [PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5](https://www.securityweek.com/flaws-atm-dispenser-controllers-allowed-hackers-steal-cash/)  \n  \u201c\\[The flaws\\] can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities, according to Positive Technologies.\u201d",
            "x_mitre_emb3d_threat_id": "TID-216",
            "x_mitre_emb3d_threat_maturity": "observed adversarial behavior"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--2f72b508-1ab5-4ae3-a3f2-63ff5e1e4a56",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.078195Z",
            "modified": "2025-04-21T14:20:07.078195Z",
            "name": "Remotely Initiated Updates Can Cause DoS",
            "description": "When firmware/software update process is initiated on a device, it may enter a different operational mode where it stops performing key functions, including networking, data collection, or control functions. Therefore, a threat actor could remotely initiate the firmware/software update to cause a denial of service on the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CRASHOVERRIDE](https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf) - [CVE-2015-5374](https://www.cve.org/CVERecord?id=CVE-2015-5374)  \n  \"Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.\"  \n  \"The DoS condition places the victim SIPROTEC device in \u201cfirmware update\u201d mode. The effect triggered is practical and useful in legitimate firmware update instances given the limited resources available to legacy SIPROTEC devices (especially for memory).\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)  \n  \"The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Activate Firmware Update Mode (T0800)](https://attack.mitre.org/techniques/T0800/) \u2013 [Procedure Example: Industroyer (S0604)](https://attack.mitre.org/software/S0604/)  \n  \"The Industroyer SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission.\"",
            "x_mitre_emb3d_threat_id": "TID-217",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--ed320462-9747-416e-a3f5-109ebe7ce514",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.078421Z",
            "modified": "2025-04-21T14:20:07.078421Z",
            "name": "Operating System Susceptible to Rootkit",
            "description": "A threat actor may be able to install a rootkit that can manipulate the operating system (OS). Rootkits can evade OS protections by installing themselves at the same privilege-level as the OS. A threat actor can use a rootkit to maintain persistence on the device, evade detection, or execute malicious programs/logic.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-693: Protection Mechanisms Failure (Pillar)](http://cwe.mitre.org/data/definitions/693.html)  \n  \"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [ATT&CK Technique: Rootkit (T0851)](https://attack.mitre.org/techniques/T0851/), [Procedure Example: Stuxnet (S0603)](https://attack.mitre.org/software/S0603/)  \n  \"One of Stuxnet's rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets \\[sic\\] own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets \\[sic\\] PLC code is not discovered or damaged.\"\n\n### Proof of Concept\n\n- [Ghost in the PLC](https://www.blackhat.com/docs/eu-16/materials/eu-16-Abbasi-Ghost-In-The-PLC-Designing-An-Undetectable-Programmable-Logic-Controller-Rootkit-wp.pdf)  \n  Researchers Abbasi and Hasemi were able to create the Ghost in the PLC rootkit. This rootkit is able to embed itself in a PLC with detection evasion mechanisms. It is then able to achieve arbitrary read/write in registers with/without root access.\n\n- [Air Force Researchers Plant Rootkit in a PLC](https://www.darkreading.com/attacks-breaches/air-force-researchers-plant-rootkit-in-a-plc)  \n  \"Researchers with the U.S. Air Force Institute of Technology (AFIT) have created a prototype rootkit that can sit undetected in the firmware of a programmable logic controller (PLC) device and corrupt utility and plant floor operations.\"",
            "x_mitre_emb3d_threat_id": "TID-218",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--b45b01bc-d3ea-42c7-b4c7-9e37f87e86b4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.078635Z",
            "modified": "2025-04-21T14:20:07.078635Z",
            "name": "OS/Kernel Privilege Escalation",
            "description": "Operating Systems and Kernels frequently run at the highest levels of permissions. If processes with lower permissions are able to exploit a vulnerability in the OS or Kernel (such as a vulnerability enabled by TID-206), they may be able to raise the privileges of their process. If a threat actor were to exploit this vulnerability, they may be able to raise the permissions of a malicious process, thereby granting themselves greater access to the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)  \n  \"The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Exploitation for Privilege Escalation (T0890)](https://attack.mitre.org/techniques/T0890/), [Procedure Example: Triton (S1009)](https://attack.mitre.org/software/S1009/)  \n  \"Triton leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges.\"",
            "x_mitre_emb3d_threat_id": "TID-219",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--fe64d2c0-6201-4ccb-8ddc-35964d9b2200",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.078854Z",
            "modified": "2025-04-21T14:20:07.078854Z",
            "name": "Unpatchable Hardware Root of Trust",
            "description": "Hardware roots of trust can be used to support many desirable device security functions, such as secure key and secret storage, secure boot, and firmware integrity measurement. These functions often rely on the root of trust being immutable, preventing a threat actor from making changes to code or data in the root of trust that would undermine the security functions built atop them. However, if the root of trust implementation is flawed, immutability prevents the revocation and replacement of compromised keys, and prevents patching vulnerable code. Therefore, if threat actors have access to a mechanism to obtain the secret data or code, and/or those secrets and code are shared over multiple devices and threat actors can obtain them, then devices will remain vulnerable past threat disclosure and may have to be removed from operation and replaced with new patched versions.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1329: Reliance on Component That is Not Updateable](https://cwe.mitre.org/data/definitions/1329.html)  \n  \"The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [Glitching the Switch](https://media.ccc.de/v/c4.openchaos.2018.06.glitching-the-switch)  \n  The researchers show how they identified an exploitable flaw in the immutable 1st stage boot ROM code of the Nvidia Tegra X1 SoC, which the Nintendo Switch game console is built upon. The secret boot ROM code serves as the root of trust for secure verified boot on the Tegra X1 platform. A buffer overflow vulnerability in the recovery mode of the boot ROM allows a threat actor to bypass firmware verification and execute unauthorize custom or modified firmware on the device. Because the flawed code is stored in unmodifiable memory within the X1 system-on-chip, this vulnerability cannot be patched in hardware revisions that contain it and could only be fixed on newly manufactured Switch consoles.\n\n### Proof of Concept\n\n- [Uprooting Trust: Learnings from an Unpatchable Hardware Root-of-Trust Vulnerability in Siemens S7-1500 PLCs](https://ieeexplore.ieee.org/document/10133438)  \n  \"The vulnerable ATECC-based RoT hardware implementation is deployed across the Siemens S7-1500 series product line. Because each device is loaded with the exact same cryptographic material used to generate decryption seeds and keys, adversaries may abuse the hardware RoT to decrypt, modify, and re-encrypt firmware for all devices within this family. For example, an ATECC RoT chip may be removed or instrumented from one specific S7-1500 series device, and used to generate valid tampered firmware for a separate device.\"",
            "x_mitre_emb3d_threat_id": "TID-220",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--c8299e63-c1ee-4bbc-8486-2e7b5a5d1cad",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.079069Z",
            "modified": "2025-04-21T14:20:07.079069Z",
            "name": "Authentication Bypass By Message Replay",
            "description": "Some devices will allow for authentication over the network, but do not implement mechanisms (i.e. nonces, timestamps) to ensure that messages containing credentials cannot be reused. Devices like these are potentially vulnerable to replay attacks. In these attacks, threat actors may be able to take legitimate packets that were sent over the network, capture them, and send them again to the device. If the device accepts these packets, threat actors may be able to initiate unauthorized actions. Additionally, if threat actors are able to edit the contents of those packets, they can potentially control the device remotely.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-294: Authentication Bypass by Capture-replay](https://cwe.mitre.org/data/definitions/294.html)  \n  \"A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK T1212 Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212/)  \n  \"Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.\"",
            "x_mitre_emb3d_threat_id": "TID-221",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--643c0c24-0b99-4dc4-9de2-b6d5a30334d9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.079298Z",
            "modified": "2025-04-21T14:20:07.079298Z",
            "name": "Critical System Service May Be Disabled",
            "description": "Various devices and associated services are necessary to support communications and connections on a network. If a key service is disabled, terminated, or reconfigured, a threat actor can disrupt or disable communications on a network. This could occur on various network equipment, such as switches, firewalls, or routers, along with other devices which may have dedicated processes to facilitate communication with specific protocols or physical mediums (e.g., serial).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-306 Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)  \n  \"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.\"\n\n- [CWE-15: External Control of System or Configuration Setting](https://cwe.mitre.org/data/definitions/15.html)  \n  \"One or more system settings or configuration elements can be externally controlled by a user.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Service Stop (T0881)](https://attack.mitre.org/techniques/T0881/)\n\n  - [Procedure Example: Industroyer (S0604)](https://attack.mitre.org/software/S0604/)  \n    \"Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user.\"\n\n  - [Procedure Example: Industroyer2 (S1072)](https://attack.mitre.org/software/S1072/)  \n    \"Industroyer2 has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. These are defined through a hardcoded configuration.\"",
            "x_mitre_emb3d_threat_id": "TID-222",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--68ec2b84-ef87-4ee8-b14f-27310bd96240",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.079518Z",
            "modified": "2025-04-21T14:20:07.079518Z",
            "name": "System Susceptible to RAM Scraping",
            "description": "If the threat actor can obtain sufficient privileges on the devices, they may be able to install runtime tools to directly extract the contents of some or all of the system RAM. This can grant the actor access to the internal state of other applications executing on the device as they process potentially sensitive data (e.g., password, keys, credentials, financial data, PII, etc.) even if that data is never committed to storage in a file or database. If the access extends to physical RAM, this can enable the threat actor to bypass other inter-process security boundaries created by the operating system.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)  \n  \u201cThe product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.\u201d",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks](https://www.wired.com/2014/09/ram-scrapers-how-they-work/)  \n  \"There are more than a dozen RAM scrapers sold in the underground market these days. There's Dexter, Soraya, ChewBacca and BlackPOS to name a few... Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card's magnetic stripe. Some scrapers are efficient and grab only the golden numbers the attackers seek; others are more sloppy and grab a lot of dirt with their gold.\"",
            "x_mitre_emb3d_threat_id": "TID-223",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4e9d683d-1400-46c3-9cb5-20cf0c3757c6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.079749Z",
            "modified": "2025-04-21T14:20:07.079749Z",
            "name": "Excessive Access via Software Diagnostic Features",
            "description": "If a device has debugging capabilities (e.g., diagnostic tools, debug logs, etc.) that are not authenticated or can be accessed in unintended ways, it may be possible for a threat actor to attach to these debuggers. Debuggers frequently have privileged access, which would give the threat actors increased access over the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1295: Debug Messages Revealing Unnecessary Information](https://cwe.mitre.org/data/definitions/1295.html)  \n  \"The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK T1623 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1623/)  \n  \"Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic Unix Shell that can be accessed via the Android Debug Bridge (ADB)\"\n\n### Proof of Concept\n\n- [Hacking an ATM Is Shockingly Easy](https://www.tomsguide.com/us/atm-hack-attack,news-28531.html)  \n  \u201cYou could just reboot the machine into a debugging or safe mode, which often led to the jackpot. \u2018Setting a different boot mode was possible on 88 percent of ATMs,\u2019 the report said. \u2018In 42 percent of cases, the testers could develop this attack further and eventually withdraw cash.\u2019\u201d",
            "x_mitre_emb3d_threat_id": "TID-224",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4611b574-efed-4237-81a4-d9e238fb1ef4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.079969Z",
            "modified": "2025-04-21T14:20:07.079969Z",
            "name": "Logs can be manipulated on the device",
            "description": "Threat actors may try to manipulate logs on the device to evade defenses, confuse incident responders, hide their access techniques, or keep their exploitation methods secret. Threat actors can do this by changing the timestamps on logs, deleting logs entirely, inserting or reporting false logs, restoring the device to a previous state, or factory resetting the device. All of these methods will prevent defenders from obtaining an accurate representation of the current or past state of the device and will make analysis of the device more difficult.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE - CVE-2024-9026](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9026)  \n  \u201c\u2026 when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.\u201d",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)  \n  \"The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.\"",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK T1630 Indicator Removal on Host](https://attack.mitre.org/techniques/T1630/)  \n  The Android malware [Monokle](https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf) has the capability to use incoming cellphone calls to trigger certain events on the device. After receiving the phone call, Monokle will subsequently delete the call record log, thereby making it more difficult to know that an incoming phone call took place or caused an event to occur on the device.",
            "x_mitre_emb3d_threat_id": "TID-225",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--68a9740e-95d8-4973-aaaa-e656542eac98",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.08019Z",
            "modified": "2025-04-21T14:20:07.08019Z",
            "name": "Device leaks security information in logs",
            "description": "Some devices will log information that can be exploited by attackers to further their attack against the device or the system in which the device resides. This data can vary, but in general if a device logs any secrets that would break its safety, confidentiality, integrity, or availability, a threat actor may be able to use that information to further their goals. For example, if a private key is printed in a debug or event log after generation, threat actors may be able to take the key and use it to decrypt network communications. Another instance is a threat actor being able to take information associated with a core-dump log of a failed process and turn it into an exploit.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2023-51390](https://www.cve.org/CVERecord?id=CVE-2023-51390)  \n  \u201cjournalpump is a daemon that takes log messages from journald and pumps them to a given output. A logging vulnerability was found in journalpump which logs out the configuration of a service integration in plaintext to the supplied logging pipeline, including credential information contained in the configuration if any. The problem has been patched in journalpump 2.5.0.\u201d\n\n- [CVE-2025-0895](https://www.cve.org/CVERecord?id=CVE-2025-0895)  \n  \u201cIBM Cognos Analytics Mobile 1.1 for Android could allow a user with physical access to the device, to obtain sensitive information from debugging code log messages.\u201d\n\n- [CVE-2025-26495](https://www.cve.org/CVERecord?id=CVE-2025-26495)  \n  \u201cCleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories. This issue affects Tableau Server: before 2022.1.3, before 2021.4.8, before 2021.3.13, before 2021.2.14, before 2021.1.16, before 2020.4.19.\u201d",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-200 Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html)  \n  \u201cThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.\u201d\n\n- [CWE-532 Insertion of Sensitive Information into Log File](https://cwe.mitre.org/data/definitions/532.html)  \n  \u201cThe product writes sensitive information to a log file.\u201d",
            "x_mitre_emb3d_threat_category": "system software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [Uber app (2018)](https://cqr.company/web-vulnerabilities/information-leakage-through-debug-information/)  \n  \u201cIn 2018, a security researcher found that the Uber app was leaking sensitive data, including secret keys and passwords, through its debugging interface. The researcher was able to use this information to access user data, such as ride histories and payment information.\u201d\n\n- [Tesla electric vehicles (2020)](https://cqr.company/web-vulnerabilities/information-leakage-through-debug-information/)  \n  \u201cIn 2020, a security researcher discovered that Tesla electric vehicles were leaking sensitive data, including passwords and private keys, through their debugging interface. The researcher was able to use this information to access user data, such as location histories and driving behavior.\u201d",
            "x_mitre_emb3d_threat_id": "TID-226",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--635d9915-c996-4044-ad11-1ce3eaec8a1c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.080401Z",
            "modified": "2025-04-21T14:20:07.080401Z",
            "name": "Applications Binaries Modified",
            "description": "A threat actor could modify application-level binaries or libraries on the device to introduce unauthorized code, maintain persistence, or evade detection. This could also include the modification of runtime libraries used to support the execution of programs, along with key PLC function blocks used to structure the execution of application function blocks, such as organizational blocks.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)  \n  \"The product does not perform an authorization check when an actor attempts to access a resource or perform an action.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Modify Controller Tasking (T0821)](https://attack.mitre.org/techniques/T0821/), [Procedure Example: Stuxnet (S0603)](https://attack.mitre.org/software/S0603/)  \n  \"Stuxnet infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1.\"",
            "x_mitre_emb3d_threat_id": "TID-301",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.080623Z",
            "modified": "2025-04-21T14:20:07.080623Z",
            "name": "Install Untrusted Application",
            "description": "A threat actor can install a malicious program to the device to manipulate its operations or prevent the device from operating as expected. Devices can utilize a variety of different approaches to support the download, modification, and execution of programs/logic. For example, some devices might support program downloads through traditional operating system interfaces (e.g., Telnet, SSH, RDP), while other devices, such as PLCs, often use proprietary interfaces to deploy and execute IEC 61131 based logic programs. Devices are often dependent on a remote system, such as a Windows workstation, with a vendor-specific application program or IDE to develop and transfer the programs to the device. However, devices often assume that all code originates from that trusted program/IDE and therefore do not perform any integrity checking of the code before downloading or executing it.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-494: Download of Code Without Integrity Check](https://cwe.mitre.org/data/definitions/494.html)  \n  \"The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Program Download (T0843)](https://attack.mitre.org/techniques/T0843/)\n\n  - [Procedure Example: Triton (S1009)](https://attack.mitre.org/software/S1009/)  \n    \"Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System\".\n\n  - [Procedure Example: Incontroller (S1045)](https://attack.mitre.org/software/S1045/)  \n    \u201cThe Incontroller software was able to perform program downloads to a controller through a self-contained API.\u201d",
            "x_mitre_emb3d_threat_id": "TID-302",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--4d11522b-19e6-4989-aad4-bce1378ad2ad",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.080854Z",
            "modified": "2025-04-21T14:20:07.080854Z",
            "name": "Excessive Trust in Offboard Management/IDE Software",
            "description": "If device management is intended to be performed by a dedicated engineering software platform or integrated development environment (IDE), the threat actor could potentially modify the software platform, such as by manipulating key .dlls, to install malicious code or manipulate the operation of the device. This can provide the threat actor with a mechanism to bypass protections/countermeasures.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2022-1159](https://www.cve.org/CVERecord?id=CVE-2022-1159)  \n  \"Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-114: Process Control (Class)](https://cwe.mitre.org/data/definitions/114.html)  \n  \"Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Rootkit (T0851)](https://attack.mitre.org/techniques/T0851/)\n\n  - [Procedure Example: Stuxnet (S0603)](https://attack.mitre.org/software/S0603/)  \n    \u201cStuxnet has the capability, through malicious .DLLs, to intercept read requests and write requests, include those the could overwrite code on the device\u201d\n\n### Proof of Concept\n\n- [Applying a Stuxnet Type Attack to a Modicon PLC](https://web.archive.org/web/20240227113019/https:/www.cyber.airbus.com/applying-a-stuxnet-type-attack-to-a-modicon-plc-2/)  \n  \"Implementing Stuxnet type attacks on PLC\u2019s from other manufacturers is possible. In the case of the Modicon M340, this porting is easier because the PLC executes ARM bytecode natively (and not proprietary assembly code).  \n  This exercise gives us the opportunity to extend M340 functionality by developing automation code directly in C. Now we can perform low level actions which are very difficult to do with other languages (e.g Ladder, Grafcet).  \n  We developed a program that allows the changing of logical programs on the fly (no need for recompilation \u2013 stop \u2013 upload \u2013 start steps in Unity)\"\n\n- [The Old Switcheroo: Hiding Code on Rockwell Automation PLCs](https://claroty.com/team82/research/hiding-code-on-rockwell-automation-plcs)  \n  \"Team82 decided to test for these Stuxnet-type of attacks on the Rockwell Automation PLC platform. Our research uncovered two vulnerabilities that expose the company's Logix Controllers and Logix Designer application for engineering workstations to attacks that allow threat actors to stealthily modify automation processes.  \n  Programmable logic and predefined variables drive these processes, and changes to either will alter normal operation of the PLC and the process it manages.  \n  An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility.\"",
            "x_mitre_emb3d_threat_id": "TID-303",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.081064Z",
            "modified": "2025-04-21T14:20:07.081064Z",
            "name": "Manipulate Runtime Environment",
            "description": "A threat actor can manipulate the runtime environments on a device to maintain persistence on the device and overwrite various functionalities, such as protocol handlers. If the application program (which the threat actor can deploy on the device through a program download) has access to memory where the runtime environment and libraries are located, they could overwrite these libraries with malicious code. This is especially risky because runtime environments often must allow the dynamic addition of modules/functions to support user-specific customization or configuration of devices, which may require that the runtime support writeable memory.\n\nNOTE: This differs from TID-305 because this threat has a focus on code being used to manipulate the device runtime environment itself. TID-305 on the other hand pertains to a malicious program itself being used to perform device actions.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CODESYS Security Advisory 2023-04](https://cert.vde.com/en/advisories/VDE-2023-025/) ([CVE-2022-4046](https://www.cve.org/CVERecord?id=CVE-2022-4046), [CVE-2023-28355](https://www.cve.org/CVERecord?id=CVE-2023-28355))  \n  \"The CODESYS Control V3 runtime system does not restrict the memory accesses of the PLC application code to the PLC application data and does not sufficiently check the integrity of the application code by default. This could be exploited by authenticated PLC programmers.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](https://cwe.mitre.org/data/definitions/119.html)  \n  \"The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Security Issues In Compiled PLC Logic (CoDeSys & ProConOs)](https://www.youtube.com/watch?v=3QGVlatumEc)  \n  At S4x23, Reid Wightman demonstrated that if memory space is shared between program runtime, program logic, and other device functions such as network handling, it is possible to create malicious programs that can manipulate a device's runtime environment from the application program.",
            "x_mitre_emb3d_threat_id": "TID-304",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--bd5fb5e9-71b7-4817-acc7-349303f95aed",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.081274Z",
            "modified": "2025-04-21T14:20:07.081274Z",
            "name": "Program Executes Dangerous System Calls",
            "description": "If the device allows the downloading and execution of native binaries on the device, a threat actor can deploy a malicious program that leverages the environment's privileges to gain unwanted or excessive access to the device, such as through \"dangerous\" system calls. These system calls could be used to manipulate the device's firmware, maintain persistence, execute unwanted logic, or obtain a C2 channel.\n\nAdditionally, the device may assume the program comes from a trusted integrated development environment (IDE), and therefore does not restrict the privileges or system calls the program can access. However, if the threat actor compiles the program without the IDE, they can violate this assumption.\n\nNOTE: This differs from TID-304 because this threat has a focus on a malicious program itself being used to perform device actions. TID-304 on the other hand pertains to code being used to manipulate the device runtime environment itself.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2018-8872](https://www.cve.org/CVERecord?id=CVE-2018-8872)  \n  \"In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow attacker data to be copied anywhere within memory.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-250: Execution with Unnecessary Privileges (Base)](https://cwe.mitre.org/data/definitions/250.html)  \n  \"The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Exploitation for Privilege Escalation (T0890)](https://attack.mitre.org/techniques/T0890/) \u2013 [Procedure Example: Triton (S1009)](https://attack.mitre.org/software/S1009/)  \n  \"Triton leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.0-10.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges.\"\n\n- [ATT&CK Technique: Native API (T0834)](https://attack.mitre.org/techniques/T0834/) \u2013 [Procedure Example: Stuxnet (S0603)](https://attack.mitre.org/software/S0603/)  \n  \"Stuxnet calls system function blocks which are part of the operating system running on the PLC. They\u2019re used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly.\"",
            "x_mitre_emb3d_threat_id": "TID-305",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9f65791a-cb28-4dde-b903-3885e40d8f64",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.081466Z",
            "modified": "2025-04-21T14:20:07.081466Z",
            "name": "Sandboxed Environments Escaped",
            "description": "While restricting the execution of external programs within a sandboxed execution environment can mitigate the threat of programs having excessive privileges or memory access, vulnerabilities within that environment could be exploited to escape the sandbox. This would allow the threat actor to escalate their privileges to more broadly manipulate the device's operation and evade detections.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2020-15782](https://www.cve.org/CVERecord?id=CVE-2020-15782)  \n  \"A vulnerability has been identified in \\[Siemens devices\\]... Affected devices are vulnerable to a memory protection bypass through a specific operation. A remote unauthenticated attacker with network access to port 102/tcp could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-693: Protection Mechanism Failure](https://cwe.mitre.org/data/definitions/693.html)  \n  \"The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [The Race to Native Code Execution in PLCs](https://claroty.com/team82/research/the-race-to-native-code-execution-in-plcs)  \n  Claroty demonstrated in their research that it was possible to break out of the runtime environment on a PLC and execute code natively in protected areas of memory. \"Escaping the sandbox means an attacker would be able to read and write from anywhere on the PLC, and could patch an existing VM opcode in memory with malicious code to root the device.\"",
            "x_mitre_emb3d_threat_id": "TID-306",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--c98bbe9f-e478-40d5-b585-cc1bc83c8105",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.081681Z",
            "modified": "2025-04-21T14:20:07.081681Z",
            "name": "Device Code Representations Inconsistent",
            "description": "Many devices that allow the execution of custom application programs, such as IEC 61131 based programs, also support \"program uploads\" to extract the running code from the device for various diagnostic functions. To support the program upload function, the device must provide the IDE with machine readable and human-presentable source code, rather than the executable compiled code. Therefore, the device must store two copies of the code, the source code (used to inform program upload function) and the executed compiled code. If a threat actor can modify the source code in memory, it will prevent the program upload function from accurately uploading/reporting the actual code executing on the device and allow any later downloaded malicious code to stay undetected.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2022-1161](https://www.cve.org/CVERecord?id=CVE-2022-1161)  \n  \"An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code allowing an attacker to change one and not the other.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-829: Inclusion of Functionality from Untrusted Control Sphere](https://cwe.mitre.org/data/definitions/829.html)  \n  \"The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [The Old Switcheroo: Hiding Code on Rockwell Automation PLCs](https://claroty.com/team82/research/hiding-code-on-rockwell-automation-plcs)  \n  Claroty researchers were able to edit the code representation that is uploaded to the EWS during a program upload without their malicious machine code also being uploaded. As a result, after a program upload operators saw code that was not the code actually running on the machine, which was the Claroty malicious machine code.",
            "x_mitre_emb3d_threat_id": "TID-307",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1f94d3f8-d111-463e-afe3-1779ea76b7dd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.081892Z",
            "modified": "2025-04-21T14:20:07.081892Z",
            "name": "Code Overwritten to Avoid Detection",
            "description": "The threat actor can overwrite a previously deployed/installed malicious program with a dummy program in order to evade the detection of the malicious program. This can be used to prevent detection by monitoring tools or engineering software that performs periodic \"Program Uploads\" to inspect the contents of a program on the device.\n\nWhile some devices utilize error detection codes, such as CRCs or Checksums, these are not cryptographically strong and a threat actor can easily generate a program with the same CRC/Checksum (i.e., by simply padding the program).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-223: Omission of Security-relevant Information](https://cwe.mitre.org/data/definitions/223.html)  \n  \"The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.\"\n\n- [CWE-778: Insufficient Logging](https://cwe.mitre.org/data/definitions/778.html)  \n  \"When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Indicator Removal on Host (T0872)](https://attack.mitre.org/techniques/T0872/) \u2013 [Procedure Example: Triton (S1009)](https://attack.mitre.org/software/S1009/)  \n  \"Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics.\"",
            "x_mitre_emb3d_threat_id": "TID-308",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--7d38e8f0-09a8-45f2-afbe-62fb6d20a1f3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.082099Z",
            "modified": "2025-04-21T14:20:07.082099Z",
            "name": "Device Exploits Engineering Workstation",
            "description": "If the integrated development environment (IDE) or vendor software that is used to manage a device is not sufficiently secure, it could be exploited or crashed when it connects to the device, such as during a file transfer or program upload. A threat actor could use a compromised device, such as a PLC, to exploit a vulnerability within the engineering software/IDE used to manage that device. This could be used to (i) gain unauthorized access to the workstation, (ii) perform a DoS on the workstation, or (iii) propagate to other devices managed by that workstation.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2021-22289](https://www.cve.org/CVERecord?id=CVE-2021-22289)  \n  \"Improper Input Validation vulnerability in the project upload mechanism in B&R Automation Studio version \\>4.0 may allow an unauthenticated network attacker to execute code.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-20: Improper Input Validation](https://cwe.mitre.org/data/definitions/20.html)  \n  \"The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [EVIL PLC ATTACK: WEAPONIZING PLCS](https://claroty.com/team82/research/white-papers/evil-plc-attack-weaponizing-plcs)  \n  Claroty was able to install a malicious program on the PLC that would infect a connected EWS upon a program upload. In some cases, they were able to achieve arbitrary code execution on the EWS.\n\n- [Denial of Engineering Operations Attacks in Industrial Control Systems](https://cs.uno.edu/~irfan/publications/acm-codaspy-2018.pdf)  \n  \"Specifcally, the attacker can deceive the engineering software during attempts to retrieve the ladder logic program from a programmable logic controller (PLC) by manipulating the ladder logic on the PLC, such that the software is unable to process it while the PLC continues to execute it successfully. This attack vector can provide sufficient cover for the attacker\u2019s actual scenario to play out while the owner tries to understand the problem and reestablish positive operational control.\"",
            "x_mitre_emb3d_threat_id": "TID-309",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--6317d395-281c-4677-b1a3-33e588cde84a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.082327Z",
            "modified": "2025-04-21T14:20:07.082327Z",
            "name": "Remotely Accessible Unauthenticated Services",
            "description": "If an application does not authenticate all connections from a remote device or system, a threat actor can remotely establish a connection to the device to access confidential data or make unwanted changes to device status or configuration. Many popular protocols, such as FTP, Telnet, and HTTP, provide some support for authentication but are often implemented without enabling it. Authentication is critical for any remote services that supports configuration changes, enables access to sensitive data, or that can change operational functions.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-285: Improper Authorization](https://cwe.mitre.org/data/definitions/285.html)  \n  \"The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Unauthorized Command Message (T0855)](https://attack.mitre.org/techniques/T0855/) \u2013 [Procedure Example: Industroyer (S0604)](https://attack.mitre.org/software/S0604/)  \n  \"Using its protocol payloads, Industroyer sends unauthorized commands to RTUs to change the state of equipment.\"\n\n- [ATT&CK Technique: Unauthorized Command Message (T0855)](https://attack.mitre.org/techniques/T0855/) \u2013 [Procedure Example: Industroyer2 (S1072)](https://attack.mitre.org/software/S1072/)  \n  \"Industroyer2 is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.\"",
            "x_mitre_emb3d_threat_id": "TID-310",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--e5f90347-e6a0-412e-ab54-18aa1185ef09",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.082542Z",
            "modified": "2025-04-21T14:20:07.082542Z",
            "name": "Default Credentials",
            "description": "Devices often include default credentials from the vendor. Default credentials can be changed but are often overlooked when devices are commissioned. If left unchanged, a threat actor may discover and use these credentials to gain unauthorized access to the device. Non-unique or predictable default credentials can lead to device compromise.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [ICEFALL](https://www.forescout.com/resources/ot-icefall-report/) - [CVE-2022-29962](https://www.cve.org/CVERecord?id=CVE-2022-29962)  \n  \"The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. FTP has hardcoded credentials (but may often be disabled in production).\"\n\n- [CVE-2021-22681](https://www.cve.org/CVERecord?id=CVE-2021-22681), [CISA Alert](https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03)  \n  A hardcoded key in the Studio 5000 Logix Designer software and related PLCs would allow actors who can extract the key from the software to authenticate to controllers without going through the software or normal authentication process.",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1392: Use of Default Credentials (Base)](https://cwe.mitre.org/data/definitions/1392.html)  \n  \"The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.\"\n\n- [CWE-1393: Use of Default Password (Base)](https://cwe.mitre.org/data/definitions/1393.html)  \n  \"The product uses default passwords for potentially critical functionality.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a)  \n  \"Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices.\"",
            "x_mitre_emb3d_threat_id": "TID-311",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--85204183-21e8-44d9-bd71-a7928eb8736f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.08277Z",
            "modified": "2025-04-21T14:20:07.08277Z",
            "name": "Credential Change Mechanism Can Be Abused",
            "description": "A device's credential change mechanisms can be abused to lock out users from their own devices by changing credentials to something unknown to the legitimate user. This could impair the legitimate user from accessing the device and may also render the device permanently inoperable. This could also be coupled with unwanted device configuration changes before the user is locked out.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Kunbus PR100088 Modbus Gateway (Update B) \\| CISA](https://www.cisa.gov/news-events/ics-advisories/icsa-19-036-05) ([CVE-2019-6527](https://www.cve.org/CVERecord?id=CVE-2019-6527))  \n  \"PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166) may allow an attacker to be able to change the password for an admin user who is currently or previously logged in, provided the device has not been restarted.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-645: Overly Restrictive Account Lockout Mechanism (Base)](https://cwe.mitre.org/data/definitions/645.html)  \n  \"The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Change Credential (T0892)](https://attack.mitre.org/techniques/T0892/)  \n  \u201cA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key.\u201d\n\n- [ATT&CK Technique: Account Access Removal (T1531)](https://attack.mitre.org/techniques/T1531/)  \n  \"Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\"",
            "x_mitre_emb3d_threat_id": "TID-312",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--aa091fdb-adaa-4e89-a8c3-c40784fb73a1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.082994Z",
            "modified": "2025-04-21T14:20:07.082994Z",
            "name": "Unauthenticated Session Changes Credential",
            "description": "A threat actor can change or reset a password or credential without being authenticated. This can be used by a threat actor to set the credential to a known value and then use this to authenticate to the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Kunbus PR100088 Modbus Gateway (Update B) \\| CISA](https://www.cisa.gov/news-events/ics-advisories/icsa-19-036-05) \u2013 ([CVE-2019-6527](https://www.cve.org/CVERecord?id=CVE-2019-6527))  \n  \"An attacker may be able change the password for an admin user who is currently or previously logged in, provided the device has not been restarted.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)  \n  \"When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [ATT&CK Technique: Create Account: Local Account (T1136.001)](https://attack.mitre.org/techniques/T1136/001/)  \n  \"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\"",
            "x_mitre_emb3d_threat_id": "TID-313",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--825299f4-1bab-4682-82ba-450bfb7641d1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.083217Z",
            "modified": "2025-04-21T14:20:07.083217Z",
            "name": "Passwords Can Be Guessed Using Brute-Force Attempts",
            "description": "A threat actor could gain unauthorized access by continually guessing passwords. This could be because the device allows passwords with insufficient entropy, short password lengths, or does not have a mechanism to increase the time it takes to randomly guess passwords, such as password lockouts or cooldowns between guesses.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-334: Small Space of Random Values](https://cwe.mitre.org/data/definitions/334.html)  \n  \"The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.\"\n\n- [CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)  \n  \"The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [APT Cyber Tools Targeting ICS/SCADA Devices](https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-103a)  \n  \"Brute-force Schneider Electric PLC passwords using CODESYS and other available device protocols via UDP port 1740 against defaults or a dictionary word list (Note: this capability may work against other CODESYS-based devices depending on individual design and function, and this report will be updated as more information becomes available);\"",
            "x_mitre_emb3d_threat_id": "TID-314",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9ee0cfb0-5e71-47be-8576-de8802eb6b7e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.083432Z",
            "modified": "2025-04-21T14:20:07.083432Z",
            "name": "Password Retrieval Mechanism Abused",
            "description": "If the device includes a password retrieval mechanism, a threat actor could use that mechanism to retrieve a valid credential and then access the device. Password retrieval functions are typically intended to be used to support access from dedicated device management tools, but these functions may be reverse engineered and then initiated by the threat actor to gain valid credentials on a device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2022-2003](https://www.cve.org/CVERecord?id=CVE-2022-2003)  \n  \"The product is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes.\"\n\n- [ICEFALL](https://www.forescout.com/resources/ot-icefall-report/) \u2013 [CVE-2022-31205](https://www.cve.org/CVERecord?id=CVE-2022-31205)  \n  \"The password to access the Web UI can be read from memory using the Omron FINS protocol without any further authentication.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)  \n  \"The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [AutomationDirect DirectLOGIC with Serial Communication - CVE-2022-2003](https://www.cisa.gov/news-events/ics-advisories/icsa-22-167-02), [Research By Sam Hanson of Dragos](https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/)  \n  \"The product is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes.\"",
            "x_mitre_emb3d_threat_id": "TID-315",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--6f00418f-9859-4fce-966f-ffa7a4913525",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.083657Z",
            "modified": "2025-04-21T14:20:07.083657Z",
            "name": "Incorrect Certificate Verification Allows Authentication Bypass",
            "description": "Certificate-based authentication depends on the correct parsing and validation of an X.509 certificate. However, if the certificate is not properly parsed and all fields are not validated, a threat actor could potentially bypass authentication using a fraudulent certificate.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability](https://blog.talosintelligence.com/wolfssl-x509-vuln/)  \n  \"Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.\"\n\n- [Siemens RuggedCom ROX-based Devices Certificate Verification Vulnerability and GnuTLS Certificate Error handling Vulnerability](https://www.cisa.gov/news-events/ics-advisories/icsa-14-135-03a) - [CVE-2014-0092](https://www.cve.org/CVERecord?id=CVE-2014-0092)  \n  \"lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-295: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)  \n  \"The product does not validate, or incorrectly validates, a certificate.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [CVE-2020-0601](https://www.cve.org/CVERecord?id=CVE-2020-0601)  \n  \"Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The vulnerability is also known under the moniker of CurveBall.\"\n\n- [CVE-2023-41991](https://www.cve.org/CVERecord?id=CVE-2023-41991)  \n  \"Apple iOS, iPadOS, macOS, and watchOS contain an improper certificate validation vulnerability that can allow a malicious app to bypass signature validation.\"",
            "x_mitre_emb3d_threat_id": "TID-316",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--13394383-1d88-4ee4-b2b9-0f26fc03a657",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.083872Z",
            "modified": "2025-04-21T14:20:07.083872Z",
            "name": "Predictable Cryptographic Key",
            "description": "If the device does not generate sufficiently random cryptographic primitives, a threat actor could predict or brute-force guess a key to either gain unauthorized access to the device or decrypt a connection. Cryptographic keys that are not generated with random \"seed\" information, including from Pseudo-Random Number Generators (PRNG), will lack sufficient entropy. For example, researchers have demonstrated that a large number of Internet exposed devices with TLS or SSH services utilized the same RSA moduli, which could be then used to determine the device's private key and then used to remotely authenticate with the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Honeywell OneWireless Wireless Device Manager \\| CISA](https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06) - [CVE-2022-43485](https://www.cve.org/CVERecord?id=CVE-2022-43485)  \n  \"Use of Insufficiently Random Values in Honeywell OneWireless. This vulnerability may allow attacker to manipulate claims in client's JWT token. This issue affects OneWireless version 322.1\"\n\n- [Tropos Wireless Mesh Routers \\| CISA](https://www.cisa.gov/news-events/ics-advisories/icsa-12-297-01) - [CVE-2012-4898](https://www.cve.org/CVERecord?id=CVE-2012-4898)  \n  \"Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-331: Insufficient Entropy (Base)](https://cwe.mitre.org/data/definitions/331.html)  \n  \"The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.\"\n\n- [CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (Base)](https://cwe.mitre.org/data/definitions/338.html)  \n  \"The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Heninger, N. et al. \"Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices\"](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf)  \n  Researchers demonstrated that many internet connected devices had insufficient randomness in their TLS certificates. Additionaly, many of these devices had the same key as other devices. Lastly, for some of these keys, it was possible for researchers to derive private keys.",
            "x_mitre_emb3d_threat_id": "TID-317",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--d0ee8c9b-3b69-450d-897c-f1cb463bcb47",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.084097Z",
            "modified": "2025-04-21T14:20:07.084097Z",
            "name": "Insecure Cryptographic Implementation",
            "description": "The device uses a cryptographic library or implementation that either introduces an additional software vulnerability within the library. A threat actor can exploit these weaknesses or vulnerabilities to gain unauthorized access to the device or bypass the protections provided by the cryptographic protocol.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Heartbleed Bug and Subsequent Exploitation](https://heartbleed.com/) \u2013 [CVE-2014-0160](https://www.cve.org/CVERecord?id=CVE-2014-0160)  \n  \"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.\"\n\n- [Siemens RuggedCom ROX-based Devices Certificate Verification Vulnerability and GnuTLS Certificate Error handling Vulnerability](https://www.cisa.gov/news-events/ics-advisories/icsa-14-135-03a) \u2013 [CVE-2014-0092](https://www.cve.org/CVERecord?id=CVE-2014-0092)  \n  \"lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation](https://cwe.mitre.org/data/definitions/1240.html)  \n  \"To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs](https://www.mandiant.com/resources/blog/attackers-exploit-heartbleed-openssl-vulnerability)  \n  \"Beginning on April 8, an attacker leveraged the Heartbleed vulnerability against a VPN appliance and hijacked multiple active user sessions. Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users. With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated. The attack bypassed both the organization's multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.\"",
            "x_mitre_emb3d_threat_id": "TID-318",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--7db512d9-bbe1-4d46-a0fe-6cbeb7050f2f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.084314Z",
            "modified": "2025-04-21T14:20:07.084314Z",
            "name": "Cross Site Scripting (XSS)",
            "description": "The device does not properly restrict, filter, or validate the content of web-based requests or outputs, especially content used to construct HTTP or JavaScript elements within a web page. A threat actor can add malicious JavaScript to an HTTP request, including through a GET/POST parameter or HTTP header fields, which then executes on the browser of an unsuspecting user. The malicious JavaScript can then be used to steal session tokens or send malicious requests (especially leveraging XMLHttpRequest) to change device configurations or data.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [NetComm Wireless 4G LTE Light Industrial M2M Router](https://www.cisa.gov/news-events/ics-advisories/icsa-18-221-02) - [CVE-2018-14784](https://www.cve.org/CVERecord?id=CVE-2018-14784)  \n  \"The device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device.\"\n\n- [Siemens SIMATIC S7-1500 CPU Firmware Vulnerabilities, CISA](https://www.cisa.gov/news-events/ics-advisories/icsa-14-073-01) \u2013 [CVE-2014-2246](https://www.cve.org/CVERecord?id=CVE-2014-2246)  \n  \"The integrated web server may ... be vulnerable to cross-site request forgery (CSRF), cross-site scripting (XSS), header injection, and open redirect attacks as well as privilege escalation.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (Base)](https://cwe.mitre.org/data/definitions/79.html)  \n  \"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [ATT&CK Technique: Drive-by Compromise (T1189)](https://attack.mitre.org/techniques/T1189/)  \n  \"Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including: A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\"",
            "x_mitre_emb3d_threat_id": "TID-319",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--f04ee0a2-161f-42dd-a886-0f7cb99cb61a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.084544Z",
            "modified": "2025-04-21T14:20:07.084544Z",
            "name": "SQL Injection",
            "description": "The device does not property restrict, filter, or validate the content of web-based requests, especially content used to construct SQL commands or HTTP pages. A threat actor can add malicious content to these messages to cause unwanted code to execute on the device. SQL injection can be used to execute unauthorized commands (e.g., xp_cmdshell), or to manipulate or extract sensitive data within the database.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CSWorks Software SQL Injection Vulnerability, CISA](https://www.cisa.gov/news-events/ics-advisories/icsa-14-135-01) - [CVE-2014-2351](https://www.cve.org/CVERecord?id=CVE-2014-2351)  \n  \"The CSWorks software does not properly sanitize or validate the data used to construct read and write paths, which may make applications built with the affected product to be susceptible to an SQL injection attack. Depending on the intended use of the application, an attacker may be able to exploit this vulnerability to achieve remote code execution.\"\n\n- [Navis WebAccess SQL Injection Vulnerability, CISA](https://www.cisa.gov/news-events/ics-advisories/icsa-16-231-01) \u2013 [CVE-2016-5817](https://www.cve.org/CVERecord?id=CVE-2016-5817)  \n  \"The WebAccess application does not properly sanitize input that may allow a remote attacker to read, modify, and affect availability of data in the SQL database.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](https://cwe.mitre.org/data/definitions/89.html)  \n  \"The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [ATT&CK Technique: Server Software Component: SQL Stored Procedures (T1505.001)](https://attack.mitre.org/techniques/T1505/001/) \u2013 [Procedure Example: Stuxnet (S0603)](https://attack.mitre.org/software/S0603/)  \n  \"Stuxnet used xp_cmdshell to store and execute SQL code.\"\n\n- [ATT&CK Technique: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)  \n  Various threat actors have leveraged SQL injection to gain initial access to publicly facing web applications, including APT28, APT 39, and DragonFly.",
            "x_mitre_emb3d_threat_id": "TID-320",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--8b6a20c9-ae6e-4bae-9ae7-7486986a3fd0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.084775Z",
            "modified": "2025-04-21T14:20:07.084775Z",
            "name": "HTTP Application Session Hijacking",
            "description": "A threat actor can hijack an insufficiently protected HTTP session token to gain unauthorized access to a device. HTTP session tokens can be obtained by a threat actor if they're sent unencrypted over the network or if the site is vulnerable to cross-site scripting (XSS).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Siemens SICAM Q100](https://www.cisa.gov/news-events/ics-advisories/icsa-22-314-11) - [CVE-2022-43398](https://www.cve.org/CVERecord?id=CVE-2022-43398)  \n  Siemens SICAM Q100 devices do not renew session tokens/cookies between logins.\n\n- [MOXA NPort IAW5000A-I/O Series](https://www.cisa.gov/news-events/ics-advisories/icsa-20-287-01) - [CVE-2020-25198](https://www.cve.org/CVERecord?id=CVE-2020-25198)  \n  The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a session and hijack it by stealing the user\u2019s cookies.",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-384: Session Fixation (Composite)](https://cwe.mitre.org/data/definitions/384.html)  \n  \"Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [ATT&CK T1539 Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539/)  \n  \"An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.\"",
            "x_mitre_emb3d_threat_id": "TID-321",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--8b0a83f2-9988-48a7-be05-b6e17d77d19e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.08501Z",
            "modified": "2025-04-21T14:20:07.08501Z",
            "name": "Cross Site Request Forgery (CSRF)",
            "description": "If a threat actor can include malicious JavaScript within a page viewed by a legitimate device user, that script can send malicious authenticated HTTP requests (using XMLHttpRequest) to the device. Due to the Same Origin Policy defined by most web browsers, the HTTP requests sent to the device will include any valid session tokens the user/browser has previously established for that device. Therefore, this could be used to send malicious requests to a device to change key functions or configurations, including changing device credentials. This requires that the threat actor tricks the user into viewing another page while they have an authenticated session with the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [XZERES 442SR Wind Turbine CSRF Vulnerability](https://www.cisa.gov/news-events/ics-advisories/icsa-15-155-01) - [CVE-2015-3950](https://www.cve.org/CVERecord?id=CVE-2015-3950)  \n  \"The 442SR OS recognizes both the POST and GET methods for data input. By using the GET method, an attacker may retrieve the ID from the browser and will allow the default user ID to be changed. The default user has admin rights to the entire system.\"\n\n- [Fox DataDiode Proxy Server CSRF Vulnerability](https://www.cisa.gov/news-events/ics-advisories/icsa-14-269-02) - [CVE-2014-2358](https://www.cve.org/CVERecord?id=CVE-2014-2358)  \n  \"The administrative web interface of the Fox DataDiode proxy server is vulnerable to CSRF. By changing the configuration, the attacker can effectively disrupt the flow of information through the Fox DataDiode, resulting in a DoS.\"\n\n- [Siemens SIMATIC S7-1200 CSRF Vulnerability](https://www.cisa.gov/news-events/ics-advisories/icsa-15-239-02) - [CVE-2015-5698](https://www.cve.org/CVERecord?id=CVE-2015-5698)  \n  \"The integrated web server (Port 80/TCP and Port 443/TCP) of the affected programmable logic controllers (PLCs) could allow remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request.\"\n\n- [Schneider Electric ION Power Meter CSRF Vulnerability](https://www.cisa.gov/news-events/ics-alerts/ics-alert-16-256-02) \u2013 [CVE-2016-5809](https://www.cve.org/CVERecord?id=CVE-2016-5809)  \n  \"NCCIC/ICS-CERT is aware of a public report of a cross site request forgery (CSRF) vulnerability with proof-of-concept (PoC) exploit code affecting Schneider Electric\u2019s ION Power Meter products. According to this report, exploitation of this vulnerability can allow unauthorized actions on the device, such as configuration parameter changes and saving modified configuration.\"\n\n- [NetComm Wireless 4G LTE Light Industrial M2M Router](https://www.cisa.gov/news-events/ics-advisories/icsa-18-221-02) - [CVE-2018-14783](https://www.cve.org/CVERecord?id=CVE-2018-14783)  \n  \"A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-352: Cross-Site Request Forgery (CSRF) (Compound)](https://cwe.mitre.org/data/definitions/352.html)  \n  \"The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [Router Exploit Kits: An overview of RouterCSRF attacks and DNS hijacking in Brazil](https://decoded.avast.io/threatintel/router-exploit-kits-an-overview-of-routercsrf-attacks-and-dns-hijacking-in-brazil/)  \n  \"From February 1 until March 30, 2019, Avast\u2019s Web Shield blocked more than 4.6 million cross-site request forgery (CSRF) web-based attacks in Brazil, attempting to silently modify DNS settings on routers.\"\n\n- [Web-based attack targeting home routers, the Brazilian way](https://securelist.com/web-based-attack-targeting-home-routers-the-brazilian-way/66358/)  \n  \"We spotted an interesting attack from Brazilian bad guys aiming to change the DNS settings of home routers by using a web-based attack, some social engineering, and malicious websites. In these attacks the malicious DNS servers configured in the user\u2019s network device are pointed towards phishing pages of Brazilian Banks, programmed to steal financial credentials.\"",
            "x_mitre_emb3d_threat_id": "TID-322",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--79e6a926-00d3-4da4-ba37-f23ac4c28b69",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.08526Z",
            "modified": "2025-04-21T14:20:07.08526Z",
            "name": "Path Traversal",
            "description": "A threat actor can send requests for files or content that resides in different directories from those intended to be accessible by the web server. This can be used to gain access to data that is not intended to be remotely accessible through the web servers, such as files from the operating system or other applications. This threat is primarily a result of the web server having excessive privileges regarding files and directories on the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2023-39810](https://www.cve.org/CVERecord?id=CVE-2023-39810)  \n  \"An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.\"\n\n- [IDS RTU 850 Directory Traversal Vulnerability](https://www.cisa.gov/news-events/ics-advisories/icsa-15-148-01) - [CVE-2015-3939](https://www.cve.org/CVERecord?id=CVE-2015-3939)  \n  \"Using this vulnerability, an attacker is able to access some files from the internal service interface of the communication module. One of the accessible files contains the credentials (passwords) to access the internal service interface via telnet.\"\n\n- [Honeywell XL Web Controller Directory Traversal Vulnerability](https://www.cisa.gov/news-events/ics-advisories/icsa-15-076-02) - [CVE-2015-0984](https://www.cve.org/CVERecord?id=CVE-2015-0984)  \n  \"By using a directory traversal vulnerability in the FTP server, it is possible to gain access to the web root directory.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html)  \n  \"The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [CVE-2018-13379](https://www.cve.org/CVERecord?id=CVE-2018-13379)  \n  \"An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.\"",
            "x_mitre_emb3d_threat_id": "TID-323",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--f5715798-c7aa-4d82-805a-1ad6308a5983",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.085484Z",
            "modified": "2025-04-21T14:20:07.085484Z",
            "name": "HTTP Direct Object Reference",
            "description": "If a device does not properly authenticate all HTTP requests, a threat actor can directly send a request to a specific URL to access data or initiate a device function. This could be used to access/download sensitive data or perform unwanted changes to settings or functions on a device. This typically requires that the threat actor directly knows the URL of the specific file/object/page, rather than depending on the existing links provided by the web application. This is especially problematic for files hosted on a web server (e.g., txt, pdf) since the authentication mechanisms provided by the web application framework may not enforce access controls on those files.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Iagona ScrutisWeb](https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03) - [CVE-2023-38257](https://www.cve.org/CVERecord?id=CVE-2023-38257)  \n  \"Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insecure direct object reference vulnerability that could allow an unauthenticated user to view profile information, including user login names and encrypted passwords.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)  \n  \"The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- \\[KEV\\] [Telerik UI for ASP.NET AJAX - Insecure Direct Object Reference in RadAsyncUpload](https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/asyncupload-insecure-direct-object-reference) \u2013 [CVE-2017-11357](https://www.cve.org/CVERecord?id=CVE-2017-11357)  \n  \"Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution.\"",
            "x_mitre_emb3d_threat_id": "TID-324",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--d48175e7-c5bd-47ff-9fe0-35cd6d54fe9c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.085718Z",
            "modified": "2025-04-21T14:20:07.085718Z",
            "name": "HTTP Injection/Response Splitting",
            "description": "The device uses HTTP headers that are unencrypted, unvalidated, and/or unauthenticated. This means that the device may accept and process arbitrary data coming to the receiving web server over the network. Threat actors may therefore be able to inject their own information into the header, possibly using their input to get more information than they should have access to or exploiting a vulnerability on the receiving device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Cogent DataHub XSS and CRLF](https://www.cisa.gov/news-events/ics-advisories/icsa-12-016-01) - [CVE-2012-0310](https://www.cve.org/CVERecord?id=CVE-2012-0310)  \n  \"An HTTP header injection vulnerability (also known as carriage return line feed) exists in the Cogent DataHub application as the product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')](https://cwe.mitre.org/data/definitions/113.html)  \n  \"The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [\u201cDivide and Conquer\u201d: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics White paper](https://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf)  \n  This white paper outlines how an HTTP Response Splitting attack can take place, the follow-up attacks that are possible, and the impact they can have on machines. The author conducts sample attacks in a lab environment.",
            "x_mitre_emb3d_threat_id": "TID-325",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--b5e980ce-bb43-43ec-802c-25907e355e99",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.085953Z",
            "modified": "2025-04-21T14:20:07.085953Z",
            "name": "Insecure Deserialization",
            "description": "Many object-oriented languages use serialization to convert class objects into byte strings for more efficient storage or transmission. However, if an untrusted byte string is deserialized without properly validating its contents, it could be used to exploit a vulnerability in the associated library. A threat actor could send a maliciously crafted serialized object to a device to exploit a deserialization vulnerability within a device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Rockwell Automation ISaGRAF](https://www.cisa.gov/news-events/ics-advisories/icsa-22-095-01) - [CVE-2022-1118](https://www.cve.org/CVERecord?id=CVE-2022-1118)  \n  \"Connected Components Workbench, ISaGRAF Workbench, and Safety Instrumented System Workstation do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.\"\n\n- [Medtronic Paceart Optima System](https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-180-01) - [CVE-2023-31222](https://www.cve.org/CVERecord?id=CVE-2023-31222)  \n  \"Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic's Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization's Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.\"\n\n- [CVE-2021-4104](https://www.cve.org/CVERecord?id=CVE-2021-4104)  \n  \"JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-502: Deserialization of Untrusted Data (Base)](https://cwe.mitre.org/data/definitions/502.html)  \n  \"The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [Now You Serial, Now You Don\u2019t \u2014 Systematically Hunting for Deserialization Exploits](https://www.mandiant.com/resources/blog/hunting-deserialization-exploits)  \n  Mandiant has reported that between the years 2019-2021 APT41 used .NET ViewState and Java deserialization vulnerabilities in their campaigns.\n\n- \\[KEV\\] [Kentico Xperience Deserialization of Untrusted Data Vulnerability](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltextCVE-2019-10068&field_date_added_wrapperall&sort_byfield_date_added&items_per_page20) \u2013 [Kentico CMS 12.0.14 Remote Command Execution](https://packetstorm.news/files/id/157588) \u2013 [CVE-2019-10068](https://www.cve.org/CVERecord?id=CVE-2019-10068)  \n  \"An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.\"",
            "x_mitre_emb3d_threat_id": "TID-326",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--55121d60-3cc2-409b-9168-7e855dbc7404",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.08619Z",
            "modified": "2025-04-21T14:20:07.08619Z",
            "name": "Out of Bounds Memory Access",
            "description": "If an application does not properly restrict data writes to allocated memory locations, a threat actor could send an input or message that writes data outside of intended or allowed memory locations. By overwriting memory locations, an attacker can possibly hijack the control-flow of the program to remotely execute their own code or cause a DoS on the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Siemens ICS Switches Hit With Buffer Overflow, Authentication Bugs](https://threatpost.com/siemens-ics-switches-hit-with-buffer-overflow-authentication-bugs/110852/) \u2013 [CVE-2015-1449](https://www.cve.org/CVERecord?id=CVE-2015-1449)  \n  \"A buffer overflow present on Siemens ICS switches could allow threat actors to gain the ability to take administrative actions on switches.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1218: Memory Buffer Errors](https://cwe.mitre.org/data/definitions/1218.html)  \n  \"This is a weakness category related to the handling of memory buffers within a software system. It is possible that any of these weaknesses can lead to the development of a vulnerability to exploit in a given device.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- \\[KEV\\] [Tenda AC11 Wi-Fi Router Buffer Overflow Vulnerability](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31755) \u2013 [CVE-2021-31755](https://www.cve.org/CVERecord?id=CVE-2021-31755)  \n  \"An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.\"\n\n- \\[KEV\\] [Amcrest Camera/NVR Multiple Vulnerabilities](https://www.tenable.com/security/research/tra-2020-20) \u2013 [CVE-2020-5735](https://www.cve.org/CVERecord?id=CVE-2020-5735)  \n  \"Amcrest cameras and NVR are vulnerable to a stack-based buffer overflow over port 37777. An authenticated remote attacker can abuse this issue to crash the device and possibly execute arbitrary code.\"",
            "x_mitre_emb3d_threat_id": "TID-327",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--dda83adc-ea39-4e82-92e8-5022dff4d58a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.086431Z",
            "modified": "2025-04-21T14:20:07.086431Z",
            "name": "Hardcoded Credentials",
            "description": "Hardcoded credentials typically cannot be changed by end-users and are often undocumented, leaving the end-user unaware of the risk. If a threat actor is able to discover the credentials for a device (or family of devices with the same password), they may be able to exploit multiple devices with no known device-level mitigation. Hardcoded credentials are often intended for vendor-specific diagnostic functions or to authenticate components designed to communicate together (e.g., a PLC and associated IED), but can be abused by threat actors when discovered. Often hardcoded credentials are added to support debugging during a device\u2019s development and are mistakenly left in production devices.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- Zyxel USG 4.60 Hardcoded Credential - [CVE-2020-29583](https://www.cve.org/CVERecord?id=CVE-2020-29583)  \n  \"Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.\"\n\n- Eaton X303 PLC Hardcoded Credential - [CVE-2024-57811](https://www.cve.org/CVERecord?id=CVE-2024-57811)  \n  \"In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH. The root password is hardcoded in the firmware.\"\n\n- Smart PLC AC4xxS Firmware Hardcoded Credential - [CVE-2024-28747](https://www.cve.org/CVERecord?id=CVE-2024-28747)  \n  \"An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-798: Use of Hard-coded Credentials](https://cwe.mitre.org/data/definitions/798.html)  \n  \"The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Hardcoded Credentials (T0891)](https://attack.mitre.org/techniques/T0891/) \u2013 [Procedure Example: Incontroller (S1045)](https://attack.mitre.org/software/S1045/)  \n  \"INCONTROLLER can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151\"\n\n### Known Exploitable Weakness\n\n- \\[[KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=cve-2020-29583%5d)\\] [Undocumented user account in Zyxel products](https://www.eye.security/blog/undocumented-user-account-in-zyxel-products-cve-2020-29583) \u2013 [CVE-2020-29583](https://www.cve.org/CVERecord?id=CVE-2020-29583)  \n  \"Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account (\"zyfwp\") with an unchangeable password.\"",
            "x_mitre_emb3d_threat_id": "TID-328",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--9367d60b-3ef6-4d2a-8da3-71ffd9ea2418",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.086702Z",
            "modified": "2025-04-21T14:20:07.086702Z",
            "name": "Improper Password Storage",
            "description": "If a device stores passwords in an unsafe manner (e.g., in a cleartext file with no read restrictions) it may be possible for threat actors to retrieve system or user account passwords for that device. Threat actors can then use obtained passwords to increase their privileges and perform actions on the device or move laterally to other systems. Unsafe storage techniques can include storing passwords in cleartext, encrypting instead of hashing passwords, using weak hashing algorithms, or not using salted hashes.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Siemens S7-1200 Insecure Storage of HTTPS CA Certificate](https://www.cisa.gov/news-events/ics-advisories/icsa-12-263-01) - [CVE-2012-3037](https://www.cve.org/CVERecord?id=CVE-2012-3037)  \n  \"The certificate authority (CA) for HTTPS connections, which is installed on Siemens SIMATIC S7-1200 PLC, stores its private key insecurely. This key is used for signing certificates. Once this key is obtained, an attacker may create a forged certificate. This can then be used to complete a Man-in-the-Middle attack on a browser that already trusts this device\u2019s CA.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-257: Storing Passwords in a Recoverable Format](https://cwe.mitre.org/data/definitions/257.html)  \n  \"The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- \\[KEV\\] [D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=cve-2011-4723) - [CVE-2011-4723](https://www.cve.org/CVERecord?id=CVE-2011-4723)  \n  \"The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information.\"",
            "x_mitre_emb3d_threat_id": "TID-329",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--1d285166-3508-48ca-a8c6-05f1117faa03",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.08694Z",
            "modified": "2025-04-21T14:20:07.08694Z",
            "name": "Cryptographic Timing Side-Channel",
            "description": "Algorithms or code implementations of cryptographic processes will sometimes leak information by ending operations early or late based on, and correlated with, the input/key.\n\nIf a threat actor is able to execute code on a processor performing a cryptographic operation, they may be able to infer the resulting key from that operation by measuring the time it takes to perform the various functions.\n\nFor example, if a function like memcmp (which performs byte-by-byte comparison) is used to check an HMAC value, by measuring the time it takes for the function to execute, the length of time needed to brute force guess a key can be significantly reduced.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [OpenSSL Timing Side-Channel Vulnerability in ECDSA Signature Computation](https://nvd.nist.gov/vuln/detail/CVE-2024-13176) ([Red Hat](https://access.redhat.com/security/cve/cve-2024-13176)) - [CVE-2024-13176](https://www.cve.org/CVERecord?id=cve-2024-13176)  \n  \"A timing side-channel vulnerability was found in OpenSSL. This vulnerability allows an attacker to recover the private key. However, measuring the timing would require local access to the signing application or a fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This issue can happen with significant probability only for some of the supported elliptic curves. In particular, the NIST P-521 curve is affected.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-208: Observable Timing Discrepancy (Base)](https://cwe.mitre.org/data/definitions/208.html)  \n  \"Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.\"\n\n- [CWE-1254: Incorrect Comparison Logic Granularity (Base)](https://cwe.mitre.org/data/definitions/1254.html)  \n  \"The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.\"",
            "x_mitre_emb3d_threat_category": "application software",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [XBOX 360 HMAC Comparison](https://beta.ivc.no/wiki/index.php/Xbox_360_Timing_Attack)  \n  \"A memcmp function is used to check the CB-auth HMAC-hash value. The value is 16-bytes long and is done byte-by-byte wise. By changing one byte at a time it's possible to determine if a byte is the valid (true) by measuring the time to compare a false and a true value. Measuring each byte will in the end reveal the correct hash and the boot process can continue.  \n  The time differences for a valid and false value is about 2200 microseconds.  \n  Possibilities: 16 bytes \\* 256 different possibility for each byte, total 4096 tries. Statistically only half has to be tried, 2048 tries.\"",
            "x_mitre_emb3d_threat_id": "TID-330",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--74b33ffa-a184-4f82-9ba6-1c9e36a48d0a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.087177Z",
            "modified": "2025-04-21T14:20:07.087177Z",
            "name": "Undocumented Protocol Features",
            "description": "Some devices may support proprietary protocols, or may add proprietary functionality to open protocols. Many of the custom functions or commands may not be sufficiently documented.\n\nIf users aren't aware of these functions/commands, they cannot be expected to properly configure the device to remove unwanted functionality. Further, they are limited in their ability to monitor the device for any potential malicious use of these functions/commands to exploit devices.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Sixnet Universal Protocol Undocumented Function Codes](https://www.cisa.gov/news-events/ics-advisories/icsa-13-231-01b) - [CVE-2013-2802](https://www.cve.org/CVERecord?id=CVE-2013-2802)  \n  Sixnet devices use a universal protocol with 6 undocumented opcodes that can perform remote management functions (e.g., code execution) without authentication\n\n- [Schneider Electric Modicon Controllers and Software](https://www.cisa.gov/news-events/ics-advisories/icsa-21-194-02) - [CVE-2021-22779](https://www.cve.org/CVERecord?id=CVE-2021-22779)  \n  \"An authentication bypass by spoofing vulnerability exists that could cause unauthorized access in read and write mode to the controller by spoofing the Modbus communication between the engineering software and the controller.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1371: ICS Supply Chain: Poorly Documented or Undocumented Features](https://cwe.mitre.org/data/definitions/1371.html)  \n  \"Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities.\"\n\n- [CWE-912: Hidden Functionality (Class)](https://cwe.mitre.org/data/definitions/912.html)  \n  \"The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.\"\n\n- [CWE-1059: Insufficient Technical Documentation](https://cwe.mitre.org/data/definitions/1059.html)  \n  \"The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [The Vulnerability Can Lead to Native Remote-Code-Execution on Vulnerable PLCs](https://www.armis.com/research/modipwn/)  \n  \"Armis researchers discovered a new vulnerability (CVE-2021-22779) in Schneider Electric (SE) Modicon PLCs that bypasses security mechanisms added to these PLCs to prevent abuse of undocumented Modbus commands. These undocumented commands can allow full control over the PLC \u2014 overwriting critical memory regions, leaking sensitive memory content, or invoking internal functions.\"",
            "x_mitre_emb3d_threat_id": "TID-401",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--f099f3a2-1727-4d77-8af8-59143592e245",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.087409Z",
            "modified": "2025-04-21T14:20:07.087409Z",
            "name": "Remotely Triggerable Deadlock/DoS",
            "description": "Some devices will have operating modes that put the device in an inoperable state. Devices may also have network parsing or protocol vulnerabilities that can put the device in a deadlocked or otherwise unresponsive state. A threat actor may therefore be able to send a message to a device that causes it to enter one of these deadlocked or unresponsive states, rendering the device non-functional or leaving it in an otherwise degraded state. Additionally, if the device does not have a mechanism to reset or recover from this state, it may remain unavailable until it is reset or rebooted, which may require physical operator presence.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2015-5374](https://www.cve.org/CVERecord?id=CVE-2015-5374)  \n  \"Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-833: Deadlock](https://cwe.mitre.org/data/definitions/833.html)  \n  \"The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversary Technique\n\n- [ATT&CK Technique: Denial of Service (T0814)](https://attack.mitre.org/techniques/T0814/) \u2013 [Procedure Example: Industroyer (S0604)](https://attack.mitre.org/software/S0604/)  \n  \"The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually. Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E.\"\n\n- [ATT&CK Technique: Denial of Service (T0814)](https://attack.mitre.org/techniques/T0814/) \u2013 [Procedure Example: Backdoor.Oldrea (S0093)](https://attack.mitre.org/software/S0093/)  \n  \"The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.\"",
            "x_mitre_emb3d_threat_id": "TID-404",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--f7fb3293-88cf-4896-bbff-bc1e04a17a48",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.087641Z",
            "modified": "2025-04-21T14:20:07.087641Z",
            "name": "Network Stack Resource Exhaustion",
            "description": "Remote connections and communications can consume various device resources (e.g., network stack buffers, packet processing, socket connections) that, if exhausted, could lead to the device entering an unresponsive state. A threat actor may attempt to intentionally cause this by sending either repetitive or specially crafted messages to a device to consume resources and cause the device to become unresponsive. The unresponsive state will typically continue for at least the duration of the attack. In some cases, it may persist until the device is reset or rebooted, which may require physical operator presence.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [CVE-2020-3566](https://www.cve.org/CVERecord/SearchResults?query=CVE-2020-3566)  \n  \"Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to immediately crash the IGMP process or make it consume available memory and eventually crash.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)  \n  \"The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.\"\n\n- [CWE-410: Insufficient Resource Pool](https://cwe.mitre.org/data/definitions/410.html)  \n  \"The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversary Technique\n\n- [ATT&CK Technique: Service Stop (T0881)](https://attack.mitre.org/techniques/T0881/) \u2013 [Procedure Example: Industroyer2 (S1072)](https://attack.mitre.org/software/S1072/)  \n  \"Killing the 'PService_PDD.exe' service causes the interruption of any existing communication with target IEC-104 servers, which usually supports at most one active connection at a time. Having interrupted existing connections, Industroyer2 is free to connect to the targets.\" This action will prevent other devices from connecting to the IEC-104 servers for as long as the Industroyer2 connection is active.\n\n- \\[KEV\\] [Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz) \u2013 [CVE-2020-3566](https://www.cve.org/CVERecord/SearchResults?query=CVE-2020-3566)  \n  \"Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to immediately crash the IGMP process or make it consume available memory and eventually crash.\"",
            "x_mitre_emb3d_threat_id": "TID-405",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--20e1c1fe-e1de-4a80-a22e-3184f9484736",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.087868Z",
            "modified": "2025-04-21T14:20:07.087868Z",
            "name": "Unauthorized Messages or Connections",
            "description": "Some devices operate using protocols that have no capacity for network-level authentication, connection, or creation of sessions on-device, therefore allowing a threat actor to establish malicious connections or send malicious data to the device. Authentication mechanisms include passwords and cryptographic keys/certificates.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report/) ([CVE-2022-30266](https://www.cve.org/CVERecord?id=CVE-2022-30266), [CVE-2022-33139](https://www.cve.org/CVERecord?id=CVE-2022-33139), [CVE-2019-18250](https://www.cve.org/CVERecord?id=CVE-2019-18250))  \n  Many devices in the OT-ICEFALL report had authentication on the client-side, but not for the protocol. What this means is that while users may think actions are authenticated, actors who are able to send/receive traffic over the network may be able to issue commands without proper authentication.\n\n- [CVE-2019-6533](https://www.cve.org/CVERecord?id=CVE-2019-6533)  \n  \"Registers used to store Modbus values can be read and written from the web interface without authentication in the PR100088 Modbus gateway versions prior to Release R02 (or Software Version 1.1.13166).\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-306: Missing Authentication for Critical Function (Base)](https://cwe.mitre.org/data/definitions/306.html)  \n  \"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.\"\n\n- [CWE-287: Improper Authentication (Class)](https://cwe.mitre.org/data/definitions/287.html)  \n  \"When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK T0860 Wireless Compromise](https://attack.mitre.org/techniques/T0860/)  \n  \"During the Polish Train incident, a teenager was able to program a remote with commands to operate and change junctions on the tracks. The teenager was able to then send those commands, without authentication, to operate the junctions.\"\n\n- [ATT&CK Technique: Unauthorized Command Message (T0855)](https://attack.mitre.org/techniques/T0855/) \u2013 [Procedure Example: INCONTROLLER (S1045)](https://attack.mitre.org/software/S1045/)  \n  \"INCONTROLLER can send custom Modbus commands to write register values on Schneider PLCs.\"",
            "x_mitre_emb3d_threat_id": "TID-406",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--027d72fa-4254-45ac-b2b0-c90578336f92",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.0881Z",
            "modified": "2025-04-21T14:20:07.0881Z",
            "name": "Missing Message Replay Protection",
            "description": "Threat actors may be able to replay a message to a device to cause an unwanted function, send an unwanted command, or gain access to privileged data. Message replaying can be used to bypass nonexistent or poorly designed authentication mechanisms lacking proper protections, such as a nonce or timestamp.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Schneider Electric Modicon Modbus Protocol](https://www.cisa.gov/news-events/ics-advisories/icsa-17-101-01) - [CVE-2017-6034](https://www.cve.org/CVERecord?id=CVE-2017-6034)  \n  \"Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and download.\"\n\n- [Sierra Wireless AirLink Raven X EV-DO Vulnerabilities](https://www.cisa.gov/news-events/ics-advisories/icsa-14-007-01b) - [CVE-2013-2820](https://www.cve.org/CVERecord?id=CVE-2013-2820)  \n  \"The AirLink Raven X EV-DO is vulnerable to replay attacks that bypass authentication. By sending a series of crafted packets to Port 17336/UDP and Port 17388/UDP, an attacker could reprogram the device\u2019s firmware image. This could allow the attacker to affect the availability of the firmware.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-294: Authentication Bypass by Capture-replay (Base)](https://cwe.mitre.org/data/definitions/294.html)  \n  \"A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK T0887 Wireless Sniffing](https://attack.mitre.org/techniques/T0887/)  \n  \"In the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.\"  \n    \n  \"In [Dallas](https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/)' case, there are a number of ways that the attack could have been carried out, but the most likely is that someone carried out a \"radio replay\" attack, which involves recording the radio signal that was broadcast during the latest monthly test of the emergency siren system and playing it back repeatedly on Friday, according to Bastille, a security firm specializing in finding and remediating radio frequency vulnerabilities.\"",
            "x_mitre_emb3d_threat_id": "TID-407",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--0a7390e5-fb6a-4f05-84dd-1cce5466d1de",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.088328Z",
            "modified": "2025-04-21T14:20:07.088328Z",
            "name": "Unencrypted Sensitive Data Communication",
            "description": "Some devices do not adequately encrypt communications that include operational or management information. Without adequate encryption, a threat actor can eavesdrop on the communications to gain access to device operational information, management information, or authentication information such as credentials or keys. Examples of popular protocols that lack encryption include FTP, Telnet, HTTP, Modbus, and DNP3.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [Sierra Wireless AirLink Raven X EV-DO Vulnerabilities](https://www.cisa.gov/news-events/ics-advisories/icsa-14-007-01b) \u2013 [CVE-2013-2819](https://www.cve.org/CVERecord?id=CVE-2013-2819)  \n  \"The AirLink Raven X EV-DO does not use encryption in the update and reprogramming process. By using the passwords and user names that are stored in plain text, an attacker could reprogram the firmware.\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-29954](https://www.cve.org/CVERecord?id=CVE-2022-29954)  \n  \"The BSAP/IP protocol transmits passwords in plaintext\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-30261](https://www.cve.org/CVERecord?id=CVE-2022-30261)  \n  \"The ROC protocol transmits passwords in plaintext.\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-30266](https://www.cve.org/CVERecord?id=CVE-2022-30266)  \n  \"The SRTP protocol transmits passwords in plaintext\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-30312](https://www.cve.org/CVERecord?id=CVE-2022-30312)  \n  \"The Inter-controller (IC) protocol transmits PINs, usernames and passwords in plaintext\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-31204](https://www.cve.org/CVERecord?id=CVE-2022-31204)  \n  \"The password used to restrict engineering operations is transmitted in plaintext\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-29519](https://www.cve.org/CVERecord?id=CVE-2022-29519)  \n  \"The ResConf protocol transmits usernames, passwords and session tokens in plaintext.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)  \n  \"The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK T0842 Network Sniffing](https://attack.mitre.org/techniques/T0842/)  \n  \u201cNetwork sniffing is the practice of using a network interface on a computer system to monitor or capture information regardless of whether it is the specified destination for the information.\u201d\n\n- [ATT&CK T0887 Wireless Sniffing](https://attack.mitre.org/techniques/T0887/)  \n  \u201cAdversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments.\u201d",
            "x_mitre_emb3d_threat_id": "TID-408",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--a71049a8-bfe9-47cf-a645-2b3d04cd3bdb",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.088554Z",
            "modified": "2025-04-21T14:20:07.088554Z",
            "name": "Cryptographic Protocol Side Channel",
            "description": "While encrypting data can prevent a threat actor from directly obtaining the plaintext communication, a threat actor may be able to infer information about the device or communicated data through side-channel and metadata analysis of encrypted communication sessions. For example, a threat actor could use information about message lengths, sequences, and frequency to infer some or all of the plaintext content of messages.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-1230: Exposure of Sensitive Information Through Metadata](https://cwe.mitre.org/data/definitions/1230.html)  \n  \"The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Proof of Concept\n\n- [Classifying IoT devices in smart environments using network traffic characteristics](https://forms1.ieee.org/rs/682-UPB-550/images/Classifying%20IoT%20Devices%20in%20Smart%20Environments%20Using%20Network%20Traffic%20Characteristics.pdf)  \n  \"This paper shows that IoT devices can be identified with high accuracy based on their network behavior, and sets the stage for future work in detecting misbehaviors resulting from security breaches in teh \\[sic\\] smart environment.\"\n\n- [Traffic Fingerprinting Attacks on Internet of Things using Machine Learning](https://www.researchgate.net/publication/338788145_Traffic_Fingerprinting_Attacks_on_Internet_of_Things_Using_Machine_Learning)  \n  \"However, even if encryption was in place, characteristics of the traffic, such as packet sizes and traffic rates, may expose the user\u2019s current activities\"\n\n- [Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information](https://syed-rafiul-hussain.github.io/wp-content/uploads/2019/02/paging-side-channel-ndss19.pdf)  \n  \"Our paper sheds light on an inherent design weakness of the 4G/5G cellular paging protocol which can be exploited by an attacker to not only obtain the victim\u2019s paging occasion but also to identify the victim\u2019s presence in a particular cell area just from the victim\u2019s soft-identity (e.g., phone number, Twitter handle) with a novel attack called ToRPEDO.\"",
            "x_mitre_emb3d_threat_id": "TID-410",
            "x_mitre_emb3d_threat_maturity": "proof of concept"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--7da95ae6-55cf-4cdc-ae5a-da0f86688cfb",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.088779Z",
            "modified": "2025-04-21T14:20:07.088779Z",
            "name": "Weak/Insecure Cryptographic Protocol",
            "description": "The device utilizes a weak or insecure cryptographic protocol or algorithm that can be broken or undermined. This could allow the threat actor to extract plaintext information from encrypted communications, extract cryptographic keys, or bypass authentication mechanisms.\n\nA threat actor can utilize various techniques to manipulate these protocols, including brute-force guessing of keys or using cryptanalysis to decipher the text.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-30273](https://www.cve.org/CVERecord?id=CVE-2022-30273)  \n  \"The MDLC protocol offers a legacy encryption mode that encrypts traffic using the Tiny Encryption Algorithm (TEA) block-cipher in ECB mode, which offers no message integrity and reduced confidentiality.\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-29955](https://www.cve.org/CVERecord?id=CVE-2022-29955)  \n  \"The BSAP/IP protocol uses weak encryption to transmit passwords.\"\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - [CVE-2022-29960](https://www.cve.org/CVERecord?id=CVE-2022-29960)  \n  \"DES with hardcoded cryptographic keys is used to protect system credentials, engineering files, and sensitive utilities.\"",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)  \n  \"The product uses a broken or risky cryptographic algorithm or protocol.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Known Exploitable Weakness\n\n- [Wi-Fi hack caused TK Maxx security breach](https://www.zdnet.com/article/wi-fi-hack-caused-tk-maxx-security-breach/)  \n  \"TK Maxx's parent company, TJX, had secured its wireless network using Wired Equivalent Privacy (WEP) \u2014 one of the weakest forms of security for wireless LANs... hackers cracked the WEP encryption protocol used to transmit data between price-checking devices, cash registers and computers at a store in Minnesota.\"\n\n### Proof of Concept\n\n- [Empirical Study of PLC Authentication Protocols in Industrial Control Systems](https://doi.org/10.1109/SPW53761.2021.00058)  \n  Researchers Adeen Ayub, Hyunguk Yoo, and Irfan Ahmed discovered eight protocol level authentication vulnerabilities between 5 PLCs. One of the classes of vulnerabilities they discovered was weak encryption schemes.\n\n- [OT-ICEFALL](https://www.forescout.com/resources/ot-icefall-report) - Weak Cryptography on CODESYS V3  \n  \"The encryption scheme uses an insecure mode of operation. The code is encrypted in ECB mode without additional cryptographic authentication and integrity over the ciphertext as a whole.\"",
            "x_mitre_emb3d_threat_id": "TID-411",
            "x_mitre_emb3d_threat_maturity": "known exploitable weakness"
        },
        {
            "type": "vulnerability",
            "spec_version": "2.1",
            "id": "vulnerability--d15cb2c2-6c8d-4864-8813-21ccab54ede2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.089Z",
            "modified": "2025-04-21T14:20:07.089Z",
            "name": "Network Routing Capability Abuse",
            "description": "Some devices will allow for the forwarding of packets to other connected devices (e.g., routing, port forwarding, tunneling, VPN). If the device is used to forward or route communications, a threat actor could change the forwarding rules or routes. This feature could be used by the threat actor to either (i) disable required forwarding rules to prevent authorized communications or (ii) add new rules that allow unauthorized access to other devices. The threat actor could potentially use this to gain access to devices that are within protected networks or zones.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_threat_CVEs": "- None referenced",
            "x_mitre_emb3d_threat_CWEs": "- [CWE-306: Missing Authentication for Critical Function (Base)](https://cwe.mitre.org/data/definitions/306.html)  \n  \"The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.\"\n\n- [CWE-15: External Control of System or Configuration Setting](https://cwe.mitre.org/data/definitions/15.html)  \n  \"One or more system settings or configuration elements can be externally controlled by a user.\"",
            "x_mitre_emb3d_threat_category": "networking",
            "x_mitre_emb3d_threat_evidence": "### Observed Adversarial Technique\n\n- [ATT&CK Technique: Connection Proxy (T0884)](https://attack.mitre.org/techniques/T0884/) \u2013 [Procedure Example: Incontroller (S1045)](https://attack.mitre.org/software/S1045/)  \n  \"The INCONTROLLER PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.\"",
            "x_mitre_emb3d_threat_id": "TID-412",
            "x_mitre_emb3d_threat_maturity": "observed adversarial technique"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--eeeb5034-b1a9-4abe-a58d-20415b75591f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.049892Z",
            "modified": "2025-04-21T14:20:07.049892Z",
            "name": "Software Only Bootloader Authentication",
            "description": "Under a software bootloader authentication scheme, the bootloader is authenticated using a software-based mechanism where the key, authenticated integrity measurement, and verification logic are stored within memory and the authentication is performed on a main/multipurpose processor. This performs boot-time integrity verification of the bootloader to ensure it was not previously modified or tampered with. Before a bootloader is executed, it should be authenticated by taking an integrity measurement (e.g., hash) of the bootloader, and verifying the hash against a signed integrity measurement stored in a bootrom. A device may have multiple bootloaders which operate in multiple stages; therefore, this mitigation may need to be implemented and executed multiple times across the stages to ensure the integrity of each stage.\n\nLastly, authenticating the first and all subsequent bootloaders allows the device to build a chain-of-trust, through which a secure boot scheme can be made for the device. Secure boot schemes allow the device to use earlier-staged authenticated bootloaders to authenticate and launch subsequent bootloaders and software.\n\nBecause this mitigation stores the keys and authentication logic/mechanisms in memory and executes checks on the main CPU, this mitigation is vulnerable to key extractions (*TID-214: Secrets Extracted from Device Root of Trust*) and tampering with the authentication process (*TID-214: Inadequate Bootloader Protection and Verification*). To minimize this threat, the first stage of the bootloader that performs this check should be stored within ROM to prevent modification by possible malicious code injected at runtime.\n\n<u>Note</u>: This mitigation is in contrast to a hardware-based bootloader authentication scheme (*MID-002 - Hardware-backed Bootloader Authentication*), where dedicated hardware is used to protect the key and authentication process.\n\n<u>Limitation</u>: A software-based bootloader authentication scheme can be bypassed if a threat actor is able to physically extract symmetric keys from storage, memory, or through side-channel analysis of the processor while the key is in use. Additionally, if the device is using asymmetric encryption, these protections can be undermined by changing the hash of the public key or the public key itself stored on the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.14 \u2013 Integrity of the boot process",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-001",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Ubuntu. \"Signing.\" ubuntu.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://wiki.ubuntu.com/UEFI/SecureBoot/Signing>\n\n\\[2\\] U-Boot. \"U-Boot Verified Boot.\" u-boot.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://docs.u-boot.org/en/latest/usage/fit/verified-boot.html>\n\n\\[3\\] T. Lewis and M. Khandelwal. \"Best Practices for UEFI Secure Boot Guidelines.\" uefi.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://uefi.org/sites/default/files/resources/Insyde%20HPE%20NSA%20and%20UEFI%20Secure%20Boot%20Guidelines_FINAL%20v2%20%281%29.pdf>\n\n\\[4\\] National Security Agency. \"Boot Security Modes and Recommendations.\" nsa.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-boot-security-modes-and-recommendations.pdf>\n\n\\[5\\] Android. \"Implementing dm-verity.\" android.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://source.android.com/docs/security/features/verifiedboot/dm-verity>\n\n\\[6\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardwear.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8587ab09-1a39-4f81-b96f-820dff3ae1e4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.0506Z",
            "modified": "2025-04-21T14:20:07.0506Z",
            "name": "Hardware-backed Bootloader Authentication",
            "description": "A secure boot scheme where a hardware root of trust verifies the integrity of the bootloader will give a device strong security against bootloader tampering prior to boot time. A hardware root of trust gives a device the ability to securely store signatures and keys somewhere that they cannot be accessed before or after booting. This root of trust can then be used to perform boot-time integrity verification of the bootloader to ensure it was not previously modified or tampered with. Before a bootloader is executed, it should be authenticated by taking an integrity measurement (e.g., hash) of the bootloader, and verifying the integrity measurement against a signed integrity measurement stored in the hardware element. A device may have multiple bootloaders which operate in multiple stages; therefore, this mitigation may need to be implemented and executed multiple times across the stages to ensure the integrity of each stage.\n\nAdditionally, this hardware root of trust can be used to anchor a chain-of-trust flowing from the bootloader that can be used to verify the integrity of other modules on the device.\n\nThis implementation will vary based on different secure boot schemes and frameworks, along with device architectures and operating systems.\n\n<u>Note</u>: This mitigation requires that the device has a secure hardware root of trust. Please see *PID-25 - Device includes software/hardware root of trust* for information about related threats and mitigations.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.14 \u2013 Integrity of the boot process",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-002",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Microsoft. \"Secure boot.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot>\n\n\\[2\\] T. Lewis and M. Khandelwal. \"Best Practices for UEFI Secure Boot Guidelines.\" uefi.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://uefi.org/sites/default/files/resources/Insyde%20HPE%20NSA%20and%20UEFI%20Secure%20Boot%20Guidelines_FINAL%20v2%20%281%29.pdf>\n\n\\[3\\] ARM. \"Trusted Board Boot Requirements Client (TBBR-CLIENT) Armv8-A.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://developer.arm.com/documentation/den0006/d>\n\n\\[4\\] National Security Agency. \"Boot Security Modes and Recommendations.\" nsa.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-boot-security-modes-and-recommendations.pdf>\n\n\\[5\\] Intel. \"Intel Hardware Shield - Below-the-OS Security.\" intel.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://web.archive.org/web/20231220181349/https://www.intel.com/content/dam/www/central-libraries/us/en/documents/below-the-os-security-white-paper.pdf>\n\n\\[6\\] ARM. \"Secure boot.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://developer.arm.com/documentation/PRD29-GENC-009492/c/TrustZone-Software-Architecture/Booting-a-secure-system/Secure-boot?lang=en>\n\n\\[7\\] Chromium. \"Security in ChromeOS.\" chromium.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.chromium.org/chromium-os/developer-library/reference/security/security-whitepaper/#hardware-root-of-trust-and-verified-boot>\n\n\\[8\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardwear.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--ccb74d86-53ad-4e13-a10b-1434b74d3d73",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.050848Z",
            "modified": "2025-04-21T14:20:07.050848Z",
            "name": "Periodic/Continuous Integrity Measurement and Remote Attestation",
            "description": "Building on the simpler *MID-009 - Operating System-based Runtime Integrity Check*, devices can go further and periodically take integrity measurements and send them out in remote attestation messages. These measurements can be implemented separately across multiple parts of the device stack, such as the bootloader, firmware, software, and application process level, and can include readings on bootloader integrity, device timing statistics, process and page-table integrity, and overall memory integrity. With a combination of all of this information, users can gain a reasonable sense of whether the device\u2019s normal operations have been manipulated.\n\n<u>Note</u>: Periodic integrity measurements are the most valuable and trustworthy when a device has a secure operating environment in which to perform its measurement calculations and network encryption. The presence of these properties may, however, expose a device to threats related to *PID-41 - Device exposes remote network services*, *PID-4113 - Device includes cryptographic functions for sensitive data, such as encryption or authentication*, *PID-251 - Root of Trust is physically accessible or is not immutable*, or *PID-252 - Root of Trust is immutable*.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-003",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Microsoft. \"Microsoft Azure Attestation.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/azure/attestation/overview>\n\n\\[2\\] Microsoft. \"Attestation.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/azure/confidential-computing/attestation-solutions>\n\n\\[3\\] Z. Ling, H. Yan, X. Shao, J. Luo., Y. Xu, B. Pearson, and X. Fu. \"Secure boot, trusted boot, and remote attestation for ARM TrustZone-based IoT Nodes\" in Journal of Systems Architecture, Jul. 2021. Vol. 119. \\[Online.\\] Available: <https://www.sciencedirect.com/science/article/pii/S1383762121001661>\n\n\\[4\\] Red Balloon Security. \"Symbiote Injection Process.\" redballoon.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://redballoonsecurity.com/symbiote-injection-process/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--ba6a22e5-ad39-465a-8de5-e407f504c64d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.05107Z",
            "modified": "2025-04-21T14:20:07.05107Z",
            "name": "Memory Hardening Against Code Injection",
            "description": "Mechanisms to protect memory against code injection include restricting what parts of memory can execute code and randomizing address space to prevent the development of effective exploits.\n\nExecutable Space Protection and Write xor Execute (W^X) should be used to restrict what code can be executed in memory. Executable Space Protection uses either hardware or software features to mark memory as non-executable, thereby preventing injected code from being executed. W^X restricts a memory page from being both writable and executable; therefore, any memory that can be overwritten by a threat actor (W) cannot be executable (X).\n\nAddress space layout randomization (ASLR) is designed to reduce the predictability of memory addresses so that a threat actor cannot consistently find areas of memory that are able to be exploited or manipulated. This can be done across the application and kernel (KASLR) data spaces.\n\nLastly, program stack specific mitigations, such as stack canaries \\[5\\], safe/unsafe stack schemes \\[4\\], etc. can be used to detect or increase the difficulty of stack overwrite attacks.\n\nDevices should use a combination of the above classes of code and memory injection protections to give their device a more secure posture.\n\n<u>Limitations</u>: Some mechanisms that specifically address code injection can be bypassed by attacks that reuse existing code, such as return-to-libc and return-oriented programming (ROP). Further, ASLR can be undermined by secondary vulnerabilities that disclose memory space addresses.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-004",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Microsoft. \"Data Execution Prevention.\" microsoft.com. Accessed: Apr. 15, 2025. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/windows/win32/memory/data-execution-prevention>\n\n\\[2\\] The kernel development community. \"Kernel Self-Protection.\" kernel.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.kernel.org/doc/html/v5.4/security/self-protection.html?highlight=kaslr>\n\n\\[3\\] J. Thompson. \"Six Facts about Address Space Layout Randomization on Windows.\" google.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cloud.google.com/blog/topics/threat-intelligence/six-facts-about-address-space-layout-randomization-on-windows/>\n\n\\[4\\] The Clang Team. \"SafeStack.\" llvm.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://releases.llvm.org/15.0.0/tools/clang/docs/SafeStack.html>\n\n\\[5\\] E. Styger. \"Stack Canaries with GCC: Checking for Stack Overflow at Runtime.\" mcuoneclipse.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://mcuoneclipse.com/2019/09/28/stack-canaries-with-gcc-checking-for-stack-overflow-at-runtime/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--9523218d-4c1f-46e9-8f85-ed105bf1a3a8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.051289Z",
            "modified": "2025-04-21T14:20:07.051289Z",
            "name": "Memory Safe Programming Languages",
            "description": "Memory safe programming languages will give the device security guarantees around the bounds of memory that are safe to read, write, or execute. This can greatly reduce attacks targeting memory bounding errors. Memory safety integration in a device can take multiple forms. Individual drivers, libraries, critical kernel functions, or applications should be implemented in memory safe programming languages. In other instances, it may be possible to use entire kernels or OSes written in memory safe programming languages.\n\n<u>Consideration</u>: Memory safe programming languages implement memory safety using different mechanisms. Based on a device\u2019s resources and properties, using one language over another may be desirable. For example, certain memory safe programming languages use more resources due to their runtime memory protections. These can include garbage collection, virtual runtime environments, and code interpreters. Languages that fall into this category are Java, Python, and Go. Other languages, such as Rust, use compile-time checks to handle address spacing mappings and frees.\n\n<u>Limitation</u>: Use of a memory safe language can help protect against a significant number of common vulnerabilities; however, it does not address every type of software weakness. For example, issues related to input validation, logic flaws, or deserialization can still occur in software written in memory safe languages.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-005",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] National Security Agency. \"Software Memory Safety.\" defense.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--e987e693-7a9b-409b-a965-d70c12fb7303",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.051492Z",
            "modified": "2025-04-21T14:20:07.051492Z",
            "name": "Driver Memory Isolation",
            "description": "Driver memory isolation separates a given driver from other drivers and OS/Kernel functionality wherever possible. Examples include microkernel architectures and schemes that split some or all of a driver to run in user space vs within a monolithic kernel.\n\nDeploying drivers in a memory isolated context is an effective way of reducing the attack surface of an OS/Kernel because drivers are frequently handling I/O operations and external data, making them readily targetable. When drivers are not memory isolated, a vulnerability in one driver may enable a threat actor to move laterally to other drivers or OS/Kernel components, potentially giving them more access on a device. Memory isolation makes lateral movement more difficult.\n\n<u>Limitations</u>: Memory can likely never be fully separated due to a need for driver information to be handled by the system or applications running on the device. For this reason, the attack surface will never be entirely eliminated, and other protections, such as the usage of memory safe programming languages, could be put in place to further decrease the threat actor\u2019s attack surface.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-006",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Y. Huang, V. Narayanan, D. Detweiler, K. Huang, G. Tan, T. Jaeger, A. Burtsev. (Jul. 2022). KSplit: Automating Device Driver Isolation. Presented at Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation. \\[Online.\\] Available: <https://www.usenix.org/system/files/osdi22-huang-yongzhe.pdf>\n\n\\[2\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardwear.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--cbadec49-5289-4fa5-96fc-45bb2dbdfc62",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.051696Z",
            "modified": "2025-04-21T14:20:07.051696Z",
            "name": "Control Flow Manipulation Protections",
            "description": "Control Flow Integrity (CFI) mechanisms ensure that the runtime flow of the program does not deviate from the developer\u2019s intended control flow. In the presence of CFI, threat actors have a more difficult time changing the flow of a program or violating program behaviors because the program has checks in place to ensure that the right functions are called at predictable memory locations. This can protect against attacks that abuse valid memory spaces and existing code, such as Return Oriented Programming (ROP) seen in *TID-206: Memory Management Protections Subverted*, because the program code flow, and therefore sections of code such as return addresses, are guaranteed integrity and therefore cannot be manipulated.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-007",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] M. Benatto. \"Fighting exploits with Control-Flow Integrity (CFI) in Clang.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.redhat.com/en/blog/fighting-exploits-control-flow-integrity-cfi-clang>\n\n\\[2\\] Android. \"Control flow integrity.\" android.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://source.android.com/docs/security/test/cfi>\n\n\\[3\\] R. Walls, N. Brown, T. Le Baron, C. Chue, H. Okharvi, B. Ward. \"Control-Flow Integrity for Real-Time Embedded Systems.\" mit.edu. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://web.mit.edu/ha22286/www/papers/ECRTS19.pdf>\n\n\\[4\\] I. Anati and O. Simhon. \"Control Flow Enforcement Technology.\" intel.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://web.archive.org/web/20241016153202/https://www.intel.com/content/dam/develop/external/us/en/documents/catc17-introduction-intel-cet-844137.pdf>\n\n\\[5\\] National Security Agency. \"Software Memory Safety.\" defense.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF>\n\n\\[6\\] Apple. \"Improving control flow integrity with pointer authentication.\" apple.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://developer.apple.com/documentation/browserenginekit/improving-control-flow-integrity-with-pointer-authentication>\n\n\\[7\\] Microsoft. \"Control Flow Guard for platform security.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>\n\n\\[8\\] ARM. \"Overview of Control Flow Integrity.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://developer.arm.com/documentation/100748/0619/Security-features-supported-in-Arm-Compiler-for-Embedded/Overview-of-Control-Flow-Integrity>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--06e509b2-e700-4a87-a50d-44e3e276bbe4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.051908Z",
            "modified": "2025-04-21T14:20:07.051908Z",
            "name": "Decidable Protocols and Parsers",
            "description": "One way to understand a protocol's complexity is through a computational theoretic perspective (e.g., LangSec). For example, the Chomsky hierarchical rank of the grammar used to create a protocol directly dictates the minimum computational model necessary to recognize and parse the protocol. Therefore, 1) structured data and protocols should be designed using the lowest level grammar possible so that 2) parsers can be made using minimally and appropriately matched computational models (e.g., a deterministic push-down automaton being used to parse context free input languages instead of a Turing machine).\n\n**1. Regarding implementing your own protocol**\n\nThe design of any new protocol should include an understanding of the grammar used to create that protocol and the computational model necessary to parse that protocol to ensure that the language can be correctly represented by a decidable computational model, particularly with regard to the equivalence problem. This would mean building a protocol out of a regular or deterministic context-free grammar.\n\nUnless a protocol or input language can be built from a regular or deterministic context-free grammar, any corresponding parsers cannot be built to be recognizers and parsers of that protocol without being made undecidable with regard to the equivalence problem *and* maintain full protocol functionality. This is important because if a parser is built to run over an undecidable grammar with regard to the equivalence problem, it will be impossible to guarantee that the parser does not enter an unwanted or vulnerable state. This makes the parser have a higher chance of exhibiting exploitable behaviors.\n\n**2. Regarding implementing your own parser**\n\nThe design of any new protocol parser should be made such that the computational model of that parser conforms to the minimally sufficient computational model necessary to parse that protocol. If a protocol parser is made to be more complex than the grammar used to make the protocol would otherwise require, threat actors may be able to discover unwanted or vulnerable states that could lead to exploitation. Minimally necessary computational models, ideally ones that are decidable with regard to the equivalence problem, allow for machine states to be checked and give threat actors fewer opportunities to exploit parser behavior.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- none",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-008",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] L. Sassaman, M. L. Patterson, S. Bratus, A. Shubina, \u201cThe Halting Problems of Network Stack Insecurity,\u201d USENIX ;login:, vol. 36, no. 6, pp. 22-32, Dec. 2011. \\[Online\\]. Available: <https://www.usenix.org/legacy/publications/login/2011-12/openpdfs/Sassaman.pdf>\n\n\\[2\\] \u201cLangSec: Recognition, Validation, and Compositional Correctness for Real World Security.\u201d Accessed: Aug. 27, 2024. \\[Online\\]. Available: <http://langsec.org/bof-handout.pdf>\n\n\\[3\\] Sergey Bratus, Adam J. Crain, Sven M. Hallberg, Daniel P. Hirsch, Meredith L. Patterson, Maxwell Koo, and Sean W. Smith. 2016. Implementing a vertically hardened DNP3 control stack for power applications. In Proceedings of the 2nd Annual Industrial Control System Security Workshop (ICSS '16). Association for Computing Machinery, New York, NY, USA, 45\u201353."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f6a83c80-4b62-49b5-8f90-1f063ae59b7d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.052113Z",
            "modified": "2025-04-21T14:20:07.052113Z",
            "name": "Runtime System Integrity Checking",
            "description": "Runtime integrity checks can be performed by the operating system kernel or privileged third-party security tools to verify the integrity of files, data, and executables read from storage before use or execution. Checks may be performed at different levels of granularity depending on the implementation, for example at the file level \\[1\\], or as filesystem blocks are read from a storage device \\[2\\]. For example, signatures and hashes of the data may be stored as metadata and used by the mechanism to check the integrity of data as it is accessed by the kernel and prepared for reading or execution. If the integrity check fails, an error condition will be raised which may range from triggering an audit event, to producing a read error for the data, or even halting the system.\n\n<u>Limitations</u>: This is an OS-enforced control; therefore, an attacker may bypass it by exploiting a privilege escalation vulnerability to obtain access to the kernel at runtime or by undermining the integrity of the OS kernel early in the boot process.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-009",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] H. Sidhpurwala. \"How to use the Linux kernel's Integrity Measurement Architecture.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.redhat.com/en/blog/how-use-linux-kernels-integrity-measurement-architecture>\n\n\\[2\\] Android. \"Implement dm-verity.\" android.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://source.android.com/docs/security/features/verifiedboot/dm-verity>\n\n\\[3\\] V. Pamnani. \"System Guard: How a hardware-based root of trust helps protect Windows.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows#secure-launchthe-dynamic-root-of-trust-for-measurement-drtm>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--27f19a6f-785c-4246-9753-51ba1eab6d99",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.052306Z",
            "modified": "2025-04-21T14:20:07.052306Z",
            "name": "No Runtime OS Driver Loading",
            "description": "The ability to load kernel modules and drivers during runtime is a vector for threat actors to exploit, either by loading an adversary-controlled module that is directly malicious or a vulnerable, but otherwise legitimate, module containing a privilege escalation vulnerability that can be later exploited. Therefore, if there is no need to support runtime loading and executing of drivers, removing that ability can eliminate this threat vector.\n\nWhen there is a need for loadable drivers and kernel modules, *MID-011 - OS Driver/Peripheral Authentication* discusses how to do so safely.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.7 \u2013 Least functionality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-010",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b5828b26-1fb3-46e1-a792-e50c949dad77",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.052506Z",
            "modified": "2025-04-21T14:20:07.052506Z",
            "name": "OS Driver/Peripheral Authentication",
            "description": "OSes should prevent the execution of malicious drivers by authenticating the drivers before they are loaded and executed on the device. This can be done by only allowing drivers that have been signed and authenticated with a vendor private key to load. These signatures can be checked locally on the device and accepted if and only if the signature passes verification.\n\nAdditionally, a central operating system is sometimes responsible for loading firmware at runtime onto peripheral devices (often by way of an associated driver). The operating system should verify the authenticity of those peripheral firmware packages as part of, or alongside, checking the driver prior to loading them on the peripheral hardware (e.g., an FPGA, sub-component microcontroller, etc.).\n\nThis authentication scheme should be coupled with *MID-001 - Software Only Bootloader Authentication* or *MID-002 - Hardware-backed Bootloader Authentication*, where the device authenticates the bootloader and then leverages that trusted bootloader to verify all the drivers that are going to be run on the device. Therefore, drivers are verified by the bootloader, which is in turn given security guarantees from the root of trust.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-011",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] H. Sidhpurwala. \"How to use the Linux kernel's Integrity Measurement Architecture.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.redhat.com/en/blog/how-use-linux-kernels-integrity-measurement-architecture>\n\n\\[2\\] Gentoo Authors. \"Signed kernel module support.\" gentoo.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://wiki.gentoo.org/wiki/Signed_kernel_module_support>\n\n\\[3\\] Allen-Bradley. \"ControlLogix EtherNet/IP Module.\" rockwellautomation.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://literature.rockwellautomation.com/idc/groups/literature/documents/rn/1756-rn659_-en-p.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--872ee72c-3b85-4d16-bcb4-a90e1f0da9bd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.052712Z",
            "modified": "2025-04-21T14:20:07.052712Z",
            "name": "OS-based Access Control Mechanisms",
            "description": "The OS should enforce access controls for all users and programs to prevent unauthorized access to OS resources, services, and system calls. There are numerous methods of restricting permissions and privileges to users and programs, including leveraging OS-based access control mechanisms that restrict OS system calls or sandbox-based approaches that encapsulate programs within restrictive environments. These mechanisms should be implemented to enforce access based on the principle of least privilege - which states that programs and users should only have access to the resources that they absolutely need to operate, and nothing else.\n\nOperating systems typically deploy various access control mechanisms that restrict which system calls can be executed and what resources those system calls can access. While many operating systems include a default Discretionary Access Control (DAC) mechanism, these have limitations on their ability to define granular permissions for privileged functions. Strong access control mechanisms include (i) capabilities-based permission models, which provide more granular controls over privileged functions, or (ii) mandatory access control (MAC) mechanisms (e.g., SELinux), which allow fully customizable privileges across all system calls and resources. Further, programs should obtain privileged access only for key functions and then downgrade those privileges after the function is performed (e.g., setuid/setgid). The access control mechanisms deployed by the device must be sufficiently sophisticated to support the variety of programs and applications, their exposure to threats (e.g., network services), and the criticality of specific data or resources.\n\nOther mechanisms can be used to further restrict what resources an executing process may access. For example, in Linux the seccomp feature can be used to limit which of the OS kernel\u2019s system calls a process may invoke, further constricting the attack surface a compromised process can access to increase its foothold on a device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 2.1 \u2013 Authorization Enforcement",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-012",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] AppArmor. \"Linux kernel security module.\" apparmor.net. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.apparmor.net/>\n\n\\[2\\] M. Kerrisk. \"seccomp.\" man7.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.man7.org/linux/man-pages/man2/seccomp.2.html>\n\n\\[3\\] RedHat. \"4.2 SELinux and Mandatory Access Control (MAC).\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_security_guide/sect-virtualization_security_guide-svirt-mac>\n\n\\[4\\] RedHat. \"10.4. Defining Role-Based Access Controls.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/defining-roles>\n\n\\[5\\] J. Kline. \"The Linux Security Hardening Checklist for Embedded Systems.\" starlab.io. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.starlab.io/blog/the-linux-security-hardening-checklist-for-embedded-systems>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--99f476af-d683-4276-abc2-1facc268df50",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.052908Z",
            "modified": "2025-04-21T14:20:07.052908Z",
            "name": "Process and Thread Memory Segmentation",
            "description": "Separating the memory between processes and threads, using enforcement mechanisms like memory management units (MMUs) or memory protection units (MPUs), shrinks the attack surface available to threat actors. Memory space separation prevents a threat actor from trivially accessing the memory of other threads or processes to conduct lateral movement, privilege escalation, or process manipulation. This is frequently done through using virtual memory allocation schemes with the MMU.\n\nAdditionally, running all software/applications in separate isolated memory-restricted regions and using the kernel/OS to broker between processes can greatly reduce a device\u2019s threat landscape. This is because restricting software/applications to their own segments and using kernel-brokered inter-process communication (IPC) forces adversaries to go through the kernel to gain unauthorized access to other processes.\n\n<u>Limitations</u>: IPC implementations will vary and will depend on the function of the device and its hardware architecture. IPC mechanisms and kernel system calls can have their own vulnerabilities that allow privilege escalation or lateral movement.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-013",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] timlt. \"Eclipse ThreadX.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://github.com/eclipse-threadx/rtos-docs#embedded-security-components-memory-protection>\n\n\\[2\\] D. Pandey. \"Inter Process Communication (IPC).\" geeksforgeeks.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.geeksforgeeks.org/inter-process-communication-ipc/>\n\n\\[3\\] BlackBerry. \"Interprocess Communication (IPC).\" qnx.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.qnx.com/developers/docs/7.1/#com.qnx.doc.neutrino.sys_arch/topic/ipc.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.053119Z",
            "modified": "2025-04-21T14:20:07.053119Z",
            "name": "Sandboxing",
            "description": "Sandboxes are software execution environments that run code under restrictions to limit that code\u2019s access to system resources a non-restricted user-level process would otherwise have access to. This is especially useful when handling untrusted code provided by users (e.g., a PLC program) or 3<sup>rd</sup> parties (e.g., JavaScript from a remote web site), especially when supporting such code is a mandatory device function and cannot simply be forbidden (as in MID-051).\n\nA sandbox runtime provides only filtered and managed access to system resources. For example, an untrusted program will not have direct access to invoke kernel syscalls, read or write to files, access network interfaces, etc. The runtime can then provide only limited access to specific constrained resources governed by security policy, which can significantly reduce the risk of executing untrusted code. These protections will make lateral movement to different processes more difficult for malicious code running within a sandbox, as the code has no access to memory in those processes and has little to no access to privileged function calls. Malicious code will be unable to access and manipulate data, memory, and code outside the sandbox without first finding and exploiting a vulnerability in the sandbox itself. Mobile devices running iOS and Android are a widely used example of this, running all applications in individual sandboxes to protect user data from malicious applications \\[1\\]\\[4\\]. Another example is the WebAssembly (WASM) format, initially developed to allow compiled code to safely execute in a sandbox within a web browser (similar to how JavaScript code is sandboxed) \\[5\\]. WASM use is growing in popularity for other environments, such as embedded systems, that can benefit from its portability and sandboxing properties \\[6\\]. This includes WASM runtimes optimized for embedded systems such as the Bytecode Alliance\u2019s WebAssembly Micro Runtime (WAMR) project \\[7\\].\n\nAdditionally, the abstraction provided by a sandbox can be used to prevent untrusted code from exploiting vulnerabilities that require low-level access to hardware (e.g., TID-103, TID-110). For example, in response to the Spectre and Meltdown vulnerabilities, web browsers deployed changes to their JavaScript engines to reduce the resolution of timers available to JavaScript code, reducing timer accuracy below the threshold necessary to successfully exploit the timing-based side channel \\[2\\]\\[3\\]. A similar change in Chromium-based browsers eliminates a form of RowHammer that researchers crafted using JavaScript and WebGL \\[2\\].",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-014",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Apple. \u201cApple Platform Security.\u201d apple.com. Accessed: Aug. 26, 2024. \\[Online\\]. Available: <https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf>\n\n\\[2\\] The Chromium Projects. \u201cMitigating Side-Channel Attacks.\u201d Chromium Security. Accessed: Sep. 5, 2024. \\[Online.\\] Available: <https://www.chromium.org/Home/chromium-security/ssca/>\n\n\\[3\\] L. Wagner. \u201cMitigations landing for new class of timing attack.\u201d Mozilla Security Blog. Accessed: Sep. 5, 2024. \\[Online.\\] Available: [https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/](https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/)\n\n\\[4\\] Android Open Source Project. \u201cApplication Sandbox.\u201d AOSP Documentation. Accessed: Sep. 10, 2024. \\[Online.\\] Available: <https://source.android.com/docs/security/app-sandbox>\n\n\\[5\\] WebAssembly. \u201cSecurity.\u201d webassembly.org. Accessed: Sep. 10, 2024. \\[Online.\\] Available: <https://webassembly.org/docs/security/>\n\n\\[6\\] C. Breck. *WebAssembly at the IoT Edge.* (Mar. 23, 2023). Accessed: Mar. 31, 2025. \\[Online Video\\]. Available: <https://www.youtube.com/watch?v=oRuSX-FYybU>\n\n\\[7\\] \u201cWebAssembly Micro Runtime.\u201d Bytecode Alliance. Accessed: Mar. 31, 2025. \\[Online.\\] Available: <https://bytecodealliance.github.io/wamr.dev/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--2a6eea4b-7841-43af-9052-89ab92cfb06f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.05333Z",
            "modified": "2025-04-21T14:20:07.05333Z",
            "name": "Containerization",
            "description": "Some operating systems offer the ability to create containers that wrap small sets of applications in isolated partitions. Each container has its own view of system resources that is isolated from other containers and the host OS. Examples include Linux containers (LXC), Docker, BSD jails, etc. Container partitions are created by the host OS kernel, which provides each container with isolated copies of various system resources, such as a unique guest filesystem, partitioned network stack, process ID space, user ID space, etc. Unlike virtualization (see MID-022), container systems do not need to provide virtualized views of hardware running separate full operating systems; instead, abstracting at the level of a single kernel instance allows for lower performance overhead. However, OS kernels typically have a larger attack surface than a VM system\u2019s hypervisor, so containers are generally considered to be a weaker form of isolation than virtualization \\[2\\]. Device designers should consider risk vs performance tradeoffs when selecting which isolation technology to implement, although both technologies can be used in parallel to achieve the desired balance.\n\nContainers offer several opportunities for security hardening. All the capabilities of MID-012 and MID-013 are available within each container partition. Furthermore, container filesystems can be stripped down to the bare minimum necessary for the applications within the container to function (see *MID-016 \u2013 Least Functionality*). So-called \u201crootless\u201d container design patterns can be employed such that all processes within a container context run with unprivileged non-root user permissions. Host-side orchestration tools like Docker can enforce additional security restrictions over container contexts when they are created \\[1\\]. For example, seccomp syscall filters can be applied to each container to restrict what kernel interfaces any process within that container may access, which reduces the opportunities for container breakout attacks \\[4\\]. Finally, device developers may consider utilizing non-persistent or immutable (read-only) container image design patterns. These increase the difficulty for attackers to establish a foothold within a container while simplifying the process of restoring containers to a known-good state through restarting containers from an integrity-checked known-good state periodically or in response to indicators of compromise.\n\n<u>Note</u>: Containers can offer additional non-security benefits to device developers. The additional modularization they provide can make application development and maintenance more efficient, including making various devops practices more accessible to embedded device development workflows \\[6\\].",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code\n\n- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-015",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Docker. \"Docker Engine security.\" docker.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://docs.docker.com/engine/security/>\n\n\\[2\\] M. Ahuje. \"CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit.\" crowdstrike.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/>\n\n\\[4\\] V. Rothberg. \"Improving Linux container security with seccomp.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.redhat.com/sysadmin/container-security-seccomp>\n\n\\[5\\] M. Kerrisk. \"seccomp.\" man7.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.man7.org/linux/man-pages/man2/seccomp.2.html>\n\n\\[6\\] Wind River Systems Inc. \u201cWhat are Embedded Containers?\u201d Accessed: Sep. 5, 2024. \\[Online.\\] Available: <https://www.windriver.com/solutions/learning/embedded-containers>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--d84af586-2e1e-4040-a977-9202463b10fa",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.053525Z",
            "modified": "2025-04-21T14:20:07.053525Z",
            "name": "Least Functionality",
            "description": "Removing all unnecessary programs or features can greatly limit the number of tools available on a device for adversaries to potentially use. For example, by removing a compiler, unnecessary code, device drivers, or unnecessary binaries from a device, adversaries won't be able to leverage that functionality into device exploits. If devices starve the threat actors of available tools, it will be more difficult for them to leverage capabilities into malicious activity.\n\n<u>Limitations:</u> Many device functions that could be abused by a threat actor are necessary to support the device\u2019s core operational or management functions and therefore cannot be removed.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.7 \u2013 Least functionality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-016",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] CISA. \"Identifying and Mitigating Living Off the Land Techniques.\" cisa.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques>\n\n\\[2\\] J. Phipps. \"Living Off the Land Attacks: LOTL Definition & Prevention.\" esecurityplanet.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.esecurityplanet.com/networks/living-off-the-land-attacks/#best-practices>\n\n\\[3\\] B. Lenaerts-Bergmans. \"What Are Living Off the Land (LOTL) Attacks?.\" crowdstrike.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--a03c9402-b6a3-4a53-805d-a5000f65f4e7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.053736Z",
            "modified": "2025-04-21T14:20:07.053736Z",
            "name": "Security-relevant Auditing and Logging",
            "description": "Devices should include audit logs of all user access, configuration changes, program updates, service starts and stops, and other events related to security. This allows device operators and security teams to investigate device actions and hunt for unusual behavior that may be indicators of compromise.\n\nProgrammable devices like PLCs should keep logs of all program changes so that device operators have the ability to audit them to check for threat actor attempts to manipulate device operating environments. Particularly useful auditable events include program edits, appends, and online edits.\n\n<u>Limitations</u>: Embedded devices often have constraints that limit the extent of on-device logging, such as a lack of storage space, NVRAM burnout, and network bandwidth limitations. Device designers and operators should take these limitations into account when choosing what data should be logged either locally or remotely.\n\n<u>Consideration</u>: Devices should take *TID-224: Excessive Access via Software Diagnostic Features* into consideration when designing their logging and log access scheme. Logging sensitive information, such as system crash information (core dumps, memory addresses), credentials, or keys, or giving read access to non-privileged users, could expose the device to information leaks.\n\n<u>Note</u>: It is possible to overcome some of the storage limitations by offloading the data over the network. While this presents other issues related to network bandwidth, data reliability, and network-data costs, it helps to overcome some other device-level limitations.\n\n<u>Note</u>: See the threats associated with *PID-324 - Device includes support for \"program uploads\" to retrieve programs from the device from an engineering workstation* for more information about uploading programs for inspection.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 2.8 \u2013 Auditable events\n\n- CR 3.7 \u2013 Error handling",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-017",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] CISA. \"Identifying and Mitigating Living Off the Land Techniques.\" cisa.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques>\n\n\\[2\\] P. Czanik. \"Reliable IoT event logging with syslog-ng.\" opensource.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://opensource.com/article/18/3/logging-iot-events-syslog-ng>\n\n\\[3\\] A. Bharadwaj Madabhushana. \u201cConfigure Linux system auditing with auditd\u201d redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: [https://www.redhat.com/sysadmin/configure-linux-auditing-auditd](https://www.redhat.com/sysadmin/configure-linux-auditing-auditd)"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--64b2d6ce-b91f-4bcf-8efe-e21773a264c9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.053957Z",
            "modified": "2025-04-21T14:20:07.053957Z",
            "name": "Require Authentication for Privileged Functions",
            "description": "Privileged functions that can severely affect the performance or critical functions of a device should only be accessible to authenticated privileged users. This includes functions such as configuration changes, user account changes, role and permission changes, operating state changes, etc. Alerting for failed access attempts is recommended to detect brute-force login attempts. Additionally, the authentication scheme should include controls for limiting session lifetimes, such as requiring reauthentication based on periods of inactivity.\n\n<u>Note</u>: The mitigation *MID-031 - Physical Presence Validation* can be paired with this mitigation for more robust device security.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.1 \u2013 Human user interaction and authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-018",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] CISA. \"Identifying and Mitigating Living Off the Land Techniques.\" cisa.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques>\n\n\\[2\\] Magisk. \"sudo Command in Linux with Examples.\" geeksforgeeks.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.geeksforgeeks.org/sudo-command-in-linux-with-examples/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8e70538f-1149-41af-b14b-55d135cacb6a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.05415Z",
            "modified": "2025-04-21T14:20:07.05415Z",
            "name": "ROP Gadget Minimization",
            "description": "Applying Return Oriented Programming (ROP) gadget protection techniques to device code involves eliminating sequences of instructions that can be used as ROP gadgets, zeroing out registers, monitoring gadget history, using gadgets to hide other gadgets, modifying gadgets to make them unusable, etc. The goal of these mechanisms is to reduce the number of reusable code fragments that can successfully be used as ROP gadgets, reducing the likelihood that a threat actor can assemble a number and variety of gadgets sufficient to craft a working exploit payload.\n\nGadget minimization is most easily performed at compile time, when the compiler is in control over the precise strings of machine instructions it produces \\[2\\]\\[3\\]\\[4\\]. Other work seeks to identify and potentially remove or neutralize gadgets found in previously compiled libraries and executables \\[1\\].",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-019",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] ivanfratric. \"ropguard.\" github.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://github.com/ivanfratric/ropguard>\n\n\\[2\\] pagabuc. \"gfree.\" github.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://github.com/pagabuc/gfree>\n\n\\[3\\] K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda. \"G-Free: defeating return-oriented programming through gadget-less binaries\" in Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10. \\[Online.\\] Available: <https://doi.org/10.1145/1920261.1920269>\n\n\\[4\\] F. Cassano, C. Bershatsky, J. Ginesin, S. Bashenko, \"SafeLLVM: LLVM Without The ROP Gadgets!,\" 2023, arXiv:2305.06092v3"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--364abc12-f815-45b2-800b-c44bf95a99ce",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.054341Z",
            "modified": "2025-04-21T14:20:07.054341Z",
            "name": "Pointer Authentication",
            "description": "Pointer authentication is a hardware security feature added to some recent processor designs (e.g., ARMv8.3) which attaches authentication codes to designated pointer values in memory. When the pointer is accessed, for example as a function pointer to jump execution to, its value is checked against the authentication code to ensure it has not been tampered with by a threat actor attempting to perform return-oriented programming or another form of control flow hijack. To implement pointer-level authentication, supported hardware, OS, and compilers are necessary.\n\nPointer authentication features can be utilized in the implementation of a *MID-007 - Control Flow Integrity* scheme, but with the advantage of hardware support that should reduce the performance overhead cost typically associated with software-based CFI implementations.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-020",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] H. Liljestrand, T. Nyman, K. Wang, C. Perez, J. Ekberg, N. Asokan. \"PAC it up: Towards Pointer Integrity using ARM Pointer Authentication\" presented at 28th USENIX Security Symposium, Aug. 2019. \\[Online.\\] Available: <https://www.usenix.org/system/files/sec19-liljestrand_0.pdf>\n\n\\[2\\] M. Rutland. \"ARMv8.3 Pointer Authentication\" presented at Linux Security Summit., Sept. 2017, Available: <https://events.static.linuxfound.org/sites/events/files/slides/slides_23.pdf>\n\n\\[3\\] ARM. Pointer Authentication on ARMv8.3. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/pointer-auth-v7.pdf>\n\n\\[4\\] A. Mujumdar. \"Armv8.1-M Pointer Authentication and Branch Target Identification Extension.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/armv8-1-m-pointer-authentication-and-branch-target-identification-extension>\n\n\\[5\\] ARM. \"Basics of Pointer Authentication.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.arm.com/learning-paths/servers-and-cloud-computing/pac/pac/>\n\n\\[6\\] Apple. \u201cOperating system integrity.\u201d apple.com. Accessed: Mar 24, 2025. \\[Online.\\] Available: <https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#sec0167b469d>\n\n\\[7\\] J. Ravichandran, W. T. Na, J. Lang and M. Yan, \"PACMAN: Attacking ARM Pointer Authentication With Speculative Execution,\" in IEEE Micro, vol. 43, no. 4, pp. 11-18, July-Aug. 2023, doi: 10.1109/MM.2023.3273189."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--715dd540-24dd-4893-b313-682dc9c1dc11",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.054531Z",
            "modified": "2025-04-21T14:20:07.054531Z",
            "name": "VM Hardening",
            "description": "Virtual Machines (VMs) provide programs with execution environments that are separated from the rest of the system, providing useful security properties (seen in *MID-022 - Segmentation Through Hardware-assisted VMs*). To help ensure that those guarantees are maintained, the hypervisor\u2019s attack surface accessible from within a VM should be minimized.\n\nVM platforms often offer a variety of virtual hardware devices and APIs to access other hypervisor-provided resources and services to ease tasks like sharing data into and out of a VM. A threat actor that has thoroughly compromised the operating systems resident in a guest VM can access these interfaces and attempt to exploit any vulnerabilities to escalate once again into the hypervisor\u2019s privilege level. Restricting virtual hardware and hypervisor service access to the minimum required by each guest VM reduces the likelihood of a compromise spreading laterally to other VMs or into the hypervisor.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.7 \u2013 Least functionality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-021",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] vmware. \"VMware Infrastructure 3 Security Hardening.\" vmware.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://web.archive.org/web/20231114211053/https://www.vmware.com/pdf/vi3_security_hardening_wp.pdf>\n\n\\[2\\] M. Jha. \"Hardening Virtual Machine Security.\" vstellar.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://vstellar.com/2017/12/hardening-virtual-machine-security/>\n\n\\[3\\] RedHat. \"Chapter 4. sVirt.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/virtualization_security_guide/chap-virtualization_security_guide-svirt>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--dcf1e046-4998-4760-872b-1ec05f414436",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.05473Z",
            "modified": "2025-04-21T14:20:07.05473Z",
            "name": "Segmentation Through Hardware-assisted VMs",
            "description": "Virtual machines increase the level of isolation for software and data by virtualizing and partitioning device hardware and running their own dedicated operating system kernel (unlike containers that share a kernel). This provides stronger separation than kernel-based containers (MID-015) or process separation (MID-013) but at the cost of higher performance overhead. Software compromises will be contained within a VM even if the threat actor can successfully exploit a privilege escalation vulnerability in the OS kernel within a given VM, protecting any code or data present in other VMs.\n\nHardware-assisted Virtual Machines (VMs) take advantage of CPU extensions that specifically support virtualization use cases to enforce strict separation between VMs\u2019 RAM and other resources. A hypervisor can utilize these CPU features to provide a high degree of assurance in that separation with relatively little performance overhead compared to a fully software-based VM scheme. More advanced hardware features extend the hardware-based separation to I/O device access by extending the functionality of IOMMU features (see MID-053).\n\n<u>Note</u>: Implementing this mitigation will likely expose devices to threats associated with *PID-242 - Device includes hypervisor*.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 2.1 \u2013 Authorization enforcement: RE (1) Authorization enforcement for all users (humans, software processes and devices)",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-022",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OpenSystems Media. \"Embedded virtualization: Latest trends and techniques.\" embeddedcomputing.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://embeddedcomputing.com/technology/processing/embedded-virtualization-latest-trends-and-techniques>\n\n\\[2\\] BlackBerry. \"What Is Virtualization for Embedded Systems?.\" qnx.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://blackberry.qnx.com/en/ultimate-guides/embedded-system-security/virtualization-for-embedded-systems>\n\n\\[3\\] E. Kou. \"Virtualization for embedded industrial systems.\" ti.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.ti.com/lit/wp/spry317b/spry317b.pdf>\n\n\\[4\\] openstack. \"Hardening the virtualization layers.\" openstack.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://docs.openstack.org/security-guide/compute/hardening-the-virtualization-layers.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--7670760e-d316-498f-8ef6-788a518b80f3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.054935Z",
            "modified": "2025-04-21T14:20:07.054935Z",
            "name": "Hypervisor Hardening",
            "description": "Highly privileged hypervisor software is required to orchestrate and manage the execution of multiple virtual machines. The hypervisor brokers the access guest VMs have to virtual and physical hardware resources and any support services implemented by the hypervisor itself. Because of its privilege level, the hypervisor must be hardened against compromise, a multi-faceted process that can involve multiple technical controls to increase hypervisor security.\n\nHypervisor-side software components that help implement hypervisor service APIs and the virtual hardware devices exposed to guest VMs should be isolated and sandboxed with minimal privileges to constrain any compromise of those components from spreading to more privileged domains within the hypervisor context. For example, in a hypervisor/host-OS combination based on Linux\u2019s KVM features, the software processes implementing each VM could be run with reduced privileges and under a restrictive SELinux policy \\[4\\].\n\nIn an embedded systems context, the configuration of the hypervisor and guest VMs is likely to be relatively static with no need to dynamically stop, start, or alter the configurations of VMs during runtime. In that case the hypervisor software and its configurations could be stored in immutable memory to the extent possible and only allowed to be changed as a result of the device\u2019s secure update mechanism.\n\nHypervisor software and data should also be integrated into the secure boot process to ensure its integrity before the device starts, as can be seen in *MID-002 - Hardware-backed Bootloader Authentication*. This can be done by placing bootloader-time integrity checks over the hypervisor to ensure that hypervisor code is safe to run according to factory or user-defined signatures.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.7 \u2013 Least functionality\n\n- CR 2.1 \u2013 Authorization enforcement: RE (1) Authorization enforcement for all users (humans, software processes and devices)",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-023",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] E. Kou. \"Virtualization for embedded industrial systems.\" ti.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.ti.com/lit/wp/spry317b/spry317b.pdf>\n\n\\[2\\] BlackBerry. \"What Is Virtualization for Embedded Systems?.\" qnx.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://blackberry.qnx.com/en/ultimate-guides/embedded-system-security/virtualization-for-embedded-systems>\n\n\\[3\\] ARM. \"Secure virtualization.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://developer.arm.com/documentation/102142/0100/Secure-virtualization>\n\n\\[4\\] RedHat. \"Chapter 4. sVirt.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/virtualization_security_guide/chap-virtualization_security_guide-svirt>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--29294cab-fcfa-4747-b96e-a54980149610",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.055146Z",
            "modified": "2025-04-21T14:20:07.055146Z",
            "name": "Encrypted VM Isolation",
            "description": "Although a VM\u2019s inherent memory isolation provides many protections for memory that is specifically allocated to that VM, there are still opportunities for attacks launched from the hypervisor or any other system component with access to the physical memory. By virtue of virtual machines (VMs) being run on the same hardware, potential exploits and data leaks are present through hardware or device architecture vulnerabilities.\n\nEncrypting VMs and VM-related information can help maintain VM isolation in the presence of an untrustworthy hypervisor by keeping each VM\u2019s data confidential during execution. The added encryption makes it such that the VM\u2019s memory space is protected against unauthorized reads by the hypervisor or any other VM. Only undecipherable data could be seen from any context other than the intended guest VM that the memory belongs to.\n\nCloud computing use cases are driving the adoption of these confidential computing features in newer processors. They build upon the RAM encryption functionality (described further in MID-065) that creates encrypted enclaves in memory associated with a particular execution context (thread, process, etc.) such that the contents of that memory are encrypted automatically by the CPU before being written to RAM and automatically decrypted when read in and placed in the CPU\u2019s cache and registers.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.1 \u2013 Information confidentiality\n\n- CR 2.1 \u2013 Authorization enforcement: RE (1) Authorization enforcement for all users (humans, software processes and devices)",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-024",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Intel. \"Trust Domain Security Guidance for Developers.\" intel.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/trusted-domain-security-guidance-for-developers.html>\n\n\\[2\\] ARM. \"Learn the architecture - Realm Management Extension.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://developer.arm.com/documentation/den0126/0100/Overview>\n\n\\[3\\] M Scapicchio and M. Kozinski. \"What is confidential computing?.\" ibm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.ibm.com/topics/confidential-computing>\n\n\\[4\\] Microsoft. \"Azure confidential computing.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://azure.microsoft.com/en-us/solutions/confidential-compute>\n\n\\[5\\] Intel. \"Intel Confidential Computing Solutions.\" intel.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.intel.com/content/www/us/en/security/confidential-computing.html>\n\n\\[6\\] AMD. \"AMD Secure Encrypted Virtualization (SEV).\" amd.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.amd.com/en/developer/sev.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b15f38b3-5989-436f-8ec2-a7722379f676",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.055344Z",
            "modified": "2025-04-21T14:20:07.055344Z",
            "name": "End-of-Life Management Features",
            "description": "When vendor-provided device maintenance stops, devices that may contain vulnerabilities are left unsupported and unpatched. Any vulnerability found during this time may be present in a device for as long as that device continues to be used. Allowing device users to perform end-of-life management lets them optionally attempt to maintain a higher security posture on their device through third-party firmware updates or security software. For this to be possible, the device vendor may have to include technical controls, such as \u201cunlocking\u201d parts of the device through a final firmware update or distribution of keys or allowing device users to upload their own keys for use in functions like firmware update mechanisms and secure boot processes. Additionally, the device vendor will likely have to update their device usage terms of service to include statements that once an end-of-life determination is made, certain liability mechanisms and warranties are no longer applicable.\n\n<u>Limitations</u>: Giving device users access to device management tools that are typically reserved for vendors, such as firmware updates, may open up threat vectors for threat actors.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- none",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-025",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] RedHat. \"Chapter 3. Signing a kernel and modules for Secure Boot.\" redhat.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel>\n\n\\[2\\] H. Mbugua, A. Buck, C. Werner, J. Flores, B. Lamos, C. Wales, B. de Koning, F. Ombongi, M. Macy, A. Cornelissen, B. Braig, C. Chiedo. \"Create a self-signed public certificate to authenticate to your application.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate>\n\n\\[3\\] Android. \"Lock and unlock the bootloader.\" android.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://source.android.com/docs/core/architecture/bootloader/locking_unlocking>\n\n\\[4\\] B. Schoon. \"LG is closing the bootloader unlock program that would help keep its Android phones alive.\" 9to5google.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://9to5google.com/2021/12/06/lg-bootloader-unlock-program-closing/>\n\n\\[5\\] D. Wallach. \"Assured Micropatching (AMP).\" darpa.mil. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.darpa.mil/program/assured-micropatching>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--1d03d6df-472e-4740-afe3-d2d37cd74618",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.05557Z",
            "modified": "2025-04-21T14:20:07.05557Z",
            "name": "Secure Firmware Update",
            "description": "Firmware update mechanisms can provide a vector for threat actors to install malicious code, extract secrets from the firmware, or disrupt the device's availability. A secure firmware update mechanism must ensure the authenticity of the firmware, encrypt the file or communication channel, ensure updates cannot be triggered at inopportune times, and prevent rollback to insecure versions. Key functions of a secure firmware update are provided below.\n\n**1- Authenticity and Integrity**: The device should validate that the firmware update has not been tampered with before installing it on the device. The vendor should digitally sign the firmware using a protected private key, while the device should include an associated public key or public key hash to verify the signature scheme \\[1\\]. The digital signature should be computed across the entire firmware file. To sign a firmware image, the firmware signer should compute a hash of the firmware and run that hash through a signing software. The device can then take a hash of the firmware that it receives and use the public key to verify the signature from the signed hash to compare the two hash values \\[7\\].\n\n**2- Encryption**: Encrypting firmware in-transit and at-rest is an effective way to prevent adversaries from reverse engineering the firmware to extract secrets or discovering vulnerabilities.\n\n*At-rest*: If the firmware deployment requires firmware to be manually downloaded and transferred, stored on intermediary devices before reaching the target device, or stored anywhere on the device before loading into flash memory, then the firmware file should be encrypted. Encryption on-device could be implemented by encrypting all sections of the firmware and having the bootloader decrypt the firmware when it needs to be loaded. 
The bootloader would check the authenticity and integrity of the encrypted firmware, as mentioned in step 1, and then would decrypt the firmware if all the checks pass. The firmware would then be available for execution \\[8\\]\\[9\\].\n\n*In-transit*: If the firmware is deployed using an over-the-air update scheme (i.e., the firmware file will not reside on any intermediary systems), encryption should be provided by using an encrypted and authenticated communication protocol with public key-based authentication \\[9\\].\n\n**3- Update Initiation**: If a device can have its firmware update process initiated at any time, threat actors may be able to cause a denial-of-service attack against the device by initiating it at an unwanted time. To prevent these scenarios, all manually initiated firmware updates should only be initiated by authenticated and authorized privileged administrative users. In the event that the device is using automatic firmware updates, any requests to initiate the firmware update should go over an encrypted and authenticated protocol.\n\n**4- Rollback Protection**: Optionally, rollback protections can be added to the firmware update process to prevent threat actors from reinstalling an older, vulnerable version of firmware for future exploitation. Adding rollback protections is not always needed and may complicate device processes. See *MID-030 - Firmware Rollback Protections* for more information.\n\n**Additional Threats:** This mitigation depends on multiple cryptographic mechanisms, protocols, and keys, which are all potentially vulnerable to different threats (listed below), which should also be considered with the implemented solution.\n\n- TID-330 Cryptographic Timing Side-Channel\n\n- TID-214 Secrets Extracted from Device Root of Trust\n\n- TID-411 Weak/Insecure Cryptographic Protocol\n\n- TID-318 Insecure Cryptographic Implementation\n\n- TID-317 Predictable Cryptographic Key",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.10 \u2013 Support for updates: RE (1) Update authenticity and integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-026",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] K. Goldman, E. Palmer, T. Block, C. Engel, and D. Heller. \"Best Practices for Firmware Code Signing.\" opencompute.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.opencompute.org/documents/ibm-white-paper-best-practices-for-firmware-code-signing>\n\n\\[2\\] A. Regensheid. \"NIST 800-193 - Platform Firmware Resiliency Guidelines.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf>\n\n\\[3\\] K. Masica. \"Firmware Management Best Practices Guide for Energy Infrastructure Embedded Control Devices.\" dtic.mil. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://apps.dtic.mil/sti/trecms/pdf/AD1135234.pdf>\n\n\\[4\\] J. Beningo. \"5 Elements to a Secure Embedded System, Part 5: Secure Storage.\" designnews.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.designnews.com/embedded-systems/5-elements-to-a-secure-embedded-system-part-5-secure-storage>\n\n\\[5\\] Embedded Staff. \"Building a security-optimized embedded design using protected key storage.\" embedded.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.embedded.com/building-a-security-optimized-embedded-design-using-protected-key-storage>\n\n\\[6\\] S. Garg. \"Protecting Security Critical Firmware.\" linaro.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://web.archive.org/web/20240422222306/https://www.linaro.org/blog/protecting-security-critical-firmware/>\n\n\\[7\\] Chipkin. \"What Is Signed Firmware.\" chipkin.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://store.chipkin.com/articles/what-is-signed-firmware>\n\n\\[8\\] G. Garcia. \"Securing Firmware Updates With AES.\" memfault.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://interrupt.memfault.com/blog/firmware-encryption-with-python>\n\n\\[9\\] D. Pang. 
\"Cryptographic Techniques for Safer Firmware.\" electronicdesign.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.electronicdesign.com/technologies/embedded/article/21163055/neuronicworks-cryptographic-techniques-for-safer-firmware>\n\n\\[10\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardwear.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--9628a59b-34c1-46f0-a4b4-60f4f33bc452",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.055781Z",
            "modified": "2025-04-21T14:20:07.055781Z",
            "name": "Validated Cryptographic Libraries",
            "description": "Devices should use validated cryptographic libraries (e.g., adhering to FIPS-140 or equivalent). These are libraries that have been examined, tested, and vetted for safety, security, and protection against side-channels by independent laboratories according to industry approved specifications. Building cryptographic libraries is a complex and difficult process that oftentimes results in libraries that have issues either with the generation or processing of cryptographic primitives or the processing of implemented algorithms over the input data.\n\nAdditionally, if any of the above issues do arise, using libraries that aren\u2019t validated and aren\u2019t maintained could lead to vulnerabilities persisting while fixes are developed. Therefore, using widely used, well maintained, and validated cryptographic libraries is a safer way to manage device cryptography. Vulnerabilities will be less likely to arise and, if/when they do, the wide level of use and maintenance will mean that patches should come quickly for it.\n\n<u>Limitations</u>: By using a widely used library, a device\u2019s cryptographic library is more likely to be targeted, which could lead to the device being vulnerable to exploitation.\n\n<u>Consideration</u>: Devices that use cryptographic algorithms may introduce threats via the choice or implementation of the cryptographic algorithm or software. Device builders should take precautionary steps wherever possible to mitigate this threat. See *MID-044 - Strong Cryptographic Algorithms and Protocols* for more information about choosing a good algorithm.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.3 \u2013 Use of cryptography",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-027",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] NIST. \"Cryptographic Module Validation Program.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://csrc.nist.gov/projects/cryptographic-module-validation-program>\n\n\\[2\\] J. Flores. \"Microsoft SDL cryptographic recommendations.\" microsoft.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://learn.microsoft.com/en-us/security/sdl/cryptographic-recommendations>\n\n\\[3\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardwear.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--2c1f7fed-2ae5-41ec-a796-8b18a506c85f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.055984Z",
            "modified": "2025-04-21T14:20:07.055984Z",
            "name": "Hardware-backed Key Storage",
            "description": "Using hardware-backed keystores allows a device to benefit from hardware-based protections for preventing key extraction or manipulation, as opposed to relying on weaker software-only protections. Hardware-backed keystores leverage dedicated hardware and hardware abstraction layers to provide security features, such as storing a root-of-trust, keys, certificates or sensitive data. Hardware-backed keystores can take different forms and can be integrated with various functionalities, such as secure elements, TPMs, or cryptographic coprocessors to offer more secure key management. For example, Android has been using hardware-backed keystores for digital signing and verification operations, key generation, and the storage of asymmetric key signing pairs. \\[1\\]\\[2\\]\\[3\\]\\[4\\]\n\nPhysical Unclonable Functions (PUFs) are a hardware-based approach for deriving authentication credentials, device identifiers, or other cryptographic secrets from the analog characteristics of a physical integrated circuit\u2019s implementation. Under the right conditions, a PUF can form the basis for a hardware-backed key in a fashion that is inherently unique to each device and more difficult to extract than one generated and stored in non-volatile memory during manufacturing or provisioning. PUF implementations are often categorized based on how many unique challenge-response pairs (CRPs) they are capable of generating. Simpler \u201cweak\u201d PUFs have few (or one) CRPs making them more appropriate for generating material like secret keys. \u201cStrong\u201d PUFs can respond to a large number of different challenge inputs enabling more rigorous device authentication schemes. A variety of PUF implementation styles have been proposed (with varying properties) and many can be found in commercially available microprocessors, FPGAs, and cryptographic modules. 
\\[5\\]\\[6\\]\\[7\\]\\[8\\]\n\n<u>Consideration</u>: *MID-060 - Dedicated Cryptographic Processors* will include key storage mechanisms and will enable secure operation using the keys. It is also a more comprehensive and complicated mitigation.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.9 \u2013 Strength of public key-based authentication: RE (1) Hardware security for public key-based authentication\n\n- CR 1.14 \u2013 Strength of symmetric key-based Authentication: RE (1) Hardware security for symmetric key-based authentication\n\n- CR 1.5 \u2013 Authenticator management: RE (1) Hardware security for authenticators",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-028",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Android. \"Hardware-backed Keystore.\" android.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://source.android.com/docs/security/features/keystore>\n\n\\[2\\] Rambus. \"Hardware Root of Trust: Everything you need to know.\" rambus.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.rambus.com/blogs/hardware-root-of-trust/>\n\n\\[3\\] V. Zimmer and M. Krau. \"Establishing the Root of Trust.\" uefi.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://uefi.org/sites/default/files/resources/UEFI%20RoT%20white%20paper_Final%208%208%2016%20(003).pdf>\n\n\\[4\\] Analog Devices. \"Secure Element.\" analog.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.analog.com/en/resources/glossary/secure-element.html>\n\n\\[5\\] C. Herder, M. -D. Yu, F. Koushanfar and S. Devadas, \"Physical Unclonable Functions and Applications: A Tutorial,\" in\u00a0*Proceedings of the IEEE*, vol. 102, no. 8, pp. 1126-1141, Aug. 2014, doi: [10.1109/JPROC.2014.2320516](https://doi.org/10.1109/JPROC.2014.2320516).\n\n\\[6\\] J. Hertz. \u201cAn Introduction to Physically Unclonable Functions.\u201d All About Circuits. Accessed: Mar. 31, 2025. \\[Online.\\] Available: <https://www.allaboutcircuits.com/technical-articles/an-introduction-to-physically-unclonable-functions/>\n\n\\[7\\] J. Hertz. \u201cPhysically Unclonable Functions: Classification, Evaluation, and Tradeoffs in PUFs.\u201d All About Circuits. Accessed: Mar. 31, 2025. \\[Online.\\] Available: <https://www.allaboutcircuits.com/technical-articles/physically-unclonable-functions-classification-evaluation-and-tradeoffs/>\n\n\\[8\\] \u201cTypes of physical unclonable function.\u201d Wikipedia. Accessed: Mar. 31, 2025. \\[Online.\\] Available: <https://en.wikipedia.org/wiki/Types_of_physical_unclonable_function>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--683cf8f4-72d2-472f-b250-70fa06e4fd13",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.056182Z",
            "modified": "2025-04-21T14:20:07.056182Z",
            "name": "Hardware Root of Trust",
            "description": "A hardware root of trust (RoT) is a piece of hardware that typically stores the software code for critical boot functions that execute before any other functions on the device can operate. For example, 1<sup>st</sup> stage bootloader code stored in a hardware RoT can be used to check firmware or later-stage bootloader authenticity and integrity before installing and running. This then allows the device to have a degree of certainty that the low-level code it is running is secure.\n\nUsually, a hardware RoT consists of cryptographic keys and minimal boot code that uses the keys to ensure that the next piece of code is trusted to run. In the case of an immutable RoT, the cryptographic keys are immutable, for example written in OTP (One-Time Programmable) memory, and the boot code is immutable (BootROM).\n\n<u>Consideration</u>: Making a RoT immutable can provide greater assurance by preventing the RoT from being tampered with by threat actors. If the RoT can never be changed, then threat actors cannot manipulate it to perform malicious actions. However, if a RoT is immutable and a vulnerability is found in the code stored within it, there are no ways to patch the device (see TID-220). Code on RoTs should therefore have minimal complexity and should be developed and deployed with the highest possible code quality standards.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.12 \u2013 Provisioning product supplier roots of trust",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-029",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] ARM. \"Booting a secure system.\" arm.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://developer.arm.com/documentation/PRD29-GENC-009492/c/TrustZone-Software-Architecture/Booting-a-secure-system>\n\n\\[2\\] ST. \"Getting started with STiRoT (ST immutable Root of Trust) for STM32H5 MCUs.\" st.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.st.com/resource/en/application_note/an6007-getting-started-with-stirot-st-immutable-root-of-trust-for-stm32h5-mcus-stmicroelectronics.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--1b9a61eb-ba6c-4963-98b1-c882cafe9782",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.056377Z",
            "modified": "2025-04-21T14:20:07.056377Z",
            "name": "Firmware Rollback Protections",
            "description": "To deploy firmware rollback protections, devices need to take steps to ensure that once new firmware has been deployed and is confirmed to be operational on the device, older firmware cannot be deployed again. There are many ways to handle increasing firmware version numbers, with two implementations being an automatic update on reset and an update on command.\n\n\u201cAutomatic update on reset\u201d \\[1\\] involves the Boot ROM updating the anti-rollback reference version when a newer version has been successfully loaded. To reach a success stage, the new image must pass all secure boot checks, such as the authenticity and integrity checks in *MID-026 - Secure Firmware Update.* This method gives no window of attack for threat actors trying to rollback firmware between updates and firmware success, however it also means that if there are errors in the firmware the user cannot revert to the last-known-good copy. Vendors themselves however can still rollback to a previous version by repackaging the firmware and distributing it with new version numbers \\[1\\].\n\n\u201cUpdate on command\u201d \\[1\\] involves the anti-rollback reference version being updated in response to a secure message from an authorized management service. The previous version is therefore revoked only after the device management service signals that the newer version has no identified faults. This means that the device will be able to revert to an earlier version of the firmware before they receive the final message. While this gives users increased flexibility because they can choose to accept or reject firmware after trying it out, it also means that devices are left vulnerable during the window between firmware update and when the secure message is received. Additionally, this method may leave devices vulnerable to a denial-of-service attack that can be initiated by blocking the secure completion message. 
The device will therefore never accept the firmware and won\u2019t begin operations \\[1\\].\n\n<u>Consideration</u>: If an attacker can spoof the anti-rollback references to increment the versions, the device could be rendered inoperable. Vendors must ensure that only authorized software is able to update the anti-rollback references. See *MID-026 - Secure Firmware Update* for more information. Given the risks and challenges in creating a resilient rollback protection feature, device designers should carefully consider whether this mitigation is appropriate for their use case before pursuing it.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.10 \u2013 Support for updates\n\n- SAR / EDR / HDR / NDR 3.2 \u2013 Protection for malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-030",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] ARM. \"Platform Security Model.\" psacertificed.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.psacertified.org/app/uploads/2021/12/JSADEN014_PSA_Certified_SM_V1.1_BET0.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b46e0705-358f-4ff2-a015-36d38cba90ba",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.056574Z",
            "modified": "2025-04-21T14:20:07.056574Z",
            "name": "Physical Presence Validation",
            "description": "Requirements such as a key being inserted, a button being pressed, a switch being flipped, etc. can provide a device with guarantees around the physical presence of an operator. Devices can then choose to not perform a critical operation until that physical step is taken, with a lack of action (e.g. a device being left in \"run mode\" and not being put in \"program mode\") preventing all critical actions. This can prevent threat actors from undertaking malicious actions because the device will reject any changes or actions while in an operating mode that does not accept changes.\n\n<u>Limitations</u>: Devices that require physical presence may be difficult to manage in remote locations, can increase response or update rollout timelines, and provide limited benefits in locations that have poor physical security. For those reasons, it may not be suitable for all devices or environments.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 2.1 \u2013 Authorization enforcement",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-031",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] A. Regensheid. \"NIST 800-193 - Platform Firmware Resiliency Guidelines.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--12bb6f57-6b0f-4ddd-a15c-98657151d49b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.056763Z",
            "modified": "2025-04-21T14:20:07.056763Z",
            "name": "System Service Availability Manager",
            "description": "Methods to monitor and restart services, such as software and hardware-based watchdogs, can add additional resilience and prevent devices from falling into complete deadlock states or failing. This is because these mechanisms will monitor and send restart service signals that will ensure that critical processes cannot die indefinitely. Additionally, if a device cannot safely have its services restarted, these monitors can be used to alert users about device-level activity.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.1 \u2013 Denial of service protection\n\nCR 7.2 \u2013 Resource management",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-032",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] K. Odom. \"What Is a Watchdog Timer and Why Is It Important?\" ti.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.ti.com/lit/ta/ssztah7/ssztah7.pdf>\n\n\\[2\\] DigiKey's North American Editors. \"Improving IoT System Robustness Using Watchdog Timers.\" digikey.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.digikey.com/en/articles/improving-iot-system-robustness-using-watchdog-timers>\n\n\\[3\\] MITRE. \"Watchdog Timers.\" mitre.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://attack.mitre.org/mitigations/M0815/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b165f5a6-3c3c-43f9-82c6-d7c15016dd00",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.056952Z",
            "modified": "2025-04-21T14:20:07.056952Z",
            "name": "Unique and Unpredictable Factory Preinstalled Secret Keys",
            "description": "Using unique and unpredictable keys lowers the risk to devices because the compromise of one device will not reveal keys used on other devices. If keys are not unique or are predictable, threat actors that can extract a key from one device may be able to leverage that key across multiple devices. Therefore, if unique and unpredictable keys per device are used, threat actors have less opportunities to exploit devices before patches are available when one device is compromised.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.2 \u2013 Software process and device identification and authentication - (1) Unique identification and authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-033",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Apple. \u201cApple Platform Security.\u201d apple.com. Accessed: Aug. 26, 2024. \\[Online\\]. Available: <https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--4c202b86-bea7-46ac-9a79-8d5693fef44b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.057143Z",
            "modified": "2025-04-21T14:20:07.057143Z",
            "name": "Authenticate Network Messages",
            "description": "Authenticating network traffic makes it more difficult for threat actors to leverage unauthenticated network data sent by or to the device. A lack of message authentication can result in the device accepting and remaining unaware of messages spoofed or modified by an attacker with network access to the device. By authenticating network traffic, threat actors cannot send any data that will be accepted unless they also compromise the corresponding authentication credentials.\n\nNetwork authentication can be implemented via several technical means, including message authentication codes (MACs), authenticated encryption (AE), and digital certificates/signatures that are used to protect all or part of the network packet or protocol message. These schemes allow the device receiving the network traffic to perform cryptographic checks of the data to ensure that it originated from a trusted source and has not been modified in-transit. Only then will it parse the message and process data within.\n\n<u>Note</u>: Authentication should be paired with *MID-035 - Encrypt Network Traffic* to prevent eavesdropping.\n\n<u>Limitations</u>: Malicious actors may be able to circumvent authentication protections through various means. When implementing session authentication, best practices should be followed to prevent authentication attacks (replay, spoofed users, default accounts, etc.)",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.1 \u2013 Communication integrity (1) Communication authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-034",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] okta. \"Authentication Protocols 101: Definition, Types, and When to Use.\" okta.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.okta.com/identity-101/authentication-protocols/>\n\n\\[2\\] nile. \"Secure Network Authentication Methods, Types, and Protocols.\" nilesecure.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nilesecure.com/network-security/secure-network-authentication-methods-types-and-protocols>\n\n\\[3\\] Cloudflare. \"What is TLS (Transport Layer Security)?.\" cloudflare.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--e187f689-2fe4-423f-a628-7dfeebcdd137",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.057337Z",
            "modified": "2025-04-21T14:20:07.057337Z",
            "name": "Encrypt Network Traffic",
            "description": "Encrypting network traffic typically involves taking network data and running it through an encryption algorithm such that the network data cannot be read in its encrypted form - this achieves data confidentiality. Therefore, encrypting network traffic allows devices to share critical or secret information without worrying about a third party reading the data.\n\nSome encryption algorithms, such as AES-GCM, include authentication and integrity features to give the receiving devices some guarantees that their data has not been tampered with. See *MID-034 - Authenticate Network Messages* for more information.\n\nLastly, besides the implementation of the cryptographic library itself, other related architecture considerations must be made. These can include using a secure and validated algorithm (*MID-044 - Strong Cryptographic Algorithms and Protocols*), secure key storage, secure key sharing/agreement (e.g., DH), and secure key generation (*MID-047 - Sufficient Entropy for Keys*), to name a few.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.1 \u2013 Information confidentiality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-035",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] K. McKay and D. Cooper. \"NIST 800-52r2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://doi.org/10.6028/NIST.SP.800-52r2>\n\n\\[2\\] E. Barker, A. Roginsky, and R. Davis. \"NIST 800-133r2 - Recommendation for Cryptographic Key Generation.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf>\n\n\\[3\\] Y. Sheffer, R. Holz, and P. Saint-Andre. \"Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).\" ietf.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://datatracker.ietf.org/doc/html/rfc7525>\n\n\\[4\\] NIST. \"Cryptographic Module Validation Program.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&CertificateStatus=Active&ValidationYear=0>\n\n\\[5\\] M. Turnan, E. Barker, J. Kelsey, K. McKay, M. Baish, and M. Boyle. \"NIST 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--9743eac6-39dc-45a9-b363-e068896aec81",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.057536Z",
            "modified": "2025-04-21T14:20:07.057536Z",
            "name": "Cryptographic Nonces",
            "description": "A nonce is a piece of data, typically a number, that is created uniquely per message to ensure that messages cannot be replayed. When a device receives a message, it checks the nonce to make sure that the nonce is still valid, and if it is, it will accept the message. If the nonce is no longer valid, the device will know that the same message was sent to them multiple times, potentially indicating a replay attack, and will reject the message.\n\nThe first nonce in a communication is oftentimes sent in the first message by the device that is initiating the communication. The nonce will then undergo some operation that both the sender and receiver know. Subsequently, in every message the device will receive a transmission with a nonce, perform the operation, and send the new nonce in the next message. This results in a situation where every message has a unique nonce and the sender and receiver can know what the next nonce will be in advance, but the adversary cannot derive it as they do not know the operation or initial nonce.\n\nNonces can sometimes be implemented alongside *MID-037 - Network Timestamps* to give devices time windows and unique message identifiers to work with. If the device is not using a timestamp, it will have to ensure that the nonce is it using is sufficiently large or random so that it cannot be guessed. If it can be guessed, it may be possible for threat actors to send malicious messages with valid nonces. For example, if a device uses a counter as the initial nonce and adding one as its operation, it may be possible for a threat actor to guess the next number in sequence. A random-number generator with a hashing function on the other hand would produce results that are much harder to guess.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.3 \u2013 Use of cryptography\u00a0\n\n- CR 3.1 \u2013 Communication integrity (1) Communication authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-036",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] E. Barker. \"NIST 800-89 - Recommendation for Obtaining Assurances for Digital Signature Applications.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-89.pdf>\n\n\\[2\\] okta. \"What is a Cryptographic Nonce? Definition and Meaning.\" okta.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.okta.com/identity-101/nonce/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--29acb791-fa65-44c0-9492-dd296c1a59fe",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.057734Z",
            "modified": "2025-04-21T14:20:07.057734Z",
            "name": "Network Timestamps",
            "description": "Network timestamps have multiple use-cases in a device. They can be used to reject messages that are too old, be used as unique seeds for certain functions, aid with logging, and be used to synchronize network data interactions across multiple devices. Timestamps can also be used to prevent replay attacks, either as an additional piece of information alongside a nonce (*MID-036 - Cryptographic Nonces*) or to reject data that is too old, which may be another indicator of a replayed message.\n\n<u>Limitations</u>: Timestamp-based packet rejection may present operational issues if network guarantees aren't met or if adversaries derive a means to slow down packet delivery. In both of these cases, valid packets may be delivered late, and the device may reject them.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.1 \u2013 Communication integrity (1) Communication authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-037",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] E. Barker. \"NIST 800-89 - Recommendation for Obtaining Assurances for Digital Signature Applications.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-89.pdf>\n\n\\[2\\] E. Barker. \"NIST 800-102 - Recommendation for Digital Signature Timeliness.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-102.pdf>\\]\n\n\\[3\\] F. Farha, H. Ning, S. Yang, J. Xu, W. Zhang and K. -K. R. Choo, \"Timestamp Scheme to Mitigate Replay Attacks in Secure ZigBee Networks,\" in IEEE Transactions on Mobile Computing, vol. 21, no. 1, pp. 342-351, 1 Jan. 2022, doi: 10.1109/TMC.2020.3006905."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--e93c9ffb-878b-4532-8c38-e898e2eb3bb4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.057938Z",
            "modified": "2025-04-21T14:20:07.057938Z",
            "name": "Authenticate for Administrative Actions",
            "description": "Administrative actions on a device usually involve a subset of device actions that, if undertaken, could have an impact on the integrity of the device or its operations. These may include accessing certain I/O interfaces, changing the roles of another user, changing user permissions or credentials, using debugging modes, or altering device operating states, to name a few. Because these actions could have a large impact on device operations, users should have to authenticate to perform administrative actions and should only be allowed to take actions that they are permitted to after authentication.\n\n<u>Limitations</u>: If the threat actor can gain access to valid credentials, they will be able to subvert these protections. Adding in mitigations like *MID-031 - Physical Presence Validation* will increase its efficacy because threat actors won\u2019t be able to perform administrative actions without first authenticating and demonstrating physical access to the device. Physical security measures, such as locks and gates, can then be used as a line for cyber defense.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.1 \u2013 Human user interaction and authentication\u00a0\n\n- CR 2.1 \u2013 Authorization Enforcement",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-038",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--7a99028a-e2a6-4cab-a897-d380a4c64955",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.05813Z",
            "modified": "2025-04-21T14:20:07.05813Z",
            "name": "Restrict Software Diagnostic Functions",
            "description": "Diagnostic software functions or modes oftentimes give users who control them access to low-level device information. This control could involve read/write permissions of raw memory, process control, process monitoring, and power information, for example. To prevent a threat actor from having this level of access, device designers could either remove the functionality or, if it is needed, heavily restrict its usage.\n\nIf a device doesn\u2019t need diagnostic functionality, it is more secure for that device to not have any present. Diagnostic functions provide a large threat vector for threat actors because of their inherently privileged nature. By removing the functionality, threat actors have no already-installed tool on the device that gives them such low level access.\n\n<span class=\"mark\">If a device must have diagnostic functionality, those functions should be heavily restricted. One way this can be done is by restricting the diagnostic functions to certain processes. This could limit the potential impact of a threat actor because they would be scoped to a narrow part of the device. Another way to implement this is by using a processor that has features to prevent unintended tampering (open states, restricted state, and closed state). This would provide a hardware-enforced means to limit the ability of a remote threat actor from accessing the diagnostic functions.</span>\n\n<u>Limitations</u>: If threat actors are able to take control over the protection mechanisms that grant or revoke diagnostic functionality access, they may be able to escalate their privileges and take control over a device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.1 \u2013 Human user interaction and authentication\u00a0\n\n- CR 2.1 \u2013 Authorization Enforcement\u00a0\n\n- CR 6.1 \u2013 Audit log accessibility\n\n- CR 3.7 \u2013 Error handling\n\n- CR 3.9 \u2013 Protection of audit information",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-039",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8a6f11a8-1d57-4994-86ef-a3acc02b59f4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.058319Z",
            "modified": "2025-04-21T14:20:07.058319Z",
            "name": "Cryptographically Signed Custom Programs",
            "description": "For programmable devices like PLCs, signing programs gives the device the ability to ensure that the programs that they are installing and running originate from a verified source. If the programs are not signed, it may be possible for a threat actor to install malicious programs that alter device behavior.\n\nDevices can enable these capabilities by allowing the device to accept, store, and use verifying keys to verify that a program is signed. If the program is not signed, the device should automatically reject the new program and send out an alert.\n\nUsers should be able to generate signing and verifying keys (public and private asymmetric keys) and send the verifying key to downstream devices that will be receiving programs. Programs can then be signed, either by Integrated Development Environments (IDEs) or another signing mechanism and distributed to the device for verification and deployment.\n\n<u>Note</u>: This mitigation is heavily dependent on the security of the source of the programs/application. Many devices, such as PLCs, require the deployment of custom programs that are developed individually at each organization.\n\n<u>Limitation</u>: This would require a dedicated signing key to be deployed within the IDE and a verifying key within the end device. Ideally this would be a unique signing key for every organization, however, this would require each organization to perform the key initialization and exchange with each new IDE or device. This scheme gets more complex as typically there are many IDEs within an organization that may need to deploy programs to a device, further organizations need to perform key escrow to store keys, otherwise if the IDEs and associated keys are lost, they will be unable to deploy programs to the device. 
If organizational keys are not used, and the same signing key is used across an entire product line, a threat actor may be able to extract this key from the IDE (such as through reverse engineering) and then use it to sign an unauthorized program.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code\n\n- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-040",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Codesys. \"Protecting an Application.\" codesys.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://content.helpme-codesys.com/en/CODESYS%20Development%20System/_cds_encrypting_application.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--572d51bd-fb54-495f-bf9e-29ec719e569e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.058541Z",
            "modified": "2025-04-21T14:20:07.058541Z",
            "name": "Cryptographically Signed Vendor-supplied Programs",
            "description": "Vendor programs, libraries, and other software components are guaranteed to come from a single source, the vendor. Therefore, vendors can use a digital signing scheme where their programs are signed using the vendor\u2019s private key and can be verified using the device\u2019s public key. This signing scheme would ensure that only vendor-supplied programs would be accepted, downloaded, and executed.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-041",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--db0015a7-1e67-44b1-a547-8918e014b933",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.058757Z",
            "modified": "2025-04-21T14:20:07.058757Z",
            "name": "Device Checks Consistency Between Binary/Running Code and Textual Code",
            "description": "Devices, such as Programmable Logic Controllers (PLCs), oftentimes will have two copies of a program stored in their memory. One copy is the compiled binary that is executing run on the device - this program is machine readable but would be difficult for a human to easily read. The other copy is a textual code representation of the program. This form is in a human-readable format and is typically the form of the code that the programmer worked on before the program download. It is this latter copy that is returned to the programmer when using \u201cupload from device\u201d functions in the IDE. The binary and textual representations should be cryptographically bound so that the IDE can test whether the textual representation matches the executable representation.\n\nOne way to ensure consistency would be to perform upload both the running binaries and text code during a program upload. The IDE would then be able to recompile the text code and perform hashes over it and the binary code to check for consistency. Another way to do this would be to compile the text code on the device itself and then hash both it and the running binaries and then compare them.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-042",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] S. Brizinov. \"The Old Switcheroo: Hiding Code on Rockwell Automation PLCs.\" claroty.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://claroty.com/team82/research/hiding-code-on-rockwell-automation-plcs>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--e7c03953-1097-4fa9-8247-beda4c65905e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.058962Z",
            "modified": "2025-04-21T14:20:07.058962Z",
            "name": "Manage Default Login Credentials",
            "description": "If it is necessary for a device to ship with default passwords for user accounts, these passwords should be unique, random, and not based on any inherent device properties (such as serial number or MAC address). Additionally, these default passwords should be at least 8 characters long and contain a mix of uppercase and lowercase letters and numbers. Users can access these default passwords through physical access to the device or the device\u2019s documentation delivered with the hardware.\n\nUsers can be prompted upon the first-time use of the device to change the default passwords and should be able to change them at any time after.\n\nIn some cases, it may be better to ship a device without default credentials. In this scenario, users can be prompted upon first use of the device to set credentials.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.1 \u2013 Human user identification and authentication: RE (1) Unique identification and authentication\n\n- CR 1.5 \u2013 Authenticator management",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-043",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] CISA. \"Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.\" cisa.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.cisa.gov/sites/default/files/2023-10/SecureByDesign_1025_508c.pdf>\n\n\\[2\\] P. Grassi, J. Fenton, E. Newton, R. Perlner, A. Regensheid, W. Burr, J. Richer, N. Lefkovitz, J. Danker, Y. Choong, K. Greene, and M. Theofanos. \"NIST 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--38136af8-d2d7-4edb-8282-394c564ec034",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.059178Z",
            "modified": "2025-04-21T14:20:07.059178Z",
            "name": "Strong Cryptographic Algorithms and Protocols",
            "description": "Device implementors should use cryptographic libraries that have been validated and rigorously tested against different cryptographic attacks. \u201cRolling your own crypto\u201d, meaning creating and using homemade cryptographic algorithms, has been shown to be riskier than using heavily tested and validated libraries due to the tendency of individuals or small teams not being able to match the validation process and cryptographic rigor supplied by dedicated teams of experts.\n\nChoosing a strong cryptographic algorithm or primitive is not always sufficient, there are often many pitfalls in using it safely and correctly. Network communications, user authentication handshakes, data protection, and other protocols are implemented using cryptographic algorithms and operations to protect information and achieve other desired security guarantees. Devices should implement protocols that are widely used, well tested, verified for security assurances, and utilize strong cryptographic algorithms. Examples of these are WPA3 and TLS.\n\n<u>Note</u>: Chosen protocols should incorporate anti-metadata analysis features such as packet length standardization, packet frequency standardization, header length standardization, etc. Overall, packet metadata shouldn't be able to be used to derive the contents of encrypted messages. This is only needed where confidentiality exists and is important to device security \\[3\\] \\[4\\] \\[5\\].\n\n<u>Note</u>: Many leading cryptographic algorithms are publicly available for use and inspection, meaning that device implementors can verify for themselves that the algorithms are safe to use and compatible with their devices.\n\n<u>Note</u>: Choosing a high-quality implementation of the desired cryptographic tools is very important to ensure that they will operate as intended and that cryptographic security guarantees cannot be undermined by implementation flaws. 
See *MID-027 - Validated Cryptographic Library* for more information. In addition to library choice, other related architecture considerations must be made. These can include secure key storage (*MID-028 - Hardware-backed Key Storage*) and secure key generation (*MID-047 - Sufficient Entropy for Keys*), to name a few.\n\n<u>Note</u>: Encryption may introduce operational difficulties and constraints. Review all processes and functional requirements when encrypting traffic in transit.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.3 \u2013 Use of cryptography\u00a0\n\n- CR 1.14 \u2013 Strength of symmetric key-based authentication\u00a0\n\n- CR 1.9 \u2013 Strength of public key-based authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-044",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] S. Morrow. \"The Dangers of \"Rolling Your Own\" Encryption.\" infosecinstitute.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.infosecinstitute.com/resources/cryptography/the-dangers-of-rolling-your-own-encryption/>\n\n\\[2\\] NIST. \"Cryptographic Module Validation Program.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&CertificateStatus=Active&ValidationYear=0>\n\n\\[3\\] C. Tezcan. \"On Hiding Message Length in Symmetric-key Cryptography.\" forgottenlance.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cihangir.forgottenlance.com/papers/length_hiding_lasec.pdf>\n\n\\[4\\] Alyami M, Alghamdi A, Alkhowaiter MA, Zou C, Solihin Y. Random Segmentation: New Traffic Obfuscation against Packet-Size-Based Side-Channel Attacks. *Electronics*. 2023; 12(18):3816. <https://doi.org/10.3390/electronics12183816>\n\n\\[5\\] S. Xiong, A. D. Sarwate and N. B. Mandayam, \"Defending Against Packet-Size Side-Channel Attacks in Iot Networks,\" *2018 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)*, Calgary, AB, Canada, 2018, pp. 2027-2031, doi: 10.1109/ICASSP.2018.8461330.\n\n\\[6\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardware.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--064de415-3fdb-41e4-9842-2bc98b0d9693",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.059391Z",
            "modified": "2025-04-21T14:20:07.059391Z",
            "name": "Multi-factor Authentication",
            "description": "Multi-factor authentication \u201crequires users to present two or more authentication factors at login to verify their identity before they are granted access.\u201d \\[1\\] These typically include some combination of 1) something you know, like a password; 2) something you have, like a hardware or mobile token; or 3) something you are, such as fingerprints or other biometric data \\[1, 2\\]. Devices will not authenticate a user unless all required forms of authentication are presented.\n\nThreat actors therefore will not be able to authenticate to a device with simple username/password combinations that can be intercepted, phished, guessed by brute-force, or otherwise acquired.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.1 \u2013 Human user interaction and authentication: RE (2) Multifactor authentication for all interfaces",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-045",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] CISA. \"Multi-factor Authentication.\" cisa.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.cisa.gov/sites/default/files/publications/MFA-Fact-Sheet-Jan22-508.pdf>\n\n\\[2\\] P. Grassi, J. Fenton, E. Newton, R. Perlner, A. Regensheid, W. Burr, J. Richer, N. Lefkovitz, J. Danker, Y. Choong, K. Greene, and M. Theofanos. \"NIST 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf>\n\n\\[3\\] H. Guevera. \u201cMulti-factor Authentication Guide.\u201d Auth0 by Okta Blog. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://auth0.com/blog/multifactor-authentication-mfa/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--dbe52fb3-2f2f-4842-94ce-1110b7636cb2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.059596Z",
            "modified": "2025-04-21T14:20:07.059596Z",
            "name": "Authentication Attempts Timeouts and Lockouts",
            "description": "Implementing a lockout or delay after a certain number of incorrect guesses increases the time it would take threat actors successfully guess a password.\n\nProgressively increasing lockouts are a common implementation pattern. For example, a device may institute a 1-minute lockout after 5 wrong guesses, 3-minute lockout after 10 wrong guesses, 30-minute lockout after 20 wrong guesses, and so on. The threat actor therefore has to wait 34 minutes just to guess 20 passwords, while legitimate users that mistype their password once or twice are minimally impacted.\n\nDepending on the environment, lockouts can also be used. A lockout would instead lock the device so that no more authentication attempts can be made after a certain amount of password attempts were performed. Lockouts present risks to the device because devices will be unusable until the lockout is lifted, meaning that a denial-of-service-type effect is possible. This lockout can be lifted either through some authenticated administrative process and/or by requiring physical presence on the device (see *MID-031 - Physical Presence Validation* for more information).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.11 \u2013 Unsuccessful login attempts\u00a0\n\n- CR 2.5 \u2013 Session lock",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-046",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--717ee3d4-2ece-440b-a0f1-c914df8227f0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.05981Z",
            "modified": "2025-04-21T14:20:07.05981Z",
            "name": "Sufficient Entropy for Keys",
            "description": "To create sufficiently random keys, devices need a source of data with a high degree of entropy to ensure that the keys are not predictable. If a device does not have a source of sufficient entropy and tries to create a key, it may be possible that the inputs that seeded the key or pseudo-random number generator (PRNG) can be guessed and therefore threat actors may be able to recreate the key or predict the PRNG output. By using a high degree of entropy, keys and seeds are fully random and cannot be recreated by threat actors, thereby making them cryptographically stronger.\n\nDevices typically feed their entropy pools by collecting the unpredictable least significant bits from device events like the absolute and relative timing between things like hardware interrupts, user input, and other similarly unpredictable events. Complex devices like desktop and server PCs can rely on plentiful sources of such events. Embedded devices often do not have as rich a set of hardware, may have no direct interactive user input, fewer processes and applications executing, and are generally more regular and constrained in their actions. This can result in embedded systems having a shallower pool of entropy to draw upon when the need to generate cryptographic keys arises.\n\nOperations that consume data from an entropy pool to generate keys of seed PRNGs must wait until a sufficient quantity is available. To avoid (potentially long) pauses in operation, especially at boot up, some devices have been known to use non-blocking sources, and as a result the keys they generated were predictable and vulnerable to attack. To remain secure, devices should use a blocking entropy pool that waits until there is sufficient entropy to fulfill the request for random numbers. If the device doesn\u2019t have a way to generate enough entropy on first boot, devices may require mechanisms to obtain additional sufficient entropy (e.g. ask for random user inputs). 
If that is not practical, the design may need to be modified to include a cryptographic quality hardware-based random number generator (see *MID-048 - Hardware Random Number Generator* and *MID-060 - Dedicated Hardware Cryptographic Modules*).\n\n<u>Note</u>: Using sufficiently random keys is an important part of maintaining the security guarantees that a good cryptographic algorithm will provide. See *MID-044 - Strong Cryptographic Algorithms and Protocols* for more information about cryptographic algorithms.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.3 \u2013 Use of cryptography",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-047",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] E. Barker, A. Roginsky, R. Davis, \u201cRecommendation for Cryptographic Key Generation\u201d, NIST, Special Publication 800-133 Revision 2, 2020. doi: 10.6028/NIST.SP.800-133r2\n\n\\[2\\] M. T. Turam, E. Barker, J. Kelsey, K. A. McKay, M. L. Baish, M. Boyle, \u201cRecommendation for the Entropy Sources Used for Random Bit Generation\u201d, NIST, Special Publication 800-90B, 2018. doi: 10.6028/NIST.SP.800-90B\n\n\\[3\\] \u201cCryptographic Module Validation Program.\u201d NIST Computer Security Resource Center. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://csrc.nist.gov/projects/cryptographic-module-validation-program>\n\n\\[4\\] Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2012. Mining your Ps and Qs: detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX conference on Security symposium (Security'12). USENIX Association, USA, 35. Available: <https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f459d3d9-df9d-4cf5-9ec7-40391645e546",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.060017Z",
            "modified": "2025-04-21T14:20:07.060017Z",
            "name": "Hardware Random Number Generator",
            "description": "Hardware random number generators, sometimes called true random number generators, are pieces of hardware that use environmental noise, such as electromagnetic or thermal data, to create random numbers. Since these devices use local data that is constantly varying to create their random numbers, it is very difficult to recreate the environment in which the number was generated. Therefore, hardware random number generators can be used to create keys that have a high degree of entropy for their seeds and themselves have a high degree of randomness.\n\n<u>Note</u>: Implementors should be sure to verify that the hardware RNG they are considering produces a random stream of sufficient cryptographic quality for use in key generation and not simply a hardware implementation of a lower quality pseudo-random number generator (PRNG) algorithm.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.3 \u2013 Use of cryptography",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-048",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] C. Hoffman. \"How Computers Generate Random Numbers.\" howtogeek.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.howtogeek.com/183051/htg-explains-how-computers-generate-random-numbers/>\n\n\\[2\\] C. Shaw. \u201cHardware Random Number Generators.\u201d Cerberus Security Labs. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://cerberus-laboratories.com/blog/random_number_generators/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--989d96d7-d15a-45ce-b712-602c2da5a623",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.060207Z",
            "modified": "2025-04-21T14:20:07.060207Z",
            "name": "Secure Password Storage",
            "description": "Passwords should be stored only in a non-reversible salted and hashed format that is calculated by a cryptographically strong hashing algorithm. Hashing algorithms are one-way algorithms that can turn data into a unique fixed-length string representation of that data. Since this algorithm is one-way, data that is hashed cannot be turned back into its cleartext form, meaning that threat actors who come across hashed passwords have to try to hash every password combination until they have a match.\n\nThreat actors have been known to use pre-calculated lookup tables of hashed potential password values to accelerate the password guessing process. Salting can prevent this from happening by increasing the required size of the lookup tables to make this approach to guessing impractical. Salts are pieces of random data that are appended to the password before hashing and then are stored with the hashed password. What this does is make the password hash unique because the password is actually the password + the hashed data. Therefore, this password cannot be found in a hash lookup table, but the salted hash can still be calculated by the device within an acceptably short time bound.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.5 \u2013 Authenticator management",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-049",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] German Federal Office for Information Security. \u201cSecure passwords in embedded devices.\u201d allianz-fuer-cybersicherheit.de. Accessed: Apr. 16, 2025. \\[Online.\\] Available: <https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_069E.pdf?__blob=publicationFile&v=2>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--2a9a311e-8a23-4673-a35b-f7296d112571",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.060399Z",
            "modified": "2025-04-21T14:20:07.060399Z",
            "name": "Operating System Defenses Against Microarchitecture Feature Side Channels",
            "description": "A device\u2019s system software (operating system, hypervisor, etc.) can take precautions to defend against data leakage due to memory timing and speculative execution side channels like Spectre and Meltdown, and other more recently discovered issues with other processor microarchitecture features.\n\nFor example, context switches can be hardened to better isolate memory between lower and higher privileged contexts, strengthening page table separation, and invalidating caches. Additionally, compiler-based mitigations like the \u201cretpoline\u201d technique are effective against the branch target injection vulnerability in Spectre.\n\n<u>Note</u>: Where applicable, the system firmware and OS should ensure any relevant CPU microcode updates are applied that include patches for such vulnerabilities.\n\n<u>Limitation</u>: These software-based defenses have unavoidable performance impacts that can be significant depending on the workload involved.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- none",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-050",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] C. Stevens, N. Poggi, T. Desrosiers, R. Xin. \u201cMeltdown and Spectre: Exploits and Mitigation Strategies.\u201d Databricks. Accessed: Aug. 27, 2024. \\[Online.\\] Available: <https://www.databricks.com/blog/2018/01/16/meltdown-and-spectre-exploits-and-mitigation-strategies.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--116216d7-e48e-4dd8-913b-8d07a272feff",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.060596Z",
            "modified": "2025-04-21T14:20:07.060596Z",
            "name": "Disallow User-Provided Code",
            "description": "Several threats are made easier to exploit when a device allows the execution of adversary-provided code, such as a user provided program in a PLC or JavaScript code in an embedded web browser. If this functionality is not strictly necessary to the device\u2019s feature set, devices could simply not include the functionality on the device and these threats can be avoided.\n\n<u>Note</u>: The inherent loss of this device functionality from this approach is not always practical (e.g., when the device is intended to be programmable). See *MID-014 \u2013 Sandboxing* and *MID-040 -* *Cryptographically Signed Custom Programs* for alternative approaches to safely handle user-provided code when it cannot be avoided.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection for malicious code\u00a0\n\n- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-051",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--e859696e-ef19-4746-a3c6-e00f14ae9c2a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.0608Z",
            "modified": "2025-04-21T14:20:07.0608Z",
            "name": "Physically Protect Circuit Board Traces and Chip Pins",
            "description": "Data bus interception, chip readout, and other physical circuit board manipulation can be made more difficult through mechanical and design changes, such as moving bus traces to internal board layers, eliminating test headers, removing the silkscreen layer, choosing chip packages without exposed pins (e.g., BGA), placing epoxy over chips and traces, etc.\n\nAll of these mitigations hide board pins and traces, thereby making it more difficult for the threat actor to read data going to/from the chip without removing the chips themselves and altering the board, potentially damaging it beyond repair. Therefore, these mitigations increase the cost and difficulty for threat actors attempting to access information from the physical device.\n\n<u>Limitations</u>: This mitigation increases the level of effort required to successfully exploit this threat but is not a full solution. Skilled and well-resourced adversaries may be slowed but not deterred. This approach may be useful when stronger mitigations such as bus encryption are not feasible. Additionally, these techniques can make the system more difficult to debug during development and during failure analysis of defective units.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.11 \u2013 Physical tamper resistance and detection",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-052",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Royal Circuit Solutions. \u201cHack-Attack \u2014 PCB Design Ideas to Foil Potential Hackers.\u201d royalcircuits.com. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.royalcircuits.com/2019/11/22/hack-attack-pcb-design-ideas-to-foil-potential-hackers/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--bad66d3f-b053-48db-856a-4456673069e2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.060993Z",
            "modified": "2025-04-21T14:20:07.060993Z",
            "name": "Use IOMMU to Implement DMA Access Controls",
            "description": "Many modern processors that support Direct Memory Access (DMA) also contain an Input/Output Memory Management Unit (IOMMU) that can be configured to enforce an access control policy that prevents peripherals (e.g., PCIExpress devices) from reading or writing portions of system RAM they are not authorized to. This creates a barrier for threat actors attempting to maliciously access memory directly from a compromised or untrustworthy peripheral.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection for malicious code\u00a0\n\n- CR 2.1 \u2013 Authorization enforcement",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-053",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] A. T. Markettos, C. Rothwell, B. F. Gutstein, A. Pearce, P. G. Neumann, S. W. Moore, R. N. M. Watson, \u201cThunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals,\u201d in Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, 2019, doi: 10.14722/ndss.2019.23194.\n\n\\[2\\] Apple. \u201cDirect memory access protections for Mac computers.\u201d apple.com. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://support.apple.com/guide/security/direct-memory-access-protections-seca4960c2b5/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--ec8c4735-fdb6-42e4-930a-874702b94c72",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.061196Z",
            "modified": "2025-04-21T14:20:07.061196Z",
            "name": "Encrypt and Authenticate Non-volatile Storage Contents",
            "description": "Data that is stored in non-volatile storage external to the processor should be cryptographically protected, and only decrypted and authenticated within the processor at time of use. This removes opportunities for threat actors to access or modify unencrypted firmware code, configurations, or other sensitive data.\n\n<u>Limitations</u>: Extensive use of encryption can impact performance as data must be decrypted every time it is loaded for use. This may limit what portions of data are practical to encrypt or require migrating a design to use processors with hardware acceleration for decryption. Additionally, private and secret keys must be sufficiently protected, ideally in a hardware-backed keystore (see MID-028), or at least in on-chip memory (see MID-064) and should not be shared between devices (see MID-033).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.1 \u2013 Information confidentiality\n\n- CR 4.2 \u2013 Information persistence",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-054",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] S. Garg. \u201cProtecting Security Critical Firmware.\u201d linaro.org. Accessed: Aug. 27, 2024. \\[Online\\]. Available: <https://web.archive.org/web/20240422222306/https://www.linaro.org/blog/protecting-security-critical-firmware/>\n\n\\[2\\] D. Kleidermacher, \u201cEnhance system security with better data-at-rest encryption.\u201d embedded.com. Accessed: Aug. 27, 2024. \\[Online\\]. Available: <https://www.embedded.com/enhance-system-security-with-better-data-at-rest-encryption/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--7ec23ed5-c8e4-4aea-af7d-d113380fb18a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.061403Z",
            "modified": "2025-04-21T14:20:07.061403Z",
            "name": "Use Highly Integrated Processors to Avoid Physical Attacks",
            "description": "Highly integrated processors, particularly system-on-chip and system-in-package, combine some or all of processing, RAM (e.g., SRAM, DRAM), non-volatile storage, and peripherals within a single physical package. Integration of these components avoids the need to connect separate single-purpose components across a circuit board via physically accessible busses and traces. This removes many of the opportunities for a threat actor to perform bus interception, chip contents extraction, and other physical attacks.\n\n<u>Note</u>: Certain chips, particularly microcontrollers, utilize SRAM-based memory instead of DRAM. SRAM\u2019s lack of capacitance makes it resistant to the original cold boot attacks, however newer research has demonstrated analogous techniques for extracting the contents of SRAM-based memories, caches, and registers \\[1\\].",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.11 \u2013 Physical tamper resistance and detection",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-055",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Jubayer Mahmod and Matthew Hicks. 2022. SRAM has no chill: exploiting power domain separation to steal on-chip secrets. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '22). Association for Computing Machinery, New York, NY, USA, 1043\u20131055. [https://doi.org/10.1145/3503222.3507710](https://doi.org/10.1145/3503222.3507710)"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--31ced2d1-7193-4c13-9c5b-2a1bf6c41142",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.06159Z",
            "modified": "2025-04-21T14:20:07.06159Z",
            "name": "Allow Device Administrators to Disable Removable Storage Support",
            "description": "If a device supports removable external storage media (e.g., USB sticks), implement device configuration options that give administrators the option to disable this support (temporarily or permanently) and reenable it only if and when needed. Disablement should account for both the OS level (e.g., mounting a filesystem) and firmware level (e.g., booting from external storage) interaction with a storage device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.7 \u2013 Least functionality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-056",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--2984a4fe-bbc7-4e4e-a573-04af3c74ade7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.061803Z",
            "modified": "2025-04-21T14:20:07.061803Z",
            "name": "Disable Physical Development and Debugging Ports",
            "description": "Physical ports used during the device development and debugging process should be disabled or removed in devices meant for production use. This includes dedicated memory debug interfaces (e.g., JTAG), UART serial ports that expose sensitive data or command shells, or any similar port. These ports should be disabled in hardware (preferably) by engaging security fuses or at least in software. Simply depopulating physical headers on device circuit boards is not sufficient. Ideally, such ports should be disabled permanently, but if some degree of diagnostic capability is desired for production devices, reenabling one of these ports should be an authenticated administrative action.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 2.13 \u2013 Use of physical diagnostic and test interfaces",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-057",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardware.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--761e9d7d-ec5e-4b7f-a0e9-c04b0bc43b3e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.062017Z",
            "modified": "2025-04-21T14:20:07.062017Z",
            "name": "Engage Hardware Readout Protection Mechanisms",
            "description": "Many integrated processors contain security configuration options that can be engaged to disable programming and debugging features in devices intended for production use. These can irreversibly disable debugging interfaces that can read and write device memory (e.g., JTAG, boundary scan), block flash memory readout, lock down boot options, etc.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 2.13 \u2013 Use of physical diagnostic and test interfaces\u00a0\n\n- EDR / HDR / NDR 3.11 \u2013 Physical tamper resistance and detection",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-058",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] ST. \u201cSTM32 Readout Protection (RDP).\u201d stm32world.com. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://stm32world.com/wiki/STM32_Readout_Protection_(RDP)>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--62b56d8a-254e-4efe-9e09-0a2e524a58e2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.062225Z",
            "modified": "2025-04-21T14:20:07.062225Z",
            "name": "Software Patterns for Side Channel Resistance",
            "description": "Adhering to certain software development patterns can increase the resistance of code to side channel data leakage and limit a threat actor\u2019s ability to extract information via timing, power, or EM-based side channel analysis. Countermeasures can be organized into three categories: *hiding* (reducing the leakage and adding noise), *masking* (disassociating leakage from sensitive values, and by protocol (e.g., limiting the usage of sensitive values like cryptographic keys). Example techniques include designing computations to be independent of sensitive values from a time or power perspective, balancing the operations on either side of conditional statements, using unpredictable ordering for bit or byte test and comparison operations, adding randomness or noise, and limiting secret key reuse.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- none",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-059",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] M. Witteman, \u201cSecure Application Programming in the presence of Side Channel Attacks,\u201d Riscure, The Netherlands. Accessed: Aug. 21, 2024. \\[Online.\\] Available: <https://sidechannel.riscure.com/publications/secure-application-programming-in-the-presence-of-side-channel-attacks/>.\n\n\\[2\\] Intel. \"Security Best Practices for Side Channel Resistance.\u201d intel.com. Accessed: Aug 21, 2024. \\[Online.\\] Available: <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/security-best-practices-side-channel-resistance.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--50ae3284-16da-4218-abe7-b88c05519927",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.062464Z",
            "modified": "2025-04-21T14:20:07.062464Z",
            "name": "Dedicated Hardware Cryptographic Modules",
            "description": "A hardware-based cryptographic module can be an effective solution for a device when a purely software-based cryptographic library (MID-027) does not sufficiently mitigate against threats of concern (e.g., to side channel attacks, cryptographic key compromise) or meet performance constraints. Dedicated cryptographic modules can implement hardware-based defenses that are not possible in a software library. In processor-constrained designs, hardware acceleration of cryptographic algorithms can enable implementing stronger algorithms and key sizes than may be practical in a software-only solution. As with software cryptographic libraries, implementors should prefer modules that have been examined, tested, and vetted by independent laboratories according to industry approved specifications. Modules should also be evaluated for their protection against side channel attacks, especially based on power consumption and electromagnetic emittance.\n\n<u>Note</u>: This has several important distinctions from *MID-028 -* *Hardware-backed Key Storage.* In the MID-028 case, key material may reside in hardware-backed or hardware-based storage, but the hardware lacks the means to perform cryptographic operations using that key without exposing it to the system\u2019s processor. A fully hardware cryptographic module is capable of performing cryptographic operations internally on provided data without exposing the keys.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.3 \u2013 Use of cryptography\u00a0\n\n- CR 1.9 \u2013 Strength of public key-based authentication: RE (1) Hardware security for public key-based authentication\n\n- CR 1.14 \u2013 Strength of symmetric key-based Authentication: RE (1) Hardware security for symmetric key-based authentication\n\n- CR 1.5 \u2013 Authenticator management: RE (1) Hardware security for authenticators",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-060",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] NIST. \u201cCryptographic Module Validation Program.\u201d nist.gov. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://csrc.nist.gov/projects/cryptographic-module-validation-program>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--44eff409-d7aa-44ad-9f4d-8108a7fa5268",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.062689Z",
            "modified": "2025-04-21T14:20:07.062689Z",
            "name": "Use Separate Processors for Isolation",
            "description": "Inter-process data leakage side channels like Spectre, Meltdown, etc. that rely on memory cache behavior, speculative execution, and similar processor features can only occur when workloads share the same processor. Isolating workloads onto multiple physically separate processors avoids any such potential problems.\n\nPartitioning workloads by criticality or security level is recommended. For example, functions that process untrusted data or otherwise make up the device\u2019s attack surface should be separated from security and functionality critical operations. Avoid separating security decisions (e.g., authorization checks, signature validations) from the data and operations they govern; doing so can introduce weaknesses that allow bypassing those checks.\n\n<u>Limitations</u>: Adding additional processors to separate device functions and data necessarily increases the complexity and cost of the device\u2019s hardware and software. If chosen, care must be taken to avoid introducing new vulnerabilities in the course of implementing this mitigation approach.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 2.1 \u2013 Authorization enforcement (1) Authorization enforcement for all users (humans, software processes and devices)",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-061",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Apple. \u201cSecure Enclave.\u201d apple.com. Accessed: Apr. 16, 2025. \\[Online.\\] Available: <https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web>\n\n\\[2\\] K. Kostiainen, A. Dhar and S. Capkun, \"Dedicated Security Chips in the Age of Secure Enclaves,\" in IEEE Security & Privacy, vol. 18, no. 5, pp. 38-46, Sept.-Oct. 2020, doi: 10.1109/MSEC.2020.2990230."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--df49e510-a684-4eeb-b5cc-a3ac007eb773",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.062919Z",
            "modified": "2025-04-21T14:20:07.062919Z",
            "name": "Hardware Mitigations for Fault Injection",
            "description": "Numerous hardware-level defenses have been proposed to address the different varieties of fault injection. Tunable Replica Circuits (TRCs) \\[1\\] can be used to detect voltage and clock timing changes and have been deployed within some newer commercial CPUs from Intel \\[2\\]. Brown-out detection and reset circuits, as found in some microcontrollers, have been proposed to interrupt voltage glitch attacks if sensitive enough \\[8\\], however research has shown these can be bypassed by tuning the attack carefully \\[9\\]\\[10\\] although it does increase the difficulty of the attack \\[10\\]. Comparison techniques can be used to detect attacks on processor clock signals \\[3\\]\\[4\\]. Finely targeted electromagnetic interference (EMI) attacks can bypass single chip-wide voltage and clock-based defenses but have been shown to be detectable embedding multiple detectors within a chip \\[3\\] and by phase locked loop (PLL)-based sensor circuits \\[5\\]. \\[6\\] examines several detection schemes for optical fault injection techniques, such as embedding photosensors and shielding in a chip.\n\nA combination of multiple hardware and software-based mitigation techniques (see MID-063) to address the range of fault injection types, as recommended by \\[8\\], can prove more effective than any individual mitigation.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- none",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-062",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] K. A. Bowman and J. W. Tschanz, \"Resilient microprocessor design for improving performance and energy efficiency,\" 2010 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), San Jose, CA, USA, 2010, pp. 85-88, doi: 10.1109/ICCAD.2010.5654317.\n\n\\[2\\] D. Nemiroff, C. Tokunaga, \u201cTunable Replica Circuit for Fault- Injection Detection,\u201d in Blackhat USA 2022, Las Vegas, NV, USA, 2022. Available: <https://i.blackhat.com/USA-22/Wednesday/US-22-Nemiroff-Fault-Injection-Detection-Circuits.pdf>\n\n\\[3\\] L. Zussa et al., \"Efficiency of a glitch detector against electromagnetic fault injection,\" 2014 Design, Automation & Test in Europe Conference & Exhibition (DATE), Dresden, Germany, 2014, pp. 1-6, doi: 10.7873/DATE.2014.216.\n\n\\[4\\] C. Deshpande, \u201cHardware Fault Attack Detection Methods for Secure Embedded Systems,\u201d M.S. dissertation, Dept. Comp. Eng., Virginia Tech, Blacksburg, VA, USA, 2017. \\[Online\\]. Available: <https://vtechworks.lib.vt.edu/server/api/core/bitstreams/2b264fa1-1286-4802-9125-461ca4839c1c/content>\n\n\\[5\\] Noriyuki Miura, Zakaria Najm, Wei He, Shivam Bhasin, Xuan Thuy Ngo, Makoto Nagata, and Jean-Luc Danger. 2016. PLL to the rescue: a novel EM fault countermeasure. In Proceedings of the 53rd Annual Design Automation Conference (DAC '16). Association for Computing Machinery, New York, NY, USA, Article 90, 1\u20136. <https://doi.org/10.1145/2897937.2898065>\n\n\\[6\\] N. A. Anagnostopoulos, \u201cOptical Fault Injection Attacks in Smart Card Chips and an Evaluation of Countermeasures Against Them,\u201d M.S. thesis, Dept. Comp. Sci., Univ. of Twente, Enschede, Netherlands, 2014. \\[Online\\]. Available: <https://essay.utwente.nl/66028/7/Anagnostopoulos_MA_EEMCS.pdf>\n\n\\[7\\] Bilgiday Yuce, Nahid F. Ghalaty, Chinmay Deshpande, Conor Patrick, Leyla Nazhandali, and Patrick Schaumont. 2016. 
FAME: Fault-attack Aware Microprocessor Extensions for Hardware Fault Detection and Software Fault Response. In Proceedings of the Hardware and Architectural Support for Security and Privacy 2016 (HASP '16). Association for Computing Machinery, New York, NY, USA, Article 8, 1\u20138. <https://doi.org/10.1145/2948618.2948626>\n\n\\[8\\] J. Boone, S. Q. Khan. \u201cAlternative Approaches for Fault Injection Countermeasures (Part 3/3).\u201d NCC Group. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://research.nccgroup.com/2021/07/09/alternative-approaches-for-fault-injection-countermeasures-part-3-3/>\n\n\\[9\\] T. Korak and M. Hoefler, \"On the Effects of Clock and Power Supply Tampering on Two Microcontroller Platforms,\" 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, Busan, Korea (South), 2014, pp. 8-17, doi: 10.1109/FDTC.2014.11.\n\n\\[10\\] C. Bozzato, R. Focardi, and F. Palmarini. \u201cShaping the Glitch: Optimizing Voltage Fault Injection Attacks\u201d, TCHES, vol. 2019, no. 2, pp. 199\u2013224, Feb. 2019, doi: 10.13154/tches.v2019.i2.199-224.\n\n\\[11\\] J. van Woudenberg. \u201cTop 10 Secure Boot mistakes.\u201d Presented at hardware.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--90dff286-f6c8-47ef-b903-2291a2d84656",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.063145Z",
            "modified": "2025-04-21T14:20:07.063145Z",
            "name": "Software Mitigations for Fault Injection",
            "description": "Many software-based mitigations to fault injection have been imposed. These range from coding patterns and strategies that can be used at development time, to automated compiler-based techniques, and hybrid approaches that take advantage of hardware features.\n\nCertain programming patterns can harden pieces of code against common faults \\[1\\]\\[2\\]\\[3\\]. Redundancy is one such pattern, i.e., performing certain comparisons, memory reads, or function calls multiple times and comparing the results. Others include: choosing constant flag values with a large Hamming distance between them that are hard for a fault to generate or flip between, (e.g., multi-byte random bit strings instead of 0 and 1); adding code checks for \u2018impossible\u2019 paths through logic trees that could only be reached as a result of a fault; adding random time delays to operations; checking that loops executed to completion without stopping early; etc.\n\nOther research has proposed more systematic approaches to hardening code at compile time. As compile-time approaches must be automated and generally applicable to all code, they often implement more narrow protections against specific types of faults. Examples include automating the insertion of duplicate computations and comparisons throughout an application \\[4\\] or hardening the control flow of loops \\[5\\]. Instruction duplication (ID) is one commonly proposed technique that can be automatically applied \\[6\\]\\[7\\], however it has been shown over time that ID is only effective against faults that skip single instructions \\[8\\]\\[9\\]. An attacker that can coordinate multiple faults to target each duplication can likely still achieve their objective. 
\\[13\\] demonstrates that such coordination is feasible with readily accessible tools.\n\nOther general-purpose protections that protect a program\u2019s control flow graph, e.g., control flow integrity (CFI), can provide some protection against faults that alter function pointers and jump addresses similar to how a software exploit would. Software-based CFI schemes \\[10\\]\\[11\\] and hardware-assisted schemes (e.g., using ARM pointer authentication) \\[12\\] have been explored. See MID-407 and MID-020 for more information on CFI and pointer authentication/encryption.\n\nA combination of multiple hardware and software-based mitigation techniques (see MID-062) to address the range of fault injection types, as recommended by \\[3\\], can prove more effective than any individual mitigation.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- none",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-063",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] M. Witterman, \u201cFault Mitigation Patterns,\u201d Riscure. \\[Online\\]. Available: <https://sidechannel.riscure.com/publications/fault-mitigation-patterns/>\n\n\\[2\\] J. Boone, S. Q. Khan. \u201cSoftware-Based Fault Injection Countermeasures (Part 2/3).\u201d NCC Group. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://research.nccgroup.com/2021/07/08/software-based-fault-injection-countermeasures-part-2-3/>\n\n\\[3\\] J. Boone, S. Q. Khan. \u201cAlternative Approaches for Fault Injection Countermeasures (Part 3/3).\u201d NCC Group. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://research.nccgroup.com/2021/07/09/alternative-approaches-for-fault-injection-countermeasures-part-3-3/>\n\n\\[4\\] G. A. Reis, J. Chang, N. Vachharajani, R. Rangan and D. I. August, \"SWIFT: software implemented fault tolerance,\" *International Symposium on Code Generation and Optimization*, San Jose, CA, USA, 2005, pp. 243-254, doi: 10.1109/CGO.2005.34.\n\n\\[5\\] Julien Proy, Karine Heydemann, Alexandre Berzati, and Albert Cohen. 2017. Compiler-Assisted Loop Hardening Against Fault Attacks. ACM Trans. Archit. Code Optim. 14, 4, Article 36 (December 2017), 25 pages. <https://doi.org/10.1145/3141234>\n\n\\[6\\] Alessandro Barenghi, Luca Breveglieri, Israel Koren, Gerardo Pelosi, and Francesco Regazzoni. 2010. Countermeasures against fault attacks on software implemented AES: effectiveness and cost. In Proceedings of the 5th Workshop on Embedded Systems Security (WESS '10). Association for Computing Machinery, New York, NY, USA, Article 7, 1\u201310. <https://doi.org/10.1145/1873548.1873555>\n\n\\[7\\] Thierno Barry, Damien Courouss\u00e9, and Bruno Robisson. 2016. Compilation of a Countermeasure Against Instruction-Skip Fault Attacks. In Proceedings of the Third Workshop on Cryptography and Security in Computing Systems (CS2 '16). Association for Computing Machinery, New York, NY, USA, 1\u20136. 
<https://doi.org/10.1145/2858930.2858931>\n\n\\[8\\] Cojocar, L., Papagiannopoulos, K., Timmers, N. (2018). Instruction Duplication: Leaky and Not Too Fault-Tolerant!. In: Eisenbarth, T., Teglia, Y. (eds) Smart Card Research and Advanced Applications. CARDIS 2017. Lecture Notes in Computer Science(), vol 10728. Springer, Cham. <https://doi.org/10.1007/978-3-319-75208-2_10>\n\n\\[9\\] B. Yuce, N. F. Ghalaty, H. Santapuri, C. Deshpande, C. Patrick and P. Schaumont, \"Software Fault Resistance is Futile: Effective Single-Glitch Attacks,\" *2016 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC)*, Santa Barbara, CA, USA, 2016, pp. 47-58, doi: 10.1109/FDTC.2016.21.\n\n\\[10\\] V. B. Thati, J. Vankeirsbilck, J. Boydens and D. Pissort, \"Selective Duplication and Selective Comparison for Data Flow Error Detection,\" *2019 4th International Conference on System Reliability and Safety (ICSRS)*, Rome, Italy, 2019, pp. 10-15, doi: 10.1109/ICSRS48664.2019.8987731.\n\n\\[11\\] R. Schilling, M. Werner and S. Mangard, \"Securing conditional branches in the presence of fault attacks,\" *2018 Design, Automation & Test in Europe Conference & Exhibition (DATE)*, Dresden, Germany, 2018, pp. 1586-1591, doi: 10.23919/DATE.2018.8342268.\n\n\\[12\\] Schilling, R., Nasahl, P., Mangard, S. (2022). FIPAC: Thwarting Fault- and Software-Induced Control-Flow Attacks with ARM Pointer Authentication. In: Balasch, J., O\u2019Flynn, C. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2022. Lecture Notes in Computer Science, vol 13211. Springer, Cham. <https://doi.org/10.1007/978-3-030-99766-3_5>\n\n\\[13\\] M. Alt. \u201cGlitching in 3D: Low Cost EMFI Attacks,\u201d presented at CanSecWest 2024, Vancouver, BC, Canada, March, 2024. Available: <https://github.com/voidstarsec/csw-2024/blob/gh-pages/csw.pdf>\n\n\\[14\\] J. van Woudenberg. 
\u201cTop 10 Secure Boot mistakes.\u201d Presented at hardware.io Hardware Security Conference and Training, Santa Clara, CA, USA, 2019. \\[Online\\]. Available: <https://hardwear.io/usa-2019/presentations/Top-10-Secure-Boot-Mistakes-v1.1-hardwear-io-usa-2019-jasper-van-woudenberg.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--ec3590f3-458b-4049-847c-87dbfd9fc43f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.063361Z",
            "modified": "2025-04-21T14:20:07.063361Z",
            "name": "Store Critical Code and Data in On-Chip Memory",
            "description": "On-chip non-volatile storage in a processor can be used to protect high-value data from extraction and modification. Many processors include ROM, NVRAM, or specialized write-once storage (e.g. security fuses). Common implementation patterns include storing keys and bootloader code used to bootstrap loading further stages of encrypted firmware (see MID-054) from external storage and to verify its authenticity as part of a secure boot chain. In other applications, the device firmware may be small enough to fit entirely within such on-chip storage (see MID-055).\n\n<u>Note</u>: MID-058 must be implemented as well to obtain the protection afforded by this mitigation.\n\n<u>Limitations</u>: Motivated attackers may resort to invasive and destructive analysis of ICs which can extact data or reset security fuses. In the case of keys and other secrets, combining this mitigation with MID-033 can prevent an invasive attack from affecting more than the single device attacked.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.11 \u2013 Physical tamper resistance and detection",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-064",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Intel. \u201cIntel Hardware Shield \u2013 Below-the-OS Security,\u201d intel.com. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://web.archive.org/web/20231220181349/https://www.intel.com/content/dam/www/central-libraries/us/en/documents/below-the-os-security-white-paper.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--26f07105-06e7-4052-90a3-f9bf0f185901",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.063576Z",
            "modified": "2025-04-21T14:20:07.063576Z",
            "name": "RAM Encryption",
            "description": "Some modern processors from Intel, AMD, and ARM include support for dynamically encrypting portions of memory to create secure enclaves for sensitive processes or virtual machines. This mechanism prevents unauthorized accesses to the cleartext contents of these memory regions from attacks such as (i) memory extraction through direct reads like in a Coldboot attack, (ii) DMA access to data in volatile memory not in active use, (iii) privilege escalation that gives processes direct memory reads, (iiii) reading memory being transferred into/out of volatile memory, and (iv) can reduce the effectiveness of RowHammer-style attacks from targeting specific bit flip manipulations (e.g., for privilege escalation) and reduce them to denial of service.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.1 \u2013 Information confidentiality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-065",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Intel. \u201cRuntime Encryption of Memory with Intel\u00ae Total Memory Encryption\u2013Multi-Key.\" intel.com. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.intel.com/content/www/us/en/developer/articles/news/runtime-encryption-of-memory-with-intel-tme-mk.html>\n\n\\[2\\] D. Kaplan, J. Powell, T. Woller, \u201dAMD Memory Encryption,\u201d amd.com, 2021. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/memory-encryption-white-paper.pdf>\n\n\\[3\\] ARM. \u201cLearn the Architecture \u2013 Realm Management Engine.\u201d arm.com. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://developer.arm.com/documentation/den0126/0100/Overview>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--2a56c9aa-78ae-4ac3-a7d0-bbd8e15eb4cc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.063781Z",
            "modified": "2025-04-21T14:20:07.063781Z",
            "name": "Implement Redundant Processing and Memory",
            "description": "Systems that require high reliability may implement redundant memory and processors to tolerate faults. These ensure data validity before acting on it, for example by implementing a voting mechanism or other error detection algorithm. This can make a system more resistant to (1) manipulations that cause memory bit errors, such as RowHammer, as it is unlikely a majority of a redundant set of memory chips will exhibit identical bit flips when subjected to an attack, and (2) fault injection attacks if the fault is probabilistic and cannot be made to effect each redundant processor identically.\n\n<u>Limitations</u>: A motivated adversary may coordinate simultaneous fault injections against all of the redundant components to still achieve a successful attack, however this will be more challenging than attacking a design without redundancy. The benefits of increasing attack difficulty must be weighed against the additional complexity added to the device design and its corresponding costs and risks.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- none",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-066",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] B. Johnson, D. Caban, M. Krotofil, D. Scali, N. Brubaker, C. Glyer. \u201cAttackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure.\u201d google.com. Accessed: Apr. 14, 2025. \\[Online.\\] Available: <https://cloud.google.com/blog/topics/threat-intelligence/attackers-deploy-new-ics-attack-framework-triton>\n\n\\[2\\] S. Habinc. \u201cFunctional Triple Modular Redundancy (FTMR) VHDL Design Methodology for Redundancy in Combinatorial and Sequential Logic.\u201d esa.int. Accessed: Apr. 14, 2025. \\[Online.\\] Available: <http://microelectronics.esa.int/techno/fpga_003_01-0-2.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8ad008f0-2eb3-4fd7-b57a-4c17711a1bca",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.064031Z",
            "modified": "2025-04-21T14:20:07.064031Z",
            "name": "Implement DRAM RowHammer-resistant DRAM and Memory Controllers",
            "description": "As DRAM densities increase and cell sizes shrink, they become increasingly vulnerable to RowHammer-style attacks. Since its discovery, many solutions have been proposed in the research community to varying degrees of success \\[1\\]. ECC memory can provide some protection against single bit errors, but multi-bit flip RowHammer variants have been demonstrated that exceed ECC\u2019s ability to correct \\[2\\]. ECC-detectable single bit errors may occur during an attempted RowHammer and provide indication to a firmware or operating system-level mitigation that an attack is underway.\n\nNewer DRAM specifications have introduced defenses, such as DDR4\u2019s Target Row Refresh (TRR) mechanism, that have made a successful RowHammer attack more difficult. However, attack methods have been refined to achieve success even on TRR-enabled DRAMs \\[3\\]. Not all DRAM modules are equally susceptible, and the memory controllers built into processors have implemented defenses of various efficacy. In \\[3\\], the authors show how to test the performance of a particular combination.\n\nJEDEC updated the DDR5 specification in 2024 (JESD79-5C) to add Per-Row Activation Counting (PRAC) \\[4\\]. PRAC-enabled DRAM chips track individual DRAM row activations and signal the memory controller when the count exceeds a threshold value indicating a potential victim row requires a refresh that the controller must then command. Recent research concludes that PRAC does mitigate a RowHammer-style attack in many cases, although is subject to potentially high performance and energy overheads \\[5\\].\n\nIf the CPU/SoC\u2019s memory controller supports it, system firmware and device operating system could cooperate with the memory controller hardware to leverage indicators from ECC, PRAC, etc. to inform additional layers of mitigation, such as identifying and terminating the offending application process conducting the RowHammer attack \\[6\\].",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.4 \u2013 Software and information integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-067",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Onur Mutlu, Ataberk Olgun, and A. Giray Ya\u011fl\u0131kc\u0131. 2023. Fundamentally Understanding and Solving RowHammer. In Proceedings of the 28th Asia and South Pacific Design Automation Conference (ASPDAC '23). Association for Computing Machinery, New York, NY, USA, 461\u2013468.\n\n\\[2\\] VUSec. \u201cECCPLOIT: ECC Memory Vulnerable to RowHammer Attacks After All.\u201d visec.net. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.vusec.net/projects/eccploit/>\n\n\\[3\\] P. Frigo et al., \"TRRespass: Exploiting the Many Sides of Target Row Refresh,\" 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2020, pp. 747-762, doi: 10.1109/SP40000.2020.00090.\n\n\\[4\\] JEDEC. \u201cJEDEC Updates JESD79-5C DDR5 SDRAM Standard: Elevating Performance and Security for Next-Gen Technologies.\u201d jedec.org. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.jedec.org/news/pressreleases/jedec-updates-jesd79-5c-ddr5-sdram-standard-elevating-performance-and-security>\n\n\\[5\\] O. Canpolat, A. G. Ya\u011fl\u0131k\u00e7\u0131, G. F. Oliveira, A. Olgun, O. Ergin, O. Mutlu, \u201cUnderstanding the Security Benefits and Overheads of Emerging Industry Solutions to DRAM Read Disturbance,\u201d 2024, arXiv:2406.19094.\n\n\\[6\\] \u201cSystem Level Rowhammer Mitigation,\u201d JEDEC, JEP301-1, Mar. 2021."
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--af9c27a6-fe3d-42ba-acdc-807d835c9faa",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.06429Z",
            "modified": "2025-04-21T14:20:07.06429Z",
            "name": "Data Bus Encryption and Message Authentication",
            "description": "Applying cryptographic solutions to inter-chip and inter-peripheral data bus messaging can protect against data interception and modification. A message authentication code (MAC) scheme can be sufficient to protect the integrity of bus data from manipulation, but a more complete encryption scheme is required to maintain confidentiality. More complex chips (e.g., microcontrollers) will often be needed on either end of the communication that have specialized support for pairing, key management, message authentication codes, and encryption. Additionally, the extra overhead of adding encryption often requires migrating to newer, more capable bus protocols that support encryption, for examples CAN-FD vs. CAN \\[1\\]. On the higher end of performance, the PCI SIG is developing the Integrity and Data Encryption feature for inclusion in a future version of the PCIe bus specification \\[2\\].\n\nApple\u2019s TouchID fingerprint authentication mechanism incorporates an example of this mitigation \\[3\\]. The device\u2019s TouchID fingerprint sensor and the Secure Enclave chip are provisioned with a unique shared key at manufacturing time. This key is used to negotiate an additional session key that encrypts and authenticates the sensor data as it passes between the two chips.\n\n<u>Limitations</u>: Many common PCB-level bus and interconnect protocols do not support encryption or authentication. Restricting a device design to components that do have these features may be a too limiting or too costly constraint. Device pairing and key management mechanisms and processes are necessary, add complexity to device design and manufacturing, especially to implement unique keys on each device (see MID-033).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.1 \u2013 Communication integrity: RE (1) Communication authentication\n\n- EDR / HDR / NDR 3.11 \u2013 Physical tamper resistance and detection",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-068",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] W. Busch. \u201cBoosting security in cars with CAN-FD.\u201d Avnet Silica. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://my.avnet.com/silica/resources/article/boosting-security-in-cars-with-can-fd/>\n\n\\[2\\] D. Harriman. \u201cIntegrity and Data Encryption (IDE) and IO Security Updates.\u201d PCI SIG. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://pcisig.com/blog/integrity-and-data-encryption-ide-and-io-security-updates>\n\n\\[3\\] Apple. \u201cApple Platform Security.\u201d apple.com. Accessed: Aug. 26, 2024. \\[Online\\]. Available: <https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--6d9ac66a-027d-4d7e-8f2f-1480bc510d12",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.064518Z",
            "modified": "2025-04-21T14:20:07.064518Z",
            "name": "Electrical Fault Protection",
            "description": "Externally accessible I/O ports should be protected against damaging electrical faults such as electro-static discharge (ESD), voltage transients, surges, reverse polarity, etc. Protections include adding protection circuits to vulnerable ports (e.g., protection diodes, optoisolators, etc.) and selecting ICs and other components that are more resilient to electrical faults. In addition to general guidance, industry-specific standards exist for many embedded device market domains that provide recommendations and requirements tailored more specifically to the needs of each domain (e.g., automotive, medical, etc.)",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- EDR / HDR / NDR 3.11 \u2013 Physical tamper resistance and detection",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-069",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] \u201cDesign Guide: TIDA-00731 IEC ESD, EFT, and Surge RS-485 Bus Protection Design Guide,\u201d Texas Instruments, TIDUAS1B, 2019. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.ti.com/lit/ug/tiduas1b/tiduas1b.pdf?ts=1721068648253>\n\n\\[2\\] Analog Devices. \u201cESD Protection for I/O Ports.\u201d analog.com. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.analog.com/en/resources/technical-articles/esd-protection-for-io-ports.html>\n\n\\[3\\] V. Nandam, L. Ghulyani, \u201cSimplifying EFT, Surge and Power-Fail Protection Circuits in PLC Systems,\u201d Texas Instruments, SLVA833D, 2021. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://www.ti.com/lit/an/slva833d/slva833d.pdf?ts=1721068743110>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--1cd9b54f-7675-4991-b15a-5510d3be219a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.064762Z",
            "modified": "2025-04-21T14:20:07.064762Z",
            "name": "Peripheral Component Authentication",
            "description": "To protect against malicious or compromised peripherals, a system might institute a scheme in which peripherals are considered untrusted until authenticated and authorized to access necessary system resources (e.g., system memory for DMA). Internal system components are often implicitly trusted, although many contain firmware of their own that, if modified, may cause the device to behave maliciously. Trusting external peripherals (e.g., USB devices) is always a risk. Each of a device\u2019s processors and other components may instead treat other bus-connected components similarly to remote nodes on a network, perform cryptographic mutual authentication of a components\u2019 identities, and use this to execute trust decisions. Measurement and attestation of component firmware can add further assurance.\n\nSome Apple devices implement a form of this for certain security-sensitive components like the TouchID fingerprint reader \\[2\\].\n\nUpcoming revisions of the PCI Express specification will add the Component Measurement and Authentication (CMA) mechanism \\[1\\], which will allow a system to verify the authenticity of a PCIe device and its firmware before allowing it to access system resources, preventing malicious or compromised peripherals from obtaining the degree of system access needed to perform attacks.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 1.2 \u2013 Software process and device identification and authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-070",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] N. Edwards, T. Koulouris, M. Krause. \u201cPCIe Component Authentication.\u201d PCI SIG. Accessed: Aug. 28, 2024. \\[Online\\]. Available: <https://pcisig.com/pcie%C2%AE-component-authentication>\n\n\\[2\\] Apple. \u201cApple Platform Security.\u201d apple.com. Accessed: Aug. 26, 2024. \\[Online\\]. Available: <https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--fcbe13dc-f184-4cdb-b5d8-79bc947f6ee4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.064992Z",
            "modified": "2025-04-21T14:20:07.064992Z",
            "name": "Sanitized and Escaped User Data for Web Applications",
            "description": "Web applications should encode all outputs of user data, put safety controls around all inputs, and store variables in safe attributes. Encoding outputs ensures that all outputted variables on the web application are converted into text before displaying. Encoded or escaped text will not execute on the user\u2019s browser, making the variables safe for display. For example, putting quotes around variables, using escape sequences, using encoding formats for special characters like single or double quotes, and putting displayed variables in safe HTML or CSS structures can all help to prevent code execution upon output. These controls should be used when the user has the ability to edit any HTML on the webpage.\n\nPotential ways to sanitize HTML input include using the JavaScript DOMPurify.sanitize() function and storing variables in safe structures or \u201csafe sinks\u201d. Safe sinks are HTML structures that will always treat the stored variable as text and therefore will never execute it.\n\n<u>Note</u>: It is best to use web application frameworks that have this functionality already built-in and have been well tested and are widely used.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.5 \u2013 Input validation",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-071",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OWASP. \"Cross Site Scripting Prevention Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html>\n\n\\[2\\] OWASP. \"Input Validation Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f2d5d36d-8079-457f-a4bb-00f507008b1a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.065208Z",
            "modified": "2025-04-21T14:20:07.065208Z",
            "name": "Parameterized SQL Queries",
            "description": "Web apps should not pass SQL queries for execution by a database unless they conform to one of the recommended query formation mitigations below. Methods can include 1) only executing prepared statements with parameterized queries, 2) only executing stored procedures, and 3) allow-list input validation \\[1\\].\n\nPrepared statements with parameterized queries change the way that the web app will process a user request and form a query. When using prepared statements, the web app that processes the user data will take the user data and place it into a pre-defined section of the query, with the rest of the query already formed. Therefore, the actual SQL commands that the database will be executing are handled and compiled before the user input is processed and inserted, so the user input cannot introduce any new potentially malicious commands. This is then coupled with parameterized variables, where variables are set to be a certain type before being inserted into the SQL statement to ensure that no variable can be misconstrued as a command and not a string, for example.\n\nStored procedures are procedures that are crafted and pre-stored on the web app. They can be sent to the SQL database upon prompting from the client to the web app. Since these statements are pre-crafted and stored before the client has any interaction with the web app, the client cannot send custom queries that may be malicious. Assuming that the user data is parameterized here as well, users will not be able to inject data into the query that will not be interpreted as a literal data type. Therefore, the threat surface is lowered because the stored procedures can be implemented safely, and user input will not be able to add any new commands.\n\nAllow-list input validation is implemented by creating an allow-list of parameters for clients to choose from. This allow list can be implemented through conditionals like *if*\u2026*else* and *switch* statements. 
This would prevent potential commands contained in user inputs from being a part of the final SQL query statement given to the database.\n\n<u>Limitation</u>: If a device is using stored procedures, particular care needs to be made to what permissions the stored procedure executor has. If the device has device-level users, the user that executes the procedures may need a high-level of permissions, which could make that user a target to threat actors.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.5 \u2013 Input validation",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-072",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OWASP. \"SQL Injection Prevention Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--879f5405-8ccd-48ce-aeda-c3cfa07de206",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.065445Z",
            "modified": "2025-04-21T14:20:07.065445Z",
            "name": "Secure HTTP Session Management",
            "description": "The web application should use session tokens or IDs to manage each authenticated user session. Core requirements for secure session management include:\n\n- Sessions tokens should be implemented using a trusted web framework to ensure that tokens are correctly assigned, enforced, tracked, and maintained to ensure that they keep their integrity and provide all necessary security guarantees.\n\n- Each session should be associated with a unique and non-predictable session IDs, which includes sufficient entropy to prevent guessing and is totally decoupled from and unrelated to any inherent user information.\n\n- Session IDs should be protected against leakage. HTTP Cookies provide multiple ways to prevent leakage, including the HTTPOnly, SameSite, Domain and Path information, expiration, and max-age secure attributes.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.8 \u2013 Session integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-073",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OWASP. \"Session Management Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--16dac18c-20e3-44d8-adbf-66f24c780ebc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.06566Z",
            "modified": "2025-04-21T14:20:07.06566Z",
            "name": "Cross Site Request Forgery Mitigations",
            "description": "The web application should include mechanisms that will ensure that only authentic HTTP requests are processed. These mitigation mechanisms include [synchronizer token patterns](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern), [double-submit cookie patterns](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#alternative-using-a-double-submit-cookie-pattern), and [forbidding simple requests](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#disallowing-simple-requests). Additional techniques can be deployed to bolster the device\u2019s other mitigations, such as such as using [SameSite cookies](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute), using [standard headers](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#using-standard-headers-to-verify-origin), and [requiring user interaction](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#user-interaction-based-csrf-defense) for all privileged actions (instead blindly allowing actions to take place just based on the URL). Ideally a web application framework should be used to implement these mitigations to ensure they are effectively and consistently deployed.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.8 \u2013 Session integrity",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-074",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OWASP. \"Cross-Site Request Forgery Prevention Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--343136e8-66cd-4001-b3b7-a73eecced1d5",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.065868Z",
            "modified": "2025-04-21T14:20:07.065868Z",
            "name": "Path Traversal Protections",
            "description": "To avoid path traversal attacks, devices should not use raw user input as direct inputs to file system calls. For example, OWASP \\[1\\] recommends: (i) using indexes instead of file names, (ii) validating the user\u2019s input by only accepting it if it matches predefined values, (iii) using technical mechanisms to limit where the user can access files from, and (iv) normalizing user inputs.\n\nAdditionally, devices should choose a single path to access a file and canonicalize it, as opposed to allowing all absolute paths access to that file. This can prevent threat actors from inserting alternative paths (e.g., using relative directory names or symlinks) that map to the target file but that the device was not expecting, which may result in bypassing file access control policies. Devices should convert all received paths into canonicalized absolute paths and then use the resulting canonicalized path as the subject for access control decisions.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.5 \u2013 Input validation",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-075",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OWASP. \"Path Traversal.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://owasp.org/www-community/attacks/Path_Traversal>\n\n\\[2\\] OWASP. \"Input Validation Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html>\n\n\\[3\\] PortSwigger. \"Path traversal.\" portswigger.net. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://portswigger.net/web-security/file-path-traversal>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--0ecdf4fc-d494-4c1b-8877-ac0e823ce6e4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.066075Z",
            "modified": "2025-04-21T14:20:07.066075Z",
            "name": "Web Direct Object Reference Authentication",
            "description": "Every direct object reference should be governed by a session authentication and permission check \\[1\\]. Where possible, devices should use web application frameworks to host their files instead of hosting directly from their web servers. When using frameworks, ensure that all file formats associated with a web application (.txt, .pdf, documents) are being hosted on and managed by the framework \\[2\\].\n\n<u>Note</u>: To learn more about session authentication, see *MID-073 \u2013 Secure HTTP Session Management*.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 2.1 \u2013 Authorization enforcement: RE (1) Authorization enforcement for all users (humans, software processes and devices)",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-076",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OWASP. \"Insecure Direct Object Reference Prevention Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html>\n\n\\[2\\] D. Tidmarsh. \"Insecure Direct Object Reference (IDOR) Vulnerability Detection and Prevention.\" eccouncil.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.eccouncil.org/cybersecurity-exchange/web-application-hacking/idor-vulnerability-detection-prevention/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--c3ed4132-c26d-4812-b526-43ca91e50a05",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.066297Z",
            "modified": "2025-04-21T14:20:07.066297Z",
            "name": "Secure Deserialization",
            "description": "Serialized data should not be implicitly trusted. To check for the structure and contents of serialized data, that data needs to be deserialized, which could cause vulnerable code to run. For example, data that is serialized in a legitimately valid format may still include data that is unsafe and can lead to code injection. Input validation against the serialization format is insufficient defense in this case.\n\nWhen its use cannot be avoided, serialized data\u2019s authenticity should be checked prior to performing deserialization, such as signing it to verify the authenticity of the origin of the data. Additionally, if data needs to be serialized/deserialized, simpler structures and formats should be preferred that are easier to verify for safety prior to deserialization.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.5 \u2013 Input validation\u00a0\n\n- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-077",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] OWASP. \"Deserialization Cheat Sheet.\" owasp.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html>\n\n\\[2\\] B. Vermeer. \"Serialization and deserialization in Java: explaining the Java deserialize vulnerability.\" synk.io. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://snyk.io/blog/serialization-and-deserialization-in-java/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--9ab5eb97-9b19-4a53-af75-99a637920000",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.066516Z",
            "modified": "2025-04-21T14:20:07.066516Z",
            "name": "HTTP Request/Response Validation",
            "description": "HTTP requests should be checked for special characters (CR, LF, etc.) to ensure parsing logic errors do not occur, such as one request being broken into two separate requests. Additionally, HTTP requests should have enforceable and robust request-length checks.\n\nAny request that fails these two checks should be rejected and the TCP connection facilitating it should be closed. By using these two validating mechanisms, devices can ensure that no extra text, such as the insertion of malicious requests, can be added to the legitimate request.\n\n<u>Note</u>: HTTP/2 includes features such as length checking and should be used end-to-end wherever possible.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 3.5 \u2013 Input validation",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-078",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] PortSwigger. \"HTTP request smuggling.\" portswigger.net. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://portswigger.net/web-security/request-smuggling#how-to-prevent-http-request-smuggling-vulnerabilities>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--64e0ee28-6847-4551-b215-39da960ca68c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.066725Z",
            "modified": "2025-04-21T14:20:07.066725Z",
            "name": "Remove Undocumented Network Functionality",
            "description": "All network protocol functionality, including function codes, should be documented and available to the owners/operators of a device. The presence of undocumented functionality prevents device operators from adequately taking precautions and monitoring network behavior based on a device's potential threat landscape. Without proper documentation, device users have no knowledge of what function codes are going over their network, leaving them exposed to potential threats and preventing them from implementing security features on their network, such as a message-level firewalls.\n\nDocumentation should include (i) describing the full set of function codes or message types that the device produces or accepts, (ii) functions that affect device management or can cause configuration changes, and (iii) authentication and encryption modes and mechanisms it is capable of. Any functions that are not meant for use in a production environment should be removed. The device operator should have full knowledge of any network-accessible function that can affect the behavior or performance of the device.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.7 \u2013 Least functionality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-079",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": ""
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--da62947b-f3ad-40b9-9e97-57798fb4c3d3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.066945Z",
            "modified": "2025-04-21T14:20:07.066945Z",
            "name": "Network Request Processing Limits",
            "description": "A device can be susceptible to denial-of-service when its ability to process network messages and requests is overwhelmed by a threat actor, causing device resources (e.g., processing, memory, bandwidth, ports, etc.) to be exhausted and leading it to become unresponsive. The effect is magnified when asymmetries exist allowing small messages, which are inexpensive for an attacker to generate, lead to expensive response processing on the device.\n\nTechnical mechanisms to implement this mitigation can include timeout functions that will return/cancel request processing after a set amount of time after the request is made, limiting the overall bandwidth that a device will process, constraining the number of active connections a device will support, instituting request queue management and prioritization, or separating request handler code paths so that resource limits can be imposed on them. These mechanisms can work together to ensure that the network protocol handlers and services remain responsive, and that no one handler, or source of traffic, can monopolize all system processing resources.\n\nIf protocol designs allow for it, expensive operations should not be performed as a result of unauthenticated or pre-authentication messages (*MID-034 - Authenticate Network Traffic)*, constraining threat actors\u2019 access to easily access the most exhaustible resources.\n\n<u>Note</u>: Device creators should take care to ensure that the processing limits do not become the target of denial-of-service attacks themselves. For example, if a device only allows one connection at a time, threat actors may try to occupy that connection, preventing legitimate users from communicating.\n\n<u>Limitation</u>: Device-level mitigations cannot cope with flooding attacks that simply overwhelm the bandwidth capacity of the device\u2019s network link. In this case, upstream network devices must impose appropriate rate limits.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 7.1 \u2013 Denial of service protection\n\n- CR 7.2 \u2013 Resource management",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-080",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Cloudflare. \"What is Rate limiting? \\| Rate limiting and bots.\" cloudflare.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.cloudflare.com/learning/bots/what-is-rate-limiting/>\n\n\\[2\\] MITRE. \"Limit Access to Resource Over Network.\" mitre.org. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://attack.mitre.org/mitigations/M1035/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--8796a481-334e-43c0-b3fe-412c5f6f19f1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.067163Z",
            "modified": "2025-04-21T14:20:07.067163Z",
            "name": "Secure Network Tunnels",
            "description": "When a protocol itself does not support authentication, encryption, and/or message integrity checking, secure network tunnels can be implemented to provide communications with those security features. Secure network tunnels are best used when devices need to support a specific insecure protocol, either for functionality or to support legacy devices, and cannot have that protocol replaced by a protocol that is more secure by default.\n\nSecure network tunnels will wrap a protocol in a more secure protocol (e.g., TLS, IPsec, SSH tunneling, etc.) that provides security features such as encryption, authentication, and message integrity checking. These added features make sending spoofed, illegitimate, or replayed messages more difficult.\n\nTo enable secure network tunnels, both the sending and receiving device must be compatible with the secure tunnel protocol and the underlying wrapped protocol. If the devices themselves cannot be made compatible with the wrapping protocol, a dedicated gateway device can be placed between the incompatible device and upstream network to implement the tunnel. Therefore, the downstream device may continue to use the insecure underlying protocol, while it is shielded within the tunnel while traversing intervening networks.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.1 \u2013 Information confidentiality\n\n- CR 3.1 \u2013 Communication integrity: RE (1) Communication authentication",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-081",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] W. Floyd. \"The TLS (Transport Layer Security) Protocol in Secure Modbus/TCP.\" control.com. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://control.com/technical-articles/tls-transport-layer-security-protocol-secure-modbus-TCP/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--5dd947ea-3405-4e37-9ec3-449c9e004be0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.067372Z",
            "modified": "2025-04-21T14:20:07.067372Z",
            "name": "Post-quantum Cryptography",
            "description": "Post-quantum cryptography refers to a class of cryptographic algorithms that are resistant to attacks by quantum computers, which could otherwise undermine the non-quantum-resistant algorithms\u2019 cryptographic guarantees (e.g., RSA, Diffie-Hellman, ECC, etc.). By using these post-quantum algorithms, devices can make their communications more secure against attacks by future quantum computers which may enter practical use during the expected lifetime of the device.\n\n<u>Limitations</u>: Current post-quantum cryptographic schemes and algorithms are still emerging \\[2\\]\\[3\\] and may require some time before implementations become widely available in cryptographic libraries (see MID-027) and hardware modules (MID-060).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.3 \u2013 Use of cryptography",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-082",
            "x_mitre_emb3d_mitigation_maturity": "intermediate",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] L. Chen, S. Jordan, Y. Liu, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone. \"NIST IR 8105 - Report on Post-Quantum Cryptography.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf>\n\n\\[2\\] NIST. \"NIST Announces First Four Quantum-Resistant Cryptographic Algorithms.\" nist.gov. Accessed: Aug. 28, 2024. \\[Online.\\] Available: <https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms>\n\n\\[3\\] NIST. \u201cNIST Releases First 3 Finalized Post-Quantum Encryption Standards.\u201d nist.gov. Accessed: Sep. 5, 2024. \\[Online.\\] Available: <https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--83cb878c-dbdd-44c8-90f0-dda87adfaa16",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.067597Z",
            "modified": "2025-04-21T14:20:07.067597Z",
            "name": "Network Firewall/Access Control List",
            "description": "If a device has routing capabilities, the device should have a firewall and access control list (ACL) present to prevent unintended network connections from being made and maintained. Firewalls and ACLs, when properly configured, can be used to drop packets and block undesired data flows.\n\n<u>Note</u>: Any change to this firewall and ACL rules should be logged for future audits (*MID-017 - Security-relevant Auditing and Logging*) and authenticated to prevent threat actor tampering (*MID-018 - Require Authentication for Privileged Functions*).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 5.1 \u2013 Network segmentation",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-083",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] E. Amoany. \u201cHow to configure a firewall on Linux with firewalld.\u201d redhat.com. Accessed: Apr. 14, 2025. \\[Online.\\] Available: <https://www.redhat.com/en/blog/firewalld-linux-firewall>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--13021d0e-8cb2-4d94-8f97-c3e8ff2437d3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.067805Z",
            "modified": "2025-04-21T14:20:07.067805Z",
            "name": "Restrict Sensitive Data from Logs",
            "description": "Device logs should not contain information that would be overly beneficial to a threat actor if they were to obtain them. For example, logging user-input password attempts in cleartext, private certificates in cleartext, full path names, core-dumps or process debug messages, or PII could give threat actors the ability to escalate their attack. Device logs should instead contain only information that is necessary for detecting malicious behavior on the device or auditing.\n\nOne way to do this would be to log usernames and limited related user-information, along with the action that the user took, but not necessarily all the information associated with that action or user. For example, a device could log that a user attempted to sign-in to the device from a given IP address, but not what password they used. Another example could be logging that a new public/private certificate by a given user in a given file, but not necessarily the private key itself associated with the action.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 4.1 \u2013 Information confidentiality",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-084",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] CQR. \u201cInformation Leakage through Debug Information.\u201d cqr.company. Accessed: Mar. 11. 2025. \\[Online\\]. Available: <https://cqr.company/web-vulnerabilities/information-leakage-through-debug-information/>\n\n\\[2\\] OWASP. \u201cLogging Cheat Sheet.\u201d owasp.org. Accessed: Mar. 11. 2025. \\[Online\\]. Available: <https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--f98ba543-b89b-4533-b4bd-6bda268cc1ea",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.068023Z",
            "modified": "2025-04-21T14:20:07.068023Z",
            "name": "Export Logs Over the Network Off of Device",
            "description": "Exporting logs over the network to a network-accessible server can decrease the ability for threat actors to impact device owner/defender via log manipulation. For example, a threat actor that can manipulate logs on the device after they are logged and placed into an on-device database will not necessarily be able to manipulate the logs that are sent over the network, as long as they are sent before they can be edited by a user in the database. Therefore, threat actors that are trying to hide their tracks or confuse defenders looking at these logs will not be able to completely blind defenders to the actions on their device. Also, by storing logs on a separate server, device owners can cross-reference on-device logs with server-stored logs to check for discrepancies during routine or automated device audits. A discrepancy will likely lead to the discovery of device failure or malicious behavior.\n\n<u>Consideration</u>: Sending data over the network to be logged comes with non-security engineering tradeoffs. One benefit is that by logging data over the network devices don\u2019t have to worry about on-device storage limitations. The device can store a limited number of relevant logs (say, the past 200 events) and the rest of the historical data can be viewed on the logging server. Some downsides of remote logging though include having to worry about network bandwidth capabilities, available processing power, and battery life. However, some IoT platforms-as-a-service have features that can make the logging and storing of logs process easier.\n\n<u>Note</u>: Exporting logs over the network will mean that the device has property *PID-41: Device exposes remote network services*, and therefore the device should take into account threats related to PID-41 and its applicable sub-properties.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR 6.1 \u2013 Audit log accessibility\n\n- CR 3.9 \u2013 Protection of audit information",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-085",
            "x_mitre_emb3d_mitigation_maturity": "foundational",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] C. Binnie. \u201cRemote Logging With Syslog, Part 1: The Basics.\u201d linux.com. Accessed: Mar. 11. 2025. \\[Online\\]. Available: <https://www.linux.com/topic/networking/remote-logging-syslog-part-1-basics/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--5b76f672-de71-4c9c-9d13-b8a7ae4d6b20",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.068241Z",
            "modified": "2025-04-21T14:20:07.068241Z",
            "name": "Hardware Enforcement of Memory Access",
            "description": "A lack of authenticating program memory accesses, coupled with insecure code, can give threat actors near total control over a program or machine. Threat actors can gain this control by acquiring the ability to change memory locations that a given pointer points to, manipulate return addresses that functions are jumping to (such as in a ROP attack), or alter underlying memory itself from otherwise forbidden processes.\n\nAuthenticating program memory access using hardware backed features, such as hardware-backed capabilities, can prevent this behavior. Capabilities are a way to address memory where pointers are replaced with a new data structure, called a capability, that holds both an address and access rights metadata such as read/write permissions and permissible memory bounds. This is sometimes done by physically extending register space, or by creating abstracted virtual registers consisting of 2 physical registers.\n\nCapabilities can give an operating system memory bounds checking, memory access control, and pointer integrity checking. In the event that one of these protections are violated, the program will trap to the OS or will throw a well-defined error. Backing this enforcement in hardware involves extending these protections through methods like extending physical memory address registers, to give extra room for the capability metadata, or enforcing the memory accesses using dedicated instructions or processors so they cannot be changed in software.\n\nOne example of this can be seen by the Capability Hardware Enhanced RISC Instructions (CHERI) capability model. CHERI achieves memory protection by using a capability coprocessor, which defines compiler-managed capability registers, and tagged memory, which protects in-memory capabilities. OSes then leverage both of these features with some custom instructions (called the CHERI ISA) to implement hardware-backed capability addressing. 
CHERI enables the enforcement of these memory addresses by having the OS tag the physical memory address register before it is translated to a virtual memory address, ensuring that the register address cannot be tampered with after creation. The OS can then use the dedicated CHERI instructions to check that a given memory access matches the permissions found in the capability metadata. If the check is successful, then the access continues, otherwise, the OS will reject the access and fail gracefully.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- SAR / EDR / HDR / NDR 3.2 \u2013 Protection from malicious code",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-086",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] T. Chen, D. Chisnall. \u201cPointer Tagging for Memory Safety.\u201d microsoft.com. Accessed: Mar. 24, 2025. \\[Online.\\] Available: <https://www.microsoft.com/en-us/research/wp-content/uploads/2019/07/Pointer-Tagging-for-Memory-Safety.pdf?msockid=0bde5114a7906acf2a4f44ada6ab6bb4>\n\n\\[2\\] J. Woodruff, R. Watson, D. Chisnall, S. Moore, J. Anderson, B. Davis, B. Laurie, P. Neumann, R. Norton, M. Roe. \u201cThe CHERI capability model: Revisiting RISC in an age of risk.\u201d ac.uk. Accessed: Apr. 09, 2025. \\[Online.\\] Available: <https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201406-isca2014-cheri.pdf>\n\n\\[3\\] D. Chisnall. \u201cCHERI Myths: CHERI is incompatible with safety-critical systems.\u201d cheriot.org. Accessed: Mar. 24, 2025. \\[Online.\\] Available: <https://cheriot.org/cheri/myths/2024/11/25/cheri-myths-safety-critical.html>\n\n\\[4\\] CheriBSD. \u201cCheriBSD.\u201d www.cheribsd.org. Accessed: Apr. 14, 2025. \\[Online.\\] Available: <https://www.cheribsd.org/>\n\n\\[5\\] D. Chisnall. \u201cCHERIoT Programmers\u2019 Guide.\u201d cheriot.org. Accessed: Mar. 24, 2025. \\[Online.\\] Available: <https://cheriot.org/book/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--b83d4f63-c6d8-4482-be54-9ce8d77c7168",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.06847Z",
            "modified": "2025-04-21T14:20:07.06847Z",
            "name": "Utilization of Formally Verified OS (Micro-)Kernels",
            "description": "Formal verification is the process of proving, typically with an aid of automated or semi-automated tooling, that a particular code module or function satisfies the desired requirements. Depending on the size and complexity of the code to be verified, formal verification can be a time-consuming effort requiring significant expertise. One way developers to leverage formal verification at lower cost is to use pre-existing code that has already been formally verified.\n\nCritical security functions of a device\u2019s OS kernel that have undergone formal verification have been inter-process communication (IPC), hardware interactions, managing the kernel stack and data spaces, handling process interrupts, and more. One example of a formally verified microkernel is seL4, whose implementation on ARM and RISCV64 has proofs demonstrating that the proper use of the kernel will enforce integrity and confidentiality, which are core security properties. What this means in the case of seL4 is that the kernel will always operate in a predictable way in accordance with its specification, and never in any other way. Since its specification guarantees process separation and inter-process tamper protection, users can be sure that this will never occur on their kernel.\n\nWhile formally verified microkernels can be used as traditional kernels, with userspace processes running on top of the kernel, they can also be used as a hypervisor for the device. When used as a hypervisor, the microkernel will run a virtualized environment as a dedicated set of processes, with the virtualized environment likely having its own kernel and userspace. 
This allows for a more traditional operating system to be run on devices using microkernels in instances where the traditional OS\u2019s functionality is required, but with the added benefit of isolating the environment from other processes on the device (such as other virtual environments or dedicated processes).\n\n<u>Limitations</u>: Only properties that were scoped into the formal OS kernel specification, verification, and/or generator can be guaranteed to be in the resulting OS kernel, and only for the versions of a kernel compiled with specific configuration options and when running on specific hardware configurations. Kernels like seL4 often have a number of optional features and can run on hardware configurations that would invalidate the formal proof. Users will need carefully check the assumptions.\n\n<u>Limitations</u>: While a formally verified kernel would ensure certain properties (such as information flow isolation), these will need to be meaningfully leveraged in the system design in order to provide the desired value. For example, a system design that places all software into a single userspace partition under seL4 would not benefit from seL4\u2019s theoretical capability to isolate partitions. Another design that sets up two partitions but then creates channels allowing the two partitions to communicate in unrestricted fashion, would not fare much better.\n\n<u>Consideration:</u> A strong design would often combine a formally verified microkernel, isolating critical functionality into separate partitions, then making sure the code in those partitions is itself formally verified (see MID-089), or at least implemented using a memory-safe programming language (see MID-005) with cross-partition and external communication channels filtered by formally verified parsers (see MID-088).",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- None",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-087",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] seL4 Project a Series of LF Projects, LLC. \u201cThe seL4 Microkernel.\u201d sel4.systems. Accessed: Mar. 18, 2025. \\[Online\\]. Available: <https://sel4.systems/>\n\n\\[2\\] K. Fisher, J. Launchbury, R. Richards. \u201cThe HACMS program: Using formal methods to eliminate exploitable bugs.\u201d royalsocietypublishing.org. Accessed: Mar. 18, 2025. Available: <https://royalsocietypublishing.org/doi/10.1098/rsta.2015.0401>\n\n\\[3\\] What is Proved and What is Assumed. sel4.systems. Accessed: Mar. 18, 2025. \\[Online\\]. Available: <https://sel4.systems/Info/FAQ/proof.html>\n\n\\[4\\] G. Heiser. \u201cThe seL4 Microkernel An Introduction.\u201d sel4.systems. Accessed: Mar. 18, 2025. Available: <https://sel4.systems/About/seL4-whitepaper.pdf>\n\n\\[5\\] M. Doran, N. Kandalaft. \u201cEmbedded Virtualization on RISC-V with seL4\u201d ieee.org. Accessed: Mar. 18, 2025. Available: <https://ieeexplore.ieee.org/document/10316016/>"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--963b5636-3c18-4653-8866-012a1bbfe6e3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.068708Z",
            "modified": "2025-04-21T14:20:07.068708Z",
            "name": "Formally Verified Parsers",
            "description": "Parsers frequently have vulnerabilities that threat actors can exploit with malicious inputs. These can include parsers for the network protocol messages being ingested and/or the underlying data contained in that protocol, such as an incoming file, document, or other structured payloads. Exploits may take advantage of memory issues such as double-fetch memory calls, buffer overflows, and array out-of-bounds accesses. Another common weakness is a so-called \u201cparser differentials\u201d, where the attacker can exploit mismatches in behavior between two parsers for the same language. To avoid the presence of vulnerabilities, parser creators can use formal verification to ensure the functional correctness of the parsers with regard to a particular formal definition of the format.\n\nIn general, formal verification is the process of proving, typically with an aid of automated or semi-automated tooling, that a particular code module or function satisfies the desired requirements. Depending on the size and complexity of the code to be verified, formal verification can be a time-consuming effort requiring significant expertise. One way for developers to leverage formal verification at lower cost is to use pre-existing code and libraries that has already been formally verified, or to leverage tooling that can generate \u201ccorrect-by-construction\u201d code from specifications.\n\nFortunately, formally verified parser generators already exist. In addition to ensuring correctness, the formal verification of parsers typically provides significant security guarantees, such as guaranteeing memory and type safety, and preventing deadlock states and crashes. As a result, parser implementors and users can be sure that they will not have bugs or vulnerabilities in their code. Formally verified parsers therefore can be trusted to reject improperly structured inputs as defined by the parser specification. 
For example, they can be trusted to not have buffer overflows that could cause arbitrary code execution vulnerabilities when verified with respect to memory safety. Moreover, formally verified parsers can be trusted to produce a well-formed output, where each data item would have the expected size and type, thereby protecting downstream code from the effects of malicious inputs.\n\nA best practice to create trustworthy network parsers is by using formally verified parser generators that will either use formal tooling to prove their output correct, or have already been verified to always produce correct results. Generally, use of these generators involves creating a specification to describe a protocol and then feeding that specification through the generator. The generator will output usable code, assembly, and/or binaries. By having developers only create a specification, but not actually write code themselves, assurances can be provided that the final code has undergone the formal verification process and is functionally correct with regard to the specified format. Therefore, it will be free of any potential for undefined behaviors, no matter how malicious the input. Often the same protocol formal specification can be used to generate parsers in different programming languages for multiple environments, helping to ensure that different implementations will act consistently and eliminating the potential for parser differential vulnerabilities.\n\n<u>Considerations</u>: Unlike most other uses of formal methods, the use of formally verified parser generators typically does not require any special expertise. It does however require capturing the target format(s) in a formal (mathematically precise) definition, which can sometimes be fulfilled in a specification for a generator. 
While this process can be time-consuming, it can typically be a beneficial action in its own right, as it removes any ambiguities that are almost certainly present in any less-formal specifications, such as those written in natural languages.\n\n<u>Limitations</u>: Only properties that were scoped into the specification and/or generator verification of the parser can be guaranteed to be in the resulting parser. Errors and vulnerabilities may still occur on the boundary of the formally verified code. If any changes, even seemingly trivial ones, are made to the generated code (such as to optimize performance), all guarantees provided by the formal methods tooling are invalidated.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- CR \u2013 3.5 Input Validation",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-088",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] T. Ramananandro. A. Rastogi, N. Swamy. \u201cEverParse: Hardening critical attack surfaces with formally proven message parsers.\u201d microsoft.com. Accessed: Mar. 18, 2025. Available: https://www.microsoft.com/en-us/research/blog/everparse-hardening-critical-attack-surfaces-with-formally-proven-message-parsers/\\[2\\] D. Wallach. \u201cSafeDocs: Safe Documents.\u201d darpa.mil. Accessed: Apr. 01, 2025. Available: <https://www.darpa.mil/research/programs/safe-documents>\n\n\\[3\\] S. Ali and S. W. Smith, \"A Survey of Parser Differential Anti-Patterns,\"\u00a0*2023 IEEE Security and Privacy Workshops (SPW)*, San Francisco, CA, USA, 2023, pp. 105-116, doi: 10.1109/SPW59333.2023.00016.\n\n\\[4\\] H. Foster. \u201cFormal Verification.\u201d verificationacademy.com. Accessed: Mar. 18, 2025. Available: https://verificationacademy.com/topics/formal-verification/\n\n\\[5\\] Y. Cai. \u201cVest.\u201d github.com. Accessed: Mar. 18, 2025. Available: https://github.com/secure-foundations/vest?tab=readme-ov-file"
        },
        {
            "type": "course-of-action",
            "spec_version": "2.1",
            "id": "course-of-action--eb00fda7-b38d-47c8-ae7c-08e6fbb7d27b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.068944Z",
            "modified": "2025-04-21T14:20:07.068944Z",
            "name": "Formal Methods Verification of Critical Functionality Implementation",
            "description": "In general, formal verification is the process of proving, typically with the aid of automated or semi-automated tooling, that a particular code module or function satisfies the desired requirements. Depending on the size and complexity of the code to be verified, formal verification can be a time-consuming effort requiring significant expertise. In general, it is significantly easier to verify code that was explicitly designed with formal verification in mind.\n\nFormal verification is capable of eliminating broad classes of software bugs and vulnerabilities, providing otherwise-unprecedented levels of certainty in software correctness and security. By forcing software designers to consider the implications of their design decisions, the use of formal methods often leads to \u201ccleaner\u201d, more maintainable designs. In attempting to prove that a property holds, formal verification forces developers to confront and fix all the reasons the property might be violated early in the software development process, eliminating costly rework that would have been needed had the errors been left undetected much further into the system development timeline.\n\nA general approach to considering formal verification for a particular system may be outlined as follows. First, what are the most critical functions in the system that are particularly important to implement correctly in order to achieve the desired system-level goals? Note that this may include the functions directly producing the end-goal functionality for the system, the protection mechanisms for end-goal functionality, or something else. Second, are there existing formally verified implementations (see MID-087) or tools (see MID-088) for that functionality that can be leveraged? If not, what is the formal tooling that may be necessary for establishing the desired properties of the implementations \u2013 model-based code synthesis tools, model checkers, interactive theorem provers, or something else? From there, the process often becomes use-case specific, necessitating inputs from domain experts and formal verification experts to choose the right path forward.\n\n<u>Consideration:</u> A strong design will often combine a formally verified microkernel (see MID-087) with isolating critical functionality into separate partitions, making sure the code in those partitions is itself formally verified as discussed above, and ensuring cross-partition and external communication channels are filtered by formally verified parsers (see MID-088).\n\n<u>Limitations</u>: Only properties that were scoped into the formal specification, verification, and/or generator can be guaranteed to carry through into the resulting implementation. Users need to make sure their specifications are complete enough and specific enough to exclude all undesired behaviors. Additionally, users should be aware of the assumptions made in the definition of the specification, as any violation of those assumptions would invalidate the proofs and make any conclusions drawn from the formal verification inapplicable.",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_mitigation_IEC_62443_mappings": "- None",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_mitigation_id": "MID-089",
            "x_mitre_emb3d_mitigation_maturity": "leading",
            "x_mitre_emb3d_mitigation_references": "\\[1\\] Aijaz Fatima. \u201cIntroduction to Formal Verification\u201d. May, 2019. \\[online\\] Accessed: Apr 15, 2025. Available: <https://www.eeweb.com/introduction-to-formal-verification/>\n\n\\[2\\] K. Fisher, J. Launchbury, R. Richards. \u201cThe HACMS program: Using formal methods to eliminate exploitable bugs.\u201d royalsocietypublishing.org. Accessed: Mar. 18, 2025. Available: <https://royalsocietypublishing.org/doi/10.1098/rsta.2015.0401>\n\n\\[3\\] Courtney Albon. \u201cDARPA touts \u2018formal methods\u2019 for nipping cyber disasters in the bud\u201d. Defense News, Feb 21, 2025. \\[online\\] Accessed: Apr 15, 2025. Available: <https://www.defensenews.com/pentagon/2025/02/21/darpa-touts-formal-methods-for-nipping-cyber-disasters-in-the-bud/>"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--3adb4c93-94f3-4225-8143-e9f1662e9890",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.104894Z",
            "modified": "2025-04-21T14:20:07.104894Z",
            "name": "Device includes a microprocessor",
            "category": "Hardware",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-11"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--90355a0d-2436-492a-b12d-d6ff225e147b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105053Z",
            "modified": "2025-04-21T14:20:07.105053Z",
            "name": "Device includes Memory/Storage (external to CPU)",
            "category": "Hardware",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-12"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--137cfbd1-5448-4004-80e4-c91d64b6908d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.10514Z",
            "modified": "2025-04-21T14:20:07.10514Z",
            "name": "Device includes buses for external memory/storage",
            "category": "Hardware",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-121"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--7ba10f14-1478-415b-92b5-48ee38b343ef",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105242Z",
            "modified": "2025-04-21T14:20:07.105242Z",
            "name": "Device includes discrete chips/devices that have access to the same physical memory",
            "category": "Hardware",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-122"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--bc01054b-a804-48bd-bb5a-52d5c9134a4f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105316Z",
            "modified": "2025-04-21T14:20:07.105316Z",
            "name": "Device includes ROM, VRAM, or removable Storage",
            "category": "Hardware",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-123"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--3639c98e-9721-47b2-b13f-1ab86857b825",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105387Z",
            "modified": "2025-04-21T14:20:07.105387Z",
            "name": "Device includes Random Access Memory (RAM) chips",
            "category": "Hardware",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-124"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--7b5204f1-e1e5-48b6-be43-5d38cc64c276",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105457Z",
            "modified": "2025-04-21T14:20:07.105457Z",
            "name": "Device includes DDR DRAM",
            "category": "Hardware",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-1241"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--f85a5f48-65c1-46a6-9f5c-9d9349b0f4b6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105526Z",
            "modified": "2025-04-21T14:20:07.105526Z",
            "name": "Device includes peripheral chips and integrated data buses",
            "category": "Hardware",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-13"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--b8abad02-1595-4988-ac53-c8c8074b3491",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105594Z",
            "modified": "2025-04-21T14:20:07.105594Z",
            "name": "Device includes external peripheral interconnects (e.g., USB, Serial)",
            "category": "Hardware",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-14"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--d83557da-438c-42e1-818e-f17c40749e71",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105661Z",
            "modified": "2025-04-21T14:20:07.105661Z",
            "name": "Device includes a hardware access port (e.g., UART, JTAG)",
            "category": "Hardware",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-15"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--917b0744-5525-4770-b5d1-4a2b4beef091",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105728Z",
            "modified": "2025-04-21T14:20:07.105728Z",
            "name": "Device includes a bootloader",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-21"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--10cde7df-03e8-4b4a-af42-b54ce7d83306",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105797Z",
            "modified": "2025-04-21T14:20:07.105797Z",
            "name": "Device includes debugging capabilities",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-22"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--19829b9d-aef5-413b-a417-00a4be77b853",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105862Z",
            "modified": "2025-04-21T14:20:07.105862Z",
            "name": "Device includes OS/kernel",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-23"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--815ca225-8476-4fad-b768-e34a9e4f58cc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105928Z",
            "modified": "2025-04-21T14:20:07.105928Z",
            "name": "Device includes an operating system that uses drivers/modules that can be loaded",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-231"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--998a734a-dd67-4b2d-9ed6-db3ddc4c8dbe",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.105993Z",
            "modified": "2025-04-21T14:20:07.105993Z",
            "name": "Device includes separate users/processes with access to different OS data or functions",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-232"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--a9e8e3a2-9fbe-43d3-8ced-39226f4e1e0b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106059Z",
            "modified": "2025-04-21T14:20:07.106059Z",
            "name": "Device lacks an access enforcement/privilege mechanism",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-2321"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--5839bf34-03de-47df-976f-fb4114ac48e7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106125Z",
            "modified": "2025-04-21T14:20:07.106125Z",
            "name": "Device deploys an access enforcement/privilege mechanism",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-2322"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--fa1c0391-b2a7-4620-8447-46cf966e45a1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.10619Z",
            "modified": "2025-04-21T14:20:07.10619Z",
            "name": "Device includes and enforces OS user accounts",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-23221"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--accec923-0fd1-47f4-ab96-edb3c09eb98f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106261Z",
            "modified": "2025-04-21T14:20:07.106261Z",
            "name": "Device includes a memory management model, including protections of memory access (read-only, executable, writable)",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-23222"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--b411bc9c-a8ed-4798-9fb3-59e8c48186e2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106326Z",
            "modified": "2025-04-21T14:20:07.106326Z",
            "name": "Device includes virtualization and containers",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-24"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--413aeec9-69ab-4a48-ac7c-1379163bb504",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106392Z",
            "modified": "2025-04-21T14:20:07.106392Z",
            "name": "Device includes containers",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-241"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--aff6155a-d857-4442-980b-8826d15e7023",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106456Z",
            "modified": "2025-04-21T14:20:07.106456Z",
            "name": "Device includes hypervisor",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-242"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--8baa050c-e523-4e31-9a64-583e29dc6c91",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106521Z",
            "modified": "2025-04-21T14:20:07.106521Z",
            "name": "Device includes software/hardware root of trust",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-25"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--71750a72-94b6-47f4-963b-1ecd0a3516ce",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106587Z",
            "modified": "2025-04-21T14:20:07.106587Z",
            "name": "Root of Trust is physically accessible or is not immutable",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-251"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--21f48c54-8b40-4d82-9e08-cef9018b9134",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106657Z",
            "modified": "2025-04-21T14:20:07.106657Z",
            "name": "Root of Trust is immutable",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-252"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--465d36ea-0218-4b90-9656-8da8e57e2472",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106726Z",
            "modified": "2025-04-21T14:20:07.106726Z",
            "name": "Device lacks firmware/software update support",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-26"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--48538012-7cc5-49c0-bdee-757b53654a81",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106793Z",
            "modified": "2025-04-21T14:20:07.106793Z",
            "name": "Device includes support for firmware/software updates",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-27"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--ba633348-d58e-45b6-82c8-9a78e2469777",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106859Z",
            "modified": "2025-04-21T14:20:07.106859Z",
            "name": "Device has firmware or software that is not cryptographically checked for integrity validation",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-271"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--2c01a6aa-7cdf-486d-af99-900294a4fe8b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.106924Z",
            "modified": "2025-04-21T14:20:07.106924Z",
            "name": "Device includes cryptographic firmware/software integrity protection mechanisms",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-272"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--b5a35dc5-8153-4b33-a438-2274784af902",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107002Z",
            "modified": "2025-04-21T14:20:07.107002Z",
            "name": "Device includes a shared key for firmware integrity validation",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-2721"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--20883961-33b9-4114-99f9-e2f3ec449708",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107068Z",
            "modified": "2025-04-21T14:20:07.107068Z",
            "name": "Device includes digitally signed firmware (with private key)",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-2722"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--ad05046b-119d-4b4a-b0d2-079019124339",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107138Z",
            "modified": "2025-04-21T14:20:07.107138Z",
            "name": "Device has unencrypted firmware updates",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-273"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--5476bc8c-82ae-422e-939d-32d5f039eeb1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107209Z",
            "modified": "2025-04-21T14:20:07.107209Z",
            "name": "Device includes user firmware/software version selection during updates",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-274"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--02e48419-b367-4882-bf01-23eb88acc335",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107273Z",
            "modified": "2025-04-21T14:20:07.107273Z",
            "name": "Device includes remotely-initiated firmware/software updates",
            "category": "System Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-275"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--db6d37e5-9918-45f1-9328-f1ef45565f31",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107338Z",
            "modified": "2025-04-21T14:20:07.107338Z",
            "name": "Device stores logs of system events and information",
            "category": "System Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-28"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--084f8146-e126-46a7-9dc3-b01fd6f45118",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107409Z",
            "modified": "2025-04-21T14:20:07.107409Z",
            "name": "Application-level software is present and running on the device",
            "category": "Application Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-31"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.10748Z",
            "modified": "2025-04-21T14:20:07.10748Z",
            "name": "Device includes the usage of web/HTTP applications",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-311"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--814af71a-dfa8-4434-bef2-99df781b154a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107545Z",
            "modified": "2025-04-21T14:20:07.107545Z",
            "name": "Device includes programming languages and libraries",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-312"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--41b86b81-99c8-438c-8e3d-aea2df315048",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107609Z",
            "modified": "2025-04-21T14:20:07.107609Z",
            "name": "Device includes support for object oriented programming languages (e.g., Java, Python, PHP, C++)",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-3121"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--102fb091-49d4-49f7-907a-164c9518504d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107675Z",
            "modified": "2025-04-21T14:20:07.107675Z",
            "name": "Device includes support for manual memory management programming languages (e.g. C, C++)",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-3122"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--7c36ce58-fc74-491c-9d87-64d46c93dedb",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107749Z",
            "modified": "2025-04-21T14:20:07.107749Z",
            "name": "Device includes the ability to deploy custom or external programs (e.g., ladder logic, compiled binaries)",
            "category": "Application Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-32"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--165dfa3a-8f68-4f14-bbeb-a7e7077b7532",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107813Z",
            "modified": "2025-04-21T14:20:07.107813Z",
            "name": "Device includes ability to deploy custom programs from engineering software or IDE",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-321"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--6873f6c6-609a-468f-a9d5-76a0bd106930",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107879Z",
            "modified": "2025-04-21T14:20:07.107879Z",
            "name": "Device includes a program runtime environment for custom or external programs",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-322"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--d6b1247b-c6a3-4ac6-8883-541da9a7dcc7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.107947Z",
            "modified": "2025-04-21T14:20:07.107947Z",
            "name": "Device includes support for program executable formats",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-323"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--2ff2030f-ac28-4a68-8367-9e8429d7ca62",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108014Z",
            "modified": "2025-04-21T14:20:07.108014Z",
            "name": "Device includes ability to run custom/external programs as native binary without a confined/restricted environment",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-3231"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--84b99f68-0464-4bdb-9618-8f5d5ee8218d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108079Z",
            "modified": "2025-04-21T14:20:07.108079Z",
            "name": "Device includes ability to run custom/external programs/processes through an execution sandboxed environment",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-3232"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--c485cdcf-061d-4959-bd84-b5e917755121",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108145Z",
            "modified": "2025-04-21T14:20:07.108145Z",
            "name": "Device includes support for \"program uploads\" to retrieve programs from the device from an engineering workstation",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-324"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--e810ca8f-47e2-4841-922b-678ffa47862c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108209Z",
            "modified": "2025-04-21T14:20:07.108209Z",
            "name": "Device includes interactive applications, services, or user interfaces",
            "category": "Application Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-33"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--2977754e-3e27-4961-9e81-0e4dec4a5dda",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108275Z",
            "modified": "2025-04-21T14:20:07.108275Z",
            "name": "Device includes unauthenticated services",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-331"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.10834Z",
            "modified": "2025-04-21T14:20:07.10834Z",
            "name": "Device includes authenticated services",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-332"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--5af30150-0e78-40d0-b8f3-7b0f593e02ad",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108404Z",
            "modified": "2025-04-21T14:20:07.108404Z",
            "name": "Device includes passwords to authenticate the users",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-3321"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--8ee39f7b-bcd8-40c4-b51c-8d76b1d06fcc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108475Z",
            "modified": "2025-04-21T14:20:07.108475Z",
            "name": "Device includes cryptographic mechanism to authenticate users and sessions",
            "category": "Application Software",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-3322"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--bf4c9847-ef34-4382-8def-3ec5273ae5de",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108539Z",
            "modified": "2025-04-21T14:20:07.108539Z",
            "name": "Device stores logs of application events and information",
            "category": "Application Software",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-34"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108605Z",
            "modified": "2025-04-21T14:20:07.108605Z",
            "name": "Device exposes remote network services",
            "category": "Networking",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-41"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--3d09f49f-e07a-4bc5-9d96-6c26252103e9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.10867Z",
            "modified": "2025-04-21T14:20:07.10867Z",
            "name": "Device exposes remote services with the ability to send, receive, view or modify sensitive information or configurations",
            "category": "Networking",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-411"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--81a41f54-32ce-43fe-aa92-fd364722a028",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108735Z",
            "modified": "2025-04-21T14:20:07.108735Z",
            "name": "Device lacks protocol support for message authentication",
            "category": "Networking",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-4111"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--f9ef47ac-0b44-498e-b15d-370fdfd65b9d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.1088Z",
            "modified": "2025-04-21T14:20:07.1088Z",
            "name": "Device lacks protocol support for message encryption",
            "category": "Networking",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-4112"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108872Z",
            "modified": "2025-04-21T14:20:07.108872Z",
            "name": "Device includes cryptographic functions for sensitive data, such as encryption or authentication",
            "category": "Networking",
            "is_subproperty": true,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-4113"
        },
        {
            "type": "x-mitre-emb3d-property",
            "spec_version": "2.1",
            "id": "x-mitre-emb3d-property--96b75bc0-f81a-439c-b3b7-e48bb4bca882",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.108937Z",
            "modified": "2025-04-21T14:20:07.108937Z",
            "name": "Device includes procedure to forward or route network messages",
            "category": "Networking",
            "is_subproperty": false,
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0",
            "x_mitre_emb3d_property_id": "PID-42"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c2cf4c9a-c50f-4532-9b67-b83f14c5090a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109011Z",
            "modified": "2025-04-21T14:20:07.109011Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eeeb5034-b1a9-4abe-a58d-20415b75591f",
            "target_ref": "vulnerability--03c1db93-d257-45c7-a37d-1342f1247fc3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a7941b68-c08d-4e77-a532-3daf2bd5efba",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109186Z",
            "modified": "2025-04-21T14:20:07.109186Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eeeb5034-b1a9-4abe-a58d-20415b75591f",
            "target_ref": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--78ee1b8e-99a2-4b0f-8060-79974befd0ea",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109269Z",
            "modified": "2025-04-21T14:20:07.109269Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eeeb5034-b1a9-4abe-a58d-20415b75591f",
            "target_ref": "vulnerability--2ef9b3dd-19aa-40b0-9c4c-e2a4aef35b85",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--91a19664-286b-488e-877c-63d99507447a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109348Z",
            "modified": "2025-04-21T14:20:07.109348Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eeeb5034-b1a9-4abe-a58d-20415b75591f",
            "target_ref": "vulnerability--99b03309-3996-4e49-9500-1ed7a700d9cd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9452041c-2fb1-4cf1-987d-70a3d678b6bc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109425Z",
            "modified": "2025-04-21T14:20:07.109425Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eeeb5034-b1a9-4abe-a58d-20415b75591f",
            "target_ref": "vulnerability--ed320462-9747-416e-a3f5-109ebe7ce514",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fed1f93f-3d83-40e3-b4cc-9fb811592e3c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109498Z",
            "modified": "2025-04-21T14:20:07.109498Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eeeb5034-b1a9-4abe-a58d-20415b75591f",
            "target_ref": "vulnerability--635d9915-c996-4044-ad11-1ce3eaec8a1c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--daf17d89-3e2e-4761-99ee-6e14b9bf93c6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109574Z",
            "modified": "2025-04-21T14:20:07.109574Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8587ab09-1a39-4f81-b96f-820dff3ae1e4",
            "target_ref": "vulnerability--03c1db93-d257-45c7-a37d-1342f1247fc3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--799021ae-1dbe-44b8-a665-bbd7da18be63",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109646Z",
            "modified": "2025-04-21T14:20:07.109646Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8587ab09-1a39-4f81-b96f-820dff3ae1e4",
            "target_ref": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c8f3116f-5d3f-42f8-8a0e-9a26126f53d9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109728Z",
            "modified": "2025-04-21T14:20:07.109728Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8587ab09-1a39-4f81-b96f-820dff3ae1e4",
            "target_ref": "vulnerability--2ef9b3dd-19aa-40b0-9c4c-e2a4aef35b85",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--319d67a0-4e4b-4c7e-941e-689c690e7f1c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.1098Z",
            "modified": "2025-04-21T14:20:07.1098Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8587ab09-1a39-4f81-b96f-820dff3ae1e4",
            "target_ref": "vulnerability--99b03309-3996-4e49-9500-1ed7a700d9cd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--eef75af4-2e88-4e5e-9bc0-6c3179cfee25",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109872Z",
            "modified": "2025-04-21T14:20:07.109872Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8587ab09-1a39-4f81-b96f-820dff3ae1e4",
            "target_ref": "vulnerability--ed320462-9747-416e-a3f5-109ebe7ce514",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--be6e0e6b-decc-444d-b856-bbbbb2cc7d4c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.109948Z",
            "modified": "2025-04-21T14:20:07.109948Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8587ab09-1a39-4f81-b96f-820dff3ae1e4",
            "target_ref": "vulnerability--635d9915-c996-4044-ad11-1ce3eaec8a1c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2c33cae3-75f4-4ac4-adad-73b110b2f86f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110021Z",
            "modified": "2025-04-21T14:20:07.110021Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ccb74d86-53ad-4e13-a10b-1434b74d3d73",
            "target_ref": "vulnerability--03c1db93-d257-45c7-a37d-1342f1247fc3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e36a5533-de15-45d3-bfa8-dc83a498b903",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110093Z",
            "modified": "2025-04-21T14:20:07.110093Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ccb74d86-53ad-4e13-a10b-1434b74d3d73",
            "target_ref": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--55ab2545-0636-4473-9d1f-a4b51d5e161b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110164Z",
            "modified": "2025-04-21T14:20:07.110164Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ccb74d86-53ad-4e13-a10b-1434b74d3d73",
            "target_ref": "vulnerability--99b03309-3996-4e49-9500-1ed7a700d9cd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c4e14dc0-be84-44b2-a3ff-fd5586e2d540",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110235Z",
            "modified": "2025-04-21T14:20:07.110235Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ccb74d86-53ad-4e13-a10b-1434b74d3d73",
            "target_ref": "vulnerability--ed320462-9747-416e-a3f5-109ebe7ce514",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f48ac029-13e9-43d6-a7fd-2d00f37b0fbd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110306Z",
            "modified": "2025-04-21T14:20:07.110306Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ccb74d86-53ad-4e13-a10b-1434b74d3d73",
            "target_ref": "vulnerability--635d9915-c996-4044-ad11-1ce3eaec8a1c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5fcf53b0-6d5d-4481-a650-05e226da284b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110377Z",
            "modified": "2025-04-21T14:20:07.110377Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ccb74d86-53ad-4e13-a10b-1434b74d3d73",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--abdd27e2-afaa-41d0-b073-a441399cf04c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110459Z",
            "modified": "2025-04-21T14:20:07.110459Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ba6a22e5-ad39-465a-8de5-e407f504c64d",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--484bbdd5-e968-4ed7-9cc3-63ed2f004a7c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110531Z",
            "modified": "2025-04-21T14:20:07.110531Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ba6a22e5-ad39-465a-8de5-e407f504c64d",
            "target_ref": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2b50634b-c9c8-46c8-b535-1b26c6887b57",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110603Z",
            "modified": "2025-04-21T14:20:07.110603Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ba6a22e5-ad39-465a-8de5-e407f504c64d",
            "target_ref": "vulnerability--b45b01bc-d3ea-42c7-b4c7-9e37f87e86b4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a26deeac-d170-45aa-8b8a-301be1340df9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110674Z",
            "modified": "2025-04-21T14:20:07.110674Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ba6a22e5-ad39-465a-8de5-e407f504c64d",
            "target_ref": "vulnerability--55121d60-3cc2-409b-9168-7e855dbc7404",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--01069fe1-8e19-4a00-a342-9d06c3c152e2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110745Z",
            "modified": "2025-04-21T14:20:07.110745Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9523218d-4c1f-46e9-8f85-ed105bf1a3a8",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--31223194-8fad-4407-a9c6-6fee2da108cf",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110816Z",
            "modified": "2025-04-21T14:20:07.110816Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9523218d-4c1f-46e9-8f85-ed105bf1a3a8",
            "target_ref": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8c2fc6a0-a43e-4ad7-b66c-5601171d4ac5",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110894Z",
            "modified": "2025-04-21T14:20:07.110894Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9523218d-4c1f-46e9-8f85-ed105bf1a3a8",
            "target_ref": "vulnerability--b45b01bc-d3ea-42c7-b4c7-9e37f87e86b4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--79d621fa-7c69-4582-bf0a-13b7edd5edf8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.110965Z",
            "modified": "2025-04-21T14:20:07.110965Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9523218d-4c1f-46e9-8f85-ed105bf1a3a8",
            "target_ref": "vulnerability--55121d60-3cc2-409b-9168-7e855dbc7404",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8a3365eb-5311-4700-9329-00e3d0cc38eb",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111036Z",
            "modified": "2025-04-21T14:20:07.111036Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e987e693-7a9b-409b-a965-d70c12fb7303",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d88813da-87f9-43e8-96da-4d1258b02e1e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111107Z",
            "modified": "2025-04-21T14:20:07.111107Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e987e693-7a9b-409b-a965-d70c12fb7303",
            "target_ref": "vulnerability--55121d60-3cc2-409b-9168-7e855dbc7404",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--cd54912d-eae3-43fd-8aa6-4eb7b259cd93",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11119Z",
            "modified": "2025-04-21T14:20:07.11119Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--cbadec49-5289-4fa5-96fc-45bb2dbdfc62",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--54b4076f-54d3-4315-b9e6-f1c7f721c4e4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111266Z",
            "modified": "2025-04-21T14:20:07.111266Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--cbadec49-5289-4fa5-96fc-45bb2dbdfc62",
            "target_ref": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c329b16d-c3e5-42e3-8718-537b4a62ac19",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111337Z",
            "modified": "2025-04-21T14:20:07.111337Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--06e509b2-e700-4a87-a50d-44e3e276bbe4",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8c67330b-93da-4c2c-9ffb-2d79d1afcfa8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11141Z",
            "modified": "2025-04-21T14:20:07.11141Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--06e509b2-e700-4a87-a50d-44e3e276bbe4",
            "target_ref": "vulnerability--7d38e8f0-09a8-45f2-afbe-62fb6d20a1f3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e78a1ea5-570c-4d33-aa78-86f64c8ceea1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11148Z",
            "modified": "2025-04-21T14:20:07.11148Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--06e509b2-e700-4a87-a50d-44e3e276bbe4",
            "target_ref": "vulnerability--f099f3a2-1727-4d77-8af8-59143592e245",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7a40b72f-24e4-4e9d-a757-d4a910e4a679",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111552Z",
            "modified": "2025-04-21T14:20:07.111552Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--06e509b2-e700-4a87-a50d-44e3e276bbe4",
            "target_ref": "vulnerability--f7fb3293-88cf-4896-bbff-bc1e04a17a48",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f4508475-7e46-420c-968d-f8e5f344a217",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111631Z",
            "modified": "2025-04-21T14:20:07.111631Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f6a83c80-4b62-49b5-8f90-1f063ae59b7d",
            "target_ref": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ae7f470e-304d-4553-9a7f-b2c476962831",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111702Z",
            "modified": "2025-04-21T14:20:07.111702Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f6a83c80-4b62-49b5-8f90-1f063ae59b7d",
            "target_ref": "vulnerability--ed320462-9747-416e-a3f5-109ebe7ce514",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e590a0b8-17a0-4f0d-b297-cd4be14aef44",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111773Z",
            "modified": "2025-04-21T14:20:07.111773Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f6a83c80-4b62-49b5-8f90-1f063ae59b7d",
            "target_ref": "vulnerability--635d9915-c996-4044-ad11-1ce3eaec8a1c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ad2b2699-c36e-4cb2-a270-21c467428cd7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111855Z",
            "modified": "2025-04-21T14:20:07.111855Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f6a83c80-4b62-49b5-8f90-1f063ae59b7d",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fb05e533-57cc-46b7-ac8a-0222afc9b84e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.111926Z",
            "modified": "2025-04-21T14:20:07.111926Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f6a83c80-4b62-49b5-8f90-1f063ae59b7d",
            "target_ref": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b4e7f1ef-9a37-457a-b448-75924ac475d1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112003Z",
            "modified": "2025-04-21T14:20:07.112003Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--27f19a6f-785c-4246-9753-51ba1eab6d99",
            "target_ref": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a03cd661-50c2-4ac4-877e-5a1d5adbcee0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112087Z",
            "modified": "2025-04-21T14:20:07.112087Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b5828b26-1fb3-46e1-a792-e50c949dad77",
            "target_ref": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e9d9e7ef-61de-4e5b-90c5-a4042febcd0f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112158Z",
            "modified": "2025-04-21T14:20:07.112158Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b5828b26-1fb3-46e1-a792-e50c949dad77",
            "target_ref": "vulnerability--3a61ad59-4b69-4d43-b73d-582af56b5d76",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1720f655-610a-4cd4-94cf-5326b903127b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112229Z",
            "modified": "2025-04-21T14:20:07.112229Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--872ee72c-3b85-4d16-bcb4-a90e1f0da9bd",
            "target_ref": "vulnerability--93670d27-5d0c-41d2-89c2-5c9b1b8dce72",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2c660273-75bf-44b2-85f3-3f09817dabf7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112312Z",
            "modified": "2025-04-21T14:20:07.112312Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--872ee72c-3b85-4d16-bcb4-a90e1f0da9bd",
            "target_ref": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--22005a77-245a-44e0-8980-d1aaca022180",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112383Z",
            "modified": "2025-04-21T14:20:07.112383Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--872ee72c-3b85-4d16-bcb4-a90e1f0da9bd",
            "target_ref": "vulnerability--b45b01bc-d3ea-42c7-b4c7-9e37f87e86b4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4c00b455-1828-433f-8993-9d7aeff54a13",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112454Z",
            "modified": "2025-04-21T14:20:07.112454Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--872ee72c-3b85-4d16-bcb4-a90e1f0da9bd",
            "target_ref": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--77e6cff5-8934-4656-85eb-3c51d7635610",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112528Z",
            "modified": "2025-04-21T14:20:07.112528Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--872ee72c-3b85-4d16-bcb4-a90e1f0da9bd",
            "target_ref": "vulnerability--bd5fb5e9-71b7-4817-acc7-349303f95aed",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--37e1e427-9cff-45a7-b383-4b9786d98dca",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112601Z",
            "modified": "2025-04-21T14:20:07.112601Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--872ee72c-3b85-4d16-bcb4-a90e1f0da9bd",
            "target_ref": "vulnerability--9f65791a-cb28-4dde-b903-3885e40d8f64",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--38e0d484-e32b-44b0-b7a6-d7a9a177389b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112674Z",
            "modified": "2025-04-21T14:20:07.112674Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--99f476af-d683-4276-abc2-1facc268df50",
            "target_ref": "vulnerability--93670d27-5d0c-41d2-89c2-5c9b1b8dce72",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--46712551-aa71-473c-9932-bd9078385c99",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112746Z",
            "modified": "2025-04-21T14:20:07.112746Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--99f476af-d683-4276-abc2-1facc268df50",
            "target_ref": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e12bc06b-418f-4c28-b407-d919898b653a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112816Z",
            "modified": "2025-04-21T14:20:07.112816Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--99f476af-d683-4276-abc2-1facc268df50",
            "target_ref": "vulnerability--55121d60-3cc2-409b-9168-7e855dbc7404",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--92fb9e6c-0dd9-4006-bd15-4b063ef76db4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112894Z",
            "modified": "2025-04-21T14:20:07.112894Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "target_ref": "vulnerability--66d49313-3f95-416c-a171-438ec0479c89",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--80e21c73-e954-4a3e-9008-299fa5ab4e09",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.112965Z",
            "modified": "2025-04-21T14:20:07.112965Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "target_ref": "vulnerability--0816e8cd-840c-41d3-8b0b-fe20b2e68db1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8aefc696-3465-473f-a59b-a8f853ff160d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113037Z",
            "modified": "2025-04-21T14:20:07.113037Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--66166bac-5ad3-4d47-a017-0a96e5afb15d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113108Z",
            "modified": "2025-04-21T14:20:07.113108Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "target_ref": "vulnerability--93670d27-5d0c-41d2-89c2-5c9b1b8dce72",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--dd65b9cb-92bd-4d4f-9302-c1c3a9b91d4b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113178Z",
            "modified": "2025-04-21T14:20:07.113178Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "target_ref": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--704f4a86-879e-425f-bbf0-99c63e060966",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113249Z",
            "modified": "2025-04-21T14:20:07.113249Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "target_ref": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8b75cc25-c1de-44b8-b98d-27ce5370a7f9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11332Z",
            "modified": "2025-04-21T14:20:07.11332Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db874a92-81d8-4b56-8730-7ba55a2473e7",
            "target_ref": "vulnerability--bd5fb5e9-71b7-4817-acc7-349303f95aed",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9f6aaa3c-49db-4e2c-a3ca-f06a35327ed0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113391Z",
            "modified": "2025-04-21T14:20:07.113391Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2a6eea4b-7841-43af-9052-89ab92cfb06f",
            "target_ref": "vulnerability--93670d27-5d0c-41d2-89c2-5c9b1b8dce72",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--21f71d07-e44a-49b3-9953-ab8acc55a0e6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113468Z",
            "modified": "2025-04-21T14:20:07.113468Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2a6eea4b-7841-43af-9052-89ab92cfb06f",
            "target_ref": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--84c32813-a355-46a5-8183-cd0b28c453ca",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11354Z",
            "modified": "2025-04-21T14:20:07.11354Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2a6eea4b-7841-43af-9052-89ab92cfb06f",
            "target_ref": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--38039552-b1ad-4462-9603-f2c9e46d0652",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113613Z",
            "modified": "2025-04-21T14:20:07.113613Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2a6eea4b-7841-43af-9052-89ab92cfb06f",
            "target_ref": "vulnerability--bd5fb5e9-71b7-4817-acc7-349303f95aed",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d94b077a-9501-4382-85e3-46ae9db65087",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113684Z",
            "modified": "2025-04-21T14:20:07.113684Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--d84af586-2e1e-4040-a977-9202463b10fa",
            "target_ref": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8b29e465-6296-4aed-a8cd-3fe6173dbbdd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11376Z",
            "modified": "2025-04-21T14:20:07.11376Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--a03c9402-b6a3-4a53-805d-a5000f65f4e7",
            "target_ref": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--244334aa-6333-41a6-89b2-c7d442a301a9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.113839Z",
            "modified": "2025-04-21T14:20:07.113839Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--a03c9402-b6a3-4a53-805d-a5000f65f4e7",
            "target_ref": "vulnerability--1f94d3f8-d111-463e-afe3-1779ea76b7dd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e9c6bb98-270c-4521-9b4c-22a33737c587",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11391Z",
            "modified": "2025-04-21T14:20:07.11391Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--a03c9402-b6a3-4a53-805d-a5000f65f4e7",
            "target_ref": "vulnerability--9ee0cfb0-5e71-47be-8576-de8802eb6b7e",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--88aa3c72-c6e1-4a65-9b4d-c1bb6b9d00e8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114006Z",
            "modified": "2025-04-21T14:20:07.114006Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--a03c9402-b6a3-4a53-805d-a5000f65f4e7",
            "target_ref": "vulnerability--d15cb2c2-6c8d-4864-8813-21ccab54ede2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--af30c403-5a79-4ac7-bd11-26a2df4f6cb3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114081Z",
            "modified": "2025-04-21T14:20:07.114081Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--64b2d6ce-b91f-4bcf-8efe-e21773a264c9",
            "target_ref": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1f9d96e3-1516-4988-9ae2-1f3a4cad4830",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114159Z",
            "modified": "2025-04-21T14:20:07.114159Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--64b2d6ce-b91f-4bcf-8efe-e21773a264c9",
            "target_ref": "vulnerability--4e9d683d-1400-46c3-9cb5-20cf0c3757c6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--66bd2c62-5673-4a6e-ba3d-981225552564",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11424Z",
            "modified": "2025-04-21T14:20:07.11424Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--64b2d6ce-b91f-4bcf-8efe-e21773a264c9",
            "target_ref": "vulnerability--d15cb2c2-6c8d-4864-8813-21ccab54ede2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1a3c5670-ff6f-47aa-a68e-a47b1a824e60",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114311Z",
            "modified": "2025-04-21T14:20:07.114311Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8e70538f-1149-41af-b14b-55d135cacb6a",
            "target_ref": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2f1e4d24-a2cf-4961-8b79-20e2dc0c8eef",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114385Z",
            "modified": "2025-04-21T14:20:07.114385Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--364abc12-f815-45b2-800b-c44bf95a99ce",
            "target_ref": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8e8203b6-e7ea-4c06-b7bc-f57b697d3d7b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114457Z",
            "modified": "2025-04-21T14:20:07.114457Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--715dd540-24dd-4893-b313-682dc9c1dc11",
            "target_ref": "vulnerability--2f38fbfc-0a74-4657-a28d-b6c24e4dc2ee",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--106d6538-205a-4aca-abd3-c60ddfefd4b9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114528Z",
            "modified": "2025-04-21T14:20:07.114528Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--dcf1e046-4998-4760-872b-1ec05f414436",
            "target_ref": "vulnerability--f3280b96-b050-42e6-adb9-341ea73a2fe6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--533b6274-4e5f-4b1c-bf24-41898cf5dc16",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114599Z",
            "modified": "2025-04-21T14:20:07.114599Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--dcf1e046-4998-4760-872b-1ec05f414436",
            "target_ref": "vulnerability--9f65791a-cb28-4dde-b903-3885e40d8f64",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ce732ea9-bdb3-4953-9edf-d5e30d94d1e6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11467Z",
            "modified": "2025-04-21T14:20:07.11467Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--7670760e-d316-498f-8ef6-788a518b80f3",
            "target_ref": "vulnerability--2f38fbfc-0a74-4657-a28d-b6c24e4dc2ee",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9148e594-15e7-4620-a0b1-1ccee89491b5",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11474Z",
            "modified": "2025-04-21T14:20:07.11474Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--7670760e-d316-498f-8ef6-788a518b80f3",
            "target_ref": "vulnerability--63a42cdd-ab9d-4c2b-b5c0-d7205a94723c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--dac27942-16bb-482d-9402-8057ecc8c755",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114822Z",
            "modified": "2025-04-21T14:20:07.114822Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--29294cab-fcfa-4747-b96e-a54980149610",
            "target_ref": "vulnerability--63a42cdd-ab9d-4c2b-b5c0-d7205a94723c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2bdc345c-6f4e-489b-8264-448b75f87d19",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114898Z",
            "modified": "2025-04-21T14:20:07.114898Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b15f38b3-5989-436f-8ec2-a7722379f676",
            "target_ref": "vulnerability--be1dae3a-4d6d-4842-9de6-cf5d217f0370",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ce40c631-aa4b-4793-af1d-6e6eb32db381",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.114985Z",
            "modified": "2025-04-21T14:20:07.114985Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1d03d6df-472e-4740-afe3-d2d37cd74618",
            "target_ref": "vulnerability--be1dae3a-4d6d-4842-9de6-cf5d217f0370",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--87f0f309-5c1f-4fc6-acca-0fe59959d3a7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115072Z",
            "modified": "2025-04-21T14:20:07.115072Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1d03d6df-472e-4740-afe3-d2d37cd74618",
            "target_ref": "vulnerability--2ef9b3dd-19aa-40b0-9c4c-e2a4aef35b85",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5dc1ef9b-8053-4762-89a3-10c70e3233f6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115143Z",
            "modified": "2025-04-21T14:20:07.115143Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1d03d6df-472e-4740-afe3-d2d37cd74618",
            "target_ref": "vulnerability--435d3f7c-68fe-4c67-b952-61d5713dad36",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3f0bb4bc-ea98-44df-91ca-f28f2f6166b9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115229Z",
            "modified": "2025-04-21T14:20:07.115229Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1d03d6df-472e-4740-afe3-d2d37cd74618",
            "target_ref": "vulnerability--99b03309-3996-4e49-9500-1ed7a700d9cd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--07510e19-a1e6-47fa-a06c-208853ac5e03",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115299Z",
            "modified": "2025-04-21T14:20:07.115299Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1d03d6df-472e-4740-afe3-d2d37cd74618",
            "target_ref": "vulnerability--502fd094-4e5d-4cf5-a644-e224bd9f469b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f1e91cda-782f-49f0-ac08-d16d02ade5b2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115383Z",
            "modified": "2025-04-21T14:20:07.115383Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1d03d6df-472e-4740-afe3-d2d37cd74618",
            "target_ref": "vulnerability--2f72b508-1ab5-4ae3-a3f2-63ff5e1e4a56",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--70aa0962-7aab-4e04-b27a-e0fc746ea7f3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115475Z",
            "modified": "2025-04-21T14:20:07.115475Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9628a59b-34c1-46f0-a4b4-60f4f33bc452",
            "target_ref": "vulnerability--3b108539-3924-4f24-94bd-aec5f03d3551",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--aec3ea10-1a91-4edc-92f0-73f43c2066a7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115556Z",
            "modified": "2025-04-21T14:20:07.115556Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9628a59b-34c1-46f0-a4b4-60f4f33bc452",
            "target_ref": "vulnerability--dd1c369e-1979-479e-9006-be3e0b1a2557",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9134aa25-2300-4984-89bd-ef5621bf3e8f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115631Z",
            "modified": "2025-04-21T14:20:07.115631Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9628a59b-34c1-46f0-a4b4-60f4f33bc452",
            "target_ref": "vulnerability--99b03309-3996-4e49-9500-1ed7a700d9cd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4500025b-a540-4f4c-83ec-c8d82801af25",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115701Z",
            "modified": "2025-04-21T14:20:07.115701Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9628a59b-34c1-46f0-a4b4-60f4f33bc452",
            "target_ref": "vulnerability--6f00418f-9859-4fce-966f-ffa7a4913525",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1cf7b5d2-b743-4608-af86-1294ee661c87",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115786Z",
            "modified": "2025-04-21T14:20:07.115786Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9628a59b-34c1-46f0-a4b4-60f4f33bc452",
            "target_ref": "vulnerability--d0ee8c9b-3b69-450d-897c-f1cb463bcb47",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d45a9bd6-ffff-4875-84eb-a8f45eb88f7f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115857Z",
            "modified": "2025-04-21T14:20:07.115857Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9628a59b-34c1-46f0-a4b4-60f4f33bc452",
            "target_ref": "vulnerability--1d285166-3508-48ca-a8c6-05f1117faa03",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--57321b91-5901-478f-96fd-c9619f1a87e9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.115933Z",
            "modified": "2025-04-21T14:20:07.115933Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2c1f7fed-2ae5-41ec-a796-8b18a506c85f",
            "target_ref": "vulnerability--02b33020-2f00-4eb7-8323-2281d41275fc",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ee198766-dece-4925-a7f5-09dcd595d64b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116012Z",
            "modified": "2025-04-21T14:20:07.116012Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--683cf8f4-72d2-472f-b250-70fa06e4fd13",
            "target_ref": "vulnerability--03c1db93-d257-45c7-a37d-1342f1247fc3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--59893c77-c297-4f68-bbcf-5d62984818ac",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116085Z",
            "modified": "2025-04-21T14:20:07.116085Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1b9a61eb-ba6c-4963-98b1-c882cafe9782",
            "target_ref": "vulnerability--e62bc4f1-d5c4-4714-b529-e1fc78f2991d",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e06cd005-180a-4ac2-8dbd-abbba6afb22a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116158Z",
            "modified": "2025-04-21T14:20:07.116158Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b46e0705-358f-4ff2-a015-36d38cba90ba",
            "target_ref": "vulnerability--2f72b508-1ab5-4ae3-a3f2-63ff5e1e4a56",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2e2e459b-76fb-449a-8511-a6818e9bc3f6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116229Z",
            "modified": "2025-04-21T14:20:07.116229Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b46e0705-358f-4ff2-a015-36d38cba90ba",
            "target_ref": "vulnerability--643c0c24-0b99-4dc4-9de2-b6d5a30334d9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d76d0477-1708-4817-917e-3f290fcfc37b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.1163Z",
            "modified": "2025-04-21T14:20:07.1163Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b46e0705-358f-4ff2-a015-36d38cba90ba",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bdb39783-4880-45e0-9206-59fdeb21c845",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116372Z",
            "modified": "2025-04-21T14:20:07.116372Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b46e0705-358f-4ff2-a015-36d38cba90ba",
            "target_ref": "vulnerability--d15cb2c2-6c8d-4864-8813-21ccab54ede2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b079868b-df08-42fb-841e-c57c76e07df7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116443Z",
            "modified": "2025-04-21T14:20:07.116443Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--12bb6f57-6b0f-4ddd-a15c-98657151d49b",
            "target_ref": "vulnerability--2f72b508-1ab5-4ae3-a3f2-63ff5e1e4a56",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--52a82089-1980-4dbf-951f-7053a056dec1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116514Z",
            "modified": "2025-04-21T14:20:07.116514Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--12bb6f57-6b0f-4ddd-a15c-98657151d49b",
            "target_ref": "vulnerability--643c0c24-0b99-4dc4-9de2-b6d5a30334d9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--76edfced-b1d4-450d-b041-38df624e45cf",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116586Z",
            "modified": "2025-04-21T14:20:07.116586Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--12bb6f57-6b0f-4ddd-a15c-98657151d49b",
            "target_ref": "vulnerability--f099f3a2-1727-4d77-8af8-59143592e245",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--eb28a511-40d8-4acf-bab6-5adc9bc72ce8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116656Z",
            "modified": "2025-04-21T14:20:07.116656Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--12bb6f57-6b0f-4ddd-a15c-98657151d49b",
            "target_ref": "vulnerability--f7fb3293-88cf-4896-bbff-bc1e04a17a48",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--58ee4e47-134f-4f0f-96f8-ae7f46c7549d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116727Z",
            "modified": "2025-04-21T14:20:07.116727Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b165f5a6-3c3c-43f9-82c6-d7c15016dd00",
            "target_ref": "vulnerability--435d3f7c-68fe-4c67-b952-61d5713dad36",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f57e1ea7-bd22-491e-b884-74b33cec5bcd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116798Z",
            "modified": "2025-04-21T14:20:07.116798Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b165f5a6-3c3c-43f9-82c6-d7c15016dd00",
            "target_ref": "vulnerability--fe64d2c0-6201-4ccb-8ddc-35964d9b2200",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1d8c9a15-dff0-4722-9252-2990c5deb781",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116869Z",
            "modified": "2025-04-21T14:20:07.116869Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b165f5a6-3c3c-43f9-82c6-d7c15016dd00",
            "target_ref": "vulnerability--13394383-1d88-4ee4-b2b9-0f26fc03a657",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--825102ad-bae6-43a8-9274-4d9a9aeeec0c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.116939Z",
            "modified": "2025-04-21T14:20:07.116939Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--4c202b86-bea7-46ac-9a79-8d5693fef44b",
            "target_ref": "vulnerability--6317d395-281c-4677-b1a3-33e588cde84a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4327bad8-f2b5-473d-bf23-74eadb0ea7df",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117011Z",
            "modified": "2025-04-21T14:20:07.117011Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--4c202b86-bea7-46ac-9a79-8d5693fef44b",
            "target_ref": "vulnerability--20e1c1fe-e1de-4a80-a22e-3184f9484736",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7f40a71b-de0d-4f9d-a84e-d7bc43b795b9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117081Z",
            "modified": "2025-04-21T14:20:07.117081Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e187f689-2fe4-423f-a628-7dfeebcdd137",
            "target_ref": "vulnerability--0a7390e5-fb6a-4f05-84dd-1cce5466d1de",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b18ac259-11c3-4c54-bfe7-fbed524e2f41",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117152Z",
            "modified": "2025-04-21T14:20:07.117152Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e187f689-2fe4-423f-a628-7dfeebcdd137",
            "target_ref": "vulnerability--8b6a20c9-ae6e-4bae-9ae7-7486986a3fd0",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--75baea89-22a0-45ec-8750-abef4888ea1b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117223Z",
            "modified": "2025-04-21T14:20:07.117223Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9743eac6-39dc-45a9-b363-e068896aec81",
            "target_ref": "vulnerability--c8299e63-c1ee-4bbc-8486-2e7b5a5d1cad",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5902980b-21bf-4947-a9d6-e9f5a9a1d8c9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117294Z",
            "modified": "2025-04-21T14:20:07.117294Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9743eac6-39dc-45a9-b363-e068896aec81",
            "target_ref": "vulnerability--027d72fa-4254-45ac-b2b0-c90578336f92",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--85770f8a-a72c-4c78-8f9c-230dcb457628",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117367Z",
            "modified": "2025-04-21T14:20:07.117367Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--29acb791-fa65-44c0-9492-dd296c1a59fe",
            "target_ref": "vulnerability--c8299e63-c1ee-4bbc-8486-2e7b5a5d1cad",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ddba16fe-bb2a-40c8-85db-42a2fac7b3ef",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117437Z",
            "modified": "2025-04-21T14:20:07.117437Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--29acb791-fa65-44c0-9492-dd296c1a59fe",
            "target_ref": "vulnerability--027d72fa-4254-45ac-b2b0-c90578336f92",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--28c78891-b6ea-4cbd-82ef-61b3fd771f22",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117508Z",
            "modified": "2025-04-21T14:20:07.117508Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e93c9ffb-878b-4532-8c38-e898e2eb3bb4",
            "target_ref": "vulnerability--643c0c24-0b99-4dc4-9de2-b6d5a30334d9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c6bb0db3-86ba-41d9-8c95-5c6766015c58",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117578Z",
            "modified": "2025-04-21T14:20:07.117578Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e93c9ffb-878b-4532-8c38-e898e2eb3bb4",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e6a5d370-efe8-404e-9a59-89c76feb7dc8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117653Z",
            "modified": "2025-04-21T14:20:07.117653Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e93c9ffb-878b-4532-8c38-e898e2eb3bb4",
            "target_ref": "vulnerability--85204183-21e8-44d9-bd71-a7928eb8736f",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0808dea5-41cd-45b5-b84c-08014e64f142",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117724Z",
            "modified": "2025-04-21T14:20:07.117724Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e93c9ffb-878b-4532-8c38-e898e2eb3bb4",
            "target_ref": "vulnerability--aa091fdb-adaa-4e89-a8c3-c40784fb73a1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--75d2099c-cb29-4d5e-baa0-e3fb68b98750",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117795Z",
            "modified": "2025-04-21T14:20:07.117795Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e93c9ffb-878b-4532-8c38-e898e2eb3bb4",
            "target_ref": "vulnerability--d15cb2c2-6c8d-4864-8813-21ccab54ede2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b9aaf723-6846-4636-8dd9-1dca89b73b92",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117865Z",
            "modified": "2025-04-21T14:20:07.117865Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e93c9ffb-878b-4532-8c38-e898e2eb3bb4",
            "target_ref": "vulnerability--4611b574-efed-4237-81a4-d9e238fb1ef4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--46ed7d6a-59f8-434c-aaad-50e3714e8b83",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.117936Z",
            "modified": "2025-04-21T14:20:07.117936Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--7a99028a-e2a6-4cab-a897-d380a4c64955",
            "target_ref": "vulnerability--4e9d683d-1400-46c3-9cb5-20cf0c3757c6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e3c8b760-d05b-4e62-9ae8-cfc060178af6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118007Z",
            "modified": "2025-04-21T14:20:07.118007Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8a6f11a8-1d57-4994-86ef-a3acc02b59f4",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4be43431-531f-4c49-bcb8-fbc95fce7b83",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118078Z",
            "modified": "2025-04-21T14:20:07.118078Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--572d51bd-fb54-495f-bf9e-29ec719e569e",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2f5e4dba-cd3b-4836-ba37-cb2373041c0c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118148Z",
            "modified": "2025-04-21T14:20:07.118148Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--572d51bd-fb54-495f-bf9e-29ec719e569e",
            "target_ref": "vulnerability--4d11522b-19e6-4989-aad4-bce1378ad2ad",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--de17b70c-0a79-4ddb-be68-40308cef017e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118219Z",
            "modified": "2025-04-21T14:20:07.118219Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--db0015a7-1e67-44b1-a547-8918e014b933",
            "target_ref": "vulnerability--c98bbe9f-e478-40d5-b585-cc1bc83c8105",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--041acaf7-cdc4-4108-88d6-dfc688436cdb",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.11829Z",
            "modified": "2025-04-21T14:20:07.11829Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e7c03953-1097-4fa9-8247-beda4c65905e",
            "target_ref": "vulnerability--e5f90347-e6a0-412e-ab54-18aa1185ef09",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b1643eb3-d6e8-46c5-bbf5-a586c2305f99",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118361Z",
            "modified": "2025-04-21T14:20:07.118361Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e7c03953-1097-4fa9-8247-beda4c65905e",
            "target_ref": "vulnerability--dda83adc-ea39-4e82-92e8-5022dff4d58a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5574af49-8d5d-4aa9-ba6f-d8f070ae66ad",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118437Z",
            "modified": "2025-04-21T14:20:07.118437Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--38136af8-d2d7-4edb-8282-394c564ec034",
            "target_ref": "vulnerability--1d285166-3508-48ca-a8c6-05f1117faa03",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bf3d3c5a-3fdf-483c-ae3b-e48d61bb3174",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118512Z",
            "modified": "2025-04-21T14:20:07.118512Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--38136af8-d2d7-4edb-8282-394c564ec034",
            "target_ref": "vulnerability--a71049a8-bfe9-47cf-a645-2b3d04cd3bdb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--65ebdc81-0e35-491d-b515-54b7c23665e3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118586Z",
            "modified": "2025-04-21T14:20:07.118586Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--38136af8-d2d7-4edb-8282-394c564ec034",
            "target_ref": "vulnerability--7da95ae6-55cf-4cdc-ae5a-da0f86688cfb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2d42f491-75f6-4b67-bb49-3efc6587118b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118657Z",
            "modified": "2025-04-21T14:20:07.118657Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--064de415-3fdb-41e4-9842-2bc98b0d9693",
            "target_ref": "vulnerability--825299f4-1bab-4682-82ba-450bfb7641d1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ec3dcae5-c0bd-4604-bbdd-e466639f76c9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118729Z",
            "modified": "2025-04-21T14:20:07.118729Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--dbe52fb3-2f2f-4842-94ce-1110b7636cb2",
            "target_ref": "vulnerability--825299f4-1bab-4682-82ba-450bfb7641d1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--6007707c-14b4-4184-b366-30beecd2a237",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118802Z",
            "modified": "2025-04-21T14:20:07.118802Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--717ee3d4-2ece-440b-a0f1-c914df8227f0",
            "target_ref": "vulnerability--13394383-1d88-4ee4-b2b9-0f26fc03a657",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7d009d4d-81cc-425c-9b8b-571910463217",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118873Z",
            "modified": "2025-04-21T14:20:07.118873Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f459d3d9-df9d-4cf5-9ec7-40391645e546",
            "target_ref": "vulnerability--13394383-1d88-4ee4-b2b9-0f26fc03a657",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--6b45ab3d-36f3-4651-9ccd-ebc2688160e7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.118943Z",
            "modified": "2025-04-21T14:20:07.118943Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--989d96d7-d15a-45ce-b712-602c2da5a623",
            "target_ref": "vulnerability--9367d60b-3ef6-4d2a-8da3-71ffd9ea2418",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0913e1bd-cc62-4a93-8083-c506cb39d8e1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119014Z",
            "modified": "2025-04-21T14:20:07.119014Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2a9a311e-8a23-4673-a35b-f7296d112571",
            "target_ref": "vulnerability--66d49313-3f95-416c-a171-438ec0479c89",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bcaa1a9a-03c4-4be8-b8b8-04eeef07355e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119109Z",
            "modified": "2025-04-21T14:20:07.119109Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--116216d7-e48e-4dd8-913b-8d07a272feff",
            "target_ref": "vulnerability--66d49313-3f95-416c-a171-438ec0479c89",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8116ff4b-55d4-43b2-9317-829a49de65ae",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119183Z",
            "modified": "2025-04-21T14:20:07.119183Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--116216d7-e48e-4dd8-913b-8d07a272feff",
            "target_ref": "vulnerability--0816e8cd-840c-41d3-8b0b-fe20b2e68db1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fcb14741-3715-4992-8816-60a286a2d29c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119254Z",
            "modified": "2025-04-21T14:20:07.119254Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--116216d7-e48e-4dd8-913b-8d07a272feff",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b6c04bfd-ace6-4a7d-ad83-0ab5637ddf5e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119325Z",
            "modified": "2025-04-21T14:20:07.119325Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e859696e-ef19-4746-a3c6-e00f14ae9c2a",
            "target_ref": "vulnerability--74aea73e-457e-454c-ace6-a6cbe3f4d6e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ee2b354f-2d38-49e3-966e-77e76c1683cd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119395Z",
            "modified": "2025-04-21T14:20:07.119395Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e859696e-ef19-4746-a3c6-e00f14ae9c2a",
            "target_ref": "vulnerability--79090b18-13bd-4900-bcad-a3ca29c6f4f6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--dfd7f113-0a57-4b5a-87e8-009ceff64995",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119466Z",
            "modified": "2025-04-21T14:20:07.119466Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e859696e-ef19-4746-a3c6-e00f14ae9c2a",
            "target_ref": "vulnerability--26ed7806-6ca2-4983-8ae3-0586fbfb6c62",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bfb1f8ac-ba0b-4348-a2f0-351dddf0a469",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119537Z",
            "modified": "2025-04-21T14:20:07.119537Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--e859696e-ef19-4746-a3c6-e00f14ae9c2a",
            "target_ref": "vulnerability--e23294f5-0a97-4a7d-aab9-f448f713867a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c14a637e-af11-4662-90eb-e7c308b9c6df",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119608Z",
            "modified": "2025-04-21T14:20:07.119608Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--bad66d3f-b053-48db-856a-4456673069e2",
            "target_ref": "vulnerability--780462ac-898a-4479-819a-9fba9dde8393",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--55976ca8-1fad-4844-8cfd-2929c76216ba",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119678Z",
            "modified": "2025-04-21T14:20:07.119678Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ec8c4735-fdb6-42e4-930a-874702b94c72",
            "target_ref": "vulnerability--74aea73e-457e-454c-ace6-a6cbe3f4d6e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4fe0252d-8f6e-41ca-aea5-5b5554b53996",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119748Z",
            "modified": "2025-04-21T14:20:07.119748Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ec8c4735-fdb6-42e4-930a-874702b94c72",
            "target_ref": "vulnerability--79090b18-13bd-4900-bcad-a3ca29c6f4f6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5e7f650a-f586-4ef3-98ad-05800e802b18",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119819Z",
            "modified": "2025-04-21T14:20:07.119819Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--7ec23ed5-c8e4-4aea-af7d-d113380fb18a",
            "target_ref": "vulnerability--74aea73e-457e-454c-ace6-a6cbe3f4d6e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5411c194-09c3-4784-be1c-326ea01be998",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119889Z",
            "modified": "2025-04-21T14:20:07.119889Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--7ec23ed5-c8e4-4aea-af7d-d113380fb18a",
            "target_ref": "vulnerability--79090b18-13bd-4900-bcad-a3ca29c6f4f6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d3bb23d1-87e1-4ac5-8844-babb5041e353",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.119959Z",
            "modified": "2025-04-21T14:20:07.119959Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--7ec23ed5-c8e4-4aea-af7d-d113380fb18a",
            "target_ref": "vulnerability--26ed7806-6ca2-4983-8ae3-0586fbfb6c62",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--cf241907-34b2-4e12-a283-45a30343db28",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120029Z",
            "modified": "2025-04-21T14:20:07.120029Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--7ec23ed5-c8e4-4aea-af7d-d113380fb18a",
            "target_ref": "vulnerability--e23294f5-0a97-4a7d-aab9-f448f713867a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1e5e5c0e-b5d7-4c23-944d-9290e518be36",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.1201Z",
            "modified": "2025-04-21T14:20:07.1201Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--31ced2d1-7193-4c13-9c5b-2a1bf6c41142",
            "target_ref": "vulnerability--a544b3fd-4edc-4fee-809f-2660d7628cdd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--19b7f373-1060-451d-9cd3-9b61628c0e80",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120171Z",
            "modified": "2025-04-21T14:20:07.120171Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2984a4fe-bbc7-4e4e-a573-04af3c74ade7",
            "target_ref": "vulnerability--9b8652e5-3547-43ee-bb74-ca998b2d747c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d43c6286-027f-4516-8939-c8088944ea62",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120247Z",
            "modified": "2025-04-21T14:20:07.120247Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2984a4fe-bbc7-4e4e-a573-04af3c74ade7",
            "target_ref": "vulnerability--b8e18644-b25e-4294-ae02-44bf44cfeaab",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--6b01aa93-0c0b-4c28-b852-a0d645648523",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120317Z",
            "modified": "2025-04-21T14:20:07.120317Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2984a4fe-bbc7-4e4e-a573-04af3c74ade7",
            "target_ref": "vulnerability--45d8f340-f19f-4af0-852c-a0eec57f82f5",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fa24670b-da39-4871-861d-51dea2e09ece",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120402Z",
            "modified": "2025-04-21T14:20:07.120402Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--761e9d7d-ec5e-4b7f-a0e9-c04b0bc43b3e",
            "target_ref": "vulnerability--9b8652e5-3547-43ee-bb74-ca998b2d747c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f0976055-8138-4e2b-96d5-f73a0c7f1e5e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120472Z",
            "modified": "2025-04-21T14:20:07.120472Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--761e9d7d-ec5e-4b7f-a0e9-c04b0bc43b3e",
            "target_ref": "vulnerability--45d8f340-f19f-4af0-852c-a0eec57f82f5",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5f10298f-81a0-48fe-8d82-d9fe94bf7a7e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120542Z",
            "modified": "2025-04-21T14:20:07.120542Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--62b56d8a-254e-4efe-9e09-0a2e524a58e2",
            "target_ref": "vulnerability--3b108539-3924-4f24-94bd-aec5f03d3551",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--16cd8072-5193-4192-a5b5-4eb5de546975",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120613Z",
            "modified": "2025-04-21T14:20:07.120613Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--62b56d8a-254e-4efe-9e09-0a2e524a58e2",
            "target_ref": "vulnerability--dd1c369e-1979-479e-9006-be3e0b1a2557",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d49a142b-c584-4303-9f62-9da5f250c6ff",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120688Z",
            "modified": "2025-04-21T14:20:07.120688Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--50ae3284-16da-4218-abe7-b88c05519927",
            "target_ref": "vulnerability--3b108539-3924-4f24-94bd-aec5f03d3551",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--aaaaaf72-1213-4c56-99d7-8a2106ca7a76",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120763Z",
            "modified": "2025-04-21T14:20:07.120763Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--50ae3284-16da-4218-abe7-b88c05519927",
            "target_ref": "vulnerability--dd1c369e-1979-479e-9006-be3e0b1a2557",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--66024acd-ef08-4d6b-b218-a473925e5601",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120835Z",
            "modified": "2025-04-21T14:20:07.120835Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--50ae3284-16da-4218-abe7-b88c05519927",
            "target_ref": "vulnerability--d0ee8c9b-3b69-450d-897c-f1cb463bcb47",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a4ff298c-2c66-4973-a239-057f9885e936",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120906Z",
            "modified": "2025-04-21T14:20:07.120906Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--50ae3284-16da-4218-abe7-b88c05519927",
            "target_ref": "vulnerability--02b33020-2f00-4eb7-8323-2281d41275fc",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0a9c17c1-cf2c-4e9d-80a2-207a3681a9fd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.120977Z",
            "modified": "2025-04-21T14:20:07.120977Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--50ae3284-16da-4218-abe7-b88c05519927",
            "target_ref": "vulnerability--13394383-1d88-4ee4-b2b9-0f26fc03a657",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--415f3aef-5367-4da4-a915-b9b2106d2887",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121048Z",
            "modified": "2025-04-21T14:20:07.121048Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--44eff409-d7aa-44ad-9f4d-8108a7fa5268",
            "target_ref": "vulnerability--66d49313-3f95-416c-a171-438ec0479c89",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4b0c96cf-ebda-40ca-87d7-98819e0f08eb",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121118Z",
            "modified": "2025-04-21T14:20:07.121118Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--df49e510-a684-4eeb-b5cc-a3ac007eb773",
            "target_ref": "vulnerability--183bbc5d-1096-4f2c-a3b8-7675b0e46704",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--320653b3-380a-46b8-a3fe-e5bc808b757c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121188Z",
            "modified": "2025-04-21T14:20:07.121188Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--90dff286-f6c8-47ef-b903-2291a2d84656",
            "target_ref": "vulnerability--183bbc5d-1096-4f2c-a3b8-7675b0e46704",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--68a39f8f-0de5-4317-8856-39599afff81d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121259Z",
            "modified": "2025-04-21T14:20:07.121259Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ec3590f3-458b-4049-847c-87dbfd9fc43f",
            "target_ref": "vulnerability--74aea73e-457e-454c-ace6-a6cbe3f4d6e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--842632b7-d7f7-4242-98d2-66b3f777dcbd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121334Z",
            "modified": "2025-04-21T14:20:07.121334Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--ec3590f3-458b-4049-847c-87dbfd9fc43f",
            "target_ref": "vulnerability--79090b18-13bd-4900-bcad-a3ca29c6f4f6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0cf6c2d6-7218-4773-86ba-fece8e211fa0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121405Z",
            "modified": "2025-04-21T14:20:07.121405Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--26f07105-06e7-4052-90a3-f9bf0f185901",
            "target_ref": "vulnerability--74aea73e-457e-454c-ace6-a6cbe3f4d6e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c05cef7b-d09d-4ae1-ac8a-55eb4a6d340f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121476Z",
            "modified": "2025-04-21T14:20:07.121476Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--26f07105-06e7-4052-90a3-f9bf0f185901",
            "target_ref": "vulnerability--780462ac-898a-4479-819a-9fba9dde8393",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d0bfa50b-7de9-47d8-9823-c08229f5eb93",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12155Z",
            "modified": "2025-04-21T14:20:07.12155Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--26f07105-06e7-4052-90a3-f9bf0f185901",
            "target_ref": "vulnerability--26ed7806-6ca2-4983-8ae3-0586fbfb6c62",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--311b42ef-bf06-4069-95e0-252576454e44",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121621Z",
            "modified": "2025-04-21T14:20:07.121621Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--26f07105-06e7-4052-90a3-f9bf0f185901",
            "target_ref": "vulnerability--0816e8cd-840c-41d3-8b0b-fe20b2e68db1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b9276d14-eb3f-46f9-9910-f161bc09cca9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121697Z",
            "modified": "2025-04-21T14:20:07.121697Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--26f07105-06e7-4052-90a3-f9bf0f185901",
            "target_ref": "vulnerability--68ec2b84-ef87-4ee8-b14f-27310bd96240",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--17c95214-47dc-4616-b215-2e8294a63c41",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121767Z",
            "modified": "2025-04-21T14:20:07.121767Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2a56c9aa-78ae-4ac3-a7d0-bbd8e15eb4cc",
            "target_ref": "vulnerability--183bbc5d-1096-4f2c-a3b8-7675b0e46704",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7373b319-f501-4b1d-8e4e-7cb6dc277acc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121842Z",
            "modified": "2025-04-21T14:20:07.121842Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--2a56c9aa-78ae-4ac3-a7d0-bbd8e15eb4cc",
            "target_ref": "vulnerability--0816e8cd-840c-41d3-8b0b-fe20b2e68db1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e2b12225-938a-429b-8d33-4ba934de9182",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121913Z",
            "modified": "2025-04-21T14:20:07.121913Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8ad008f0-2eb3-4fd7-b57a-4c17711a1bca",
            "target_ref": "vulnerability--0816e8cd-840c-41d3-8b0b-fe20b2e68db1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--056abef6-7208-4754-8dc0-2ff7e1d65272",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.121984Z",
            "modified": "2025-04-21T14:20:07.121984Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--af9c27a6-fe3d-42ba-acdc-807d835c9faa",
            "target_ref": "vulnerability--e23294f5-0a97-4a7d-aab9-f448f713867a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--34cd9048-6ad0-4df1-ac30-a17958ff94c9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122055Z",
            "modified": "2025-04-21T14:20:07.122055Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--6d9ac66a-027d-4d7e-8f2f-1480bc510d12",
            "target_ref": "vulnerability--a350ee85-3253-41d4-82aa-f014100805ec",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9d2cbf2e-b76d-400d-ade1-c558aa1f08c9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122126Z",
            "modified": "2025-04-21T14:20:07.122126Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1cd9b54f-7675-4991-b15a-5510d3be219a",
            "target_ref": "vulnerability--780462ac-898a-4479-819a-9fba9dde8393",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--00ea15a3-1cd2-4b07-a108-c40b14bb93bc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122196Z",
            "modified": "2025-04-21T14:20:07.122196Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--1cd9b54f-7675-4991-b15a-5510d3be219a",
            "target_ref": "vulnerability--3a61ad59-4b69-4d43-b73d-582af56b5d76",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f2764354-8831-44e4-8873-48e51a4d479a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122268Z",
            "modified": "2025-04-21T14:20:07.122268Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--fcbe13dc-f184-4cdb-b5d8-79bc947f6ee4",
            "target_ref": "vulnerability--7db512d9-bbe1-4d46-a0fe-6cbeb7050f2f",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--44f24cb1-c168-4cc8-b4ee-8ed080e35de9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122338Z",
            "modified": "2025-04-21T14:20:07.122338Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f2d5d36d-8079-457f-a4bb-00f507008b1a",
            "target_ref": "vulnerability--f04ee0a2-161f-42dd-a886-0f7cb99cb61a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--93b5e4f7-29de-4555-9059-15033f49b6d9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122409Z",
            "modified": "2025-04-21T14:20:07.122409Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--879f5405-8ccd-48ce-aeda-c3cfa07de206",
            "target_ref": "vulnerability--8b6a20c9-ae6e-4bae-9ae7-7486986a3fd0",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7a9728d0-8421-4efd-a88f-58f24f862190",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12248Z",
            "modified": "2025-04-21T14:20:07.12248Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--16dac18c-20e3-44d8-adbf-66f24c780ebc",
            "target_ref": "vulnerability--8b0a83f2-9988-48a7-be05-b6e17d77d19e",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--747c45b8-ab3b-4b0f-8d17-939963847a75",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122551Z",
            "modified": "2025-04-21T14:20:07.122551Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--343136e8-66cd-4001-b3b7-a73eecced1d5",
            "target_ref": "vulnerability--79e6a926-00d3-4da4-ba37-f23ac4c28b69",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--782155d8-f16d-47e7-8f12-54dce82b13b4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122621Z",
            "modified": "2025-04-21T14:20:07.122621Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--0ecdf4fc-d494-4c1b-8877-ac0e823ce6e4",
            "target_ref": "vulnerability--f5715798-c7aa-4d82-805a-1ad6308a5983",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7e1b2191-7c65-466d-b243-ed02c4820b4d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122693Z",
            "modified": "2025-04-21T14:20:07.122693Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--c3ed4132-c26d-4812-b526-43ca91e50a05",
            "target_ref": "vulnerability--b5e980ce-bb43-43ec-802c-25907e355e99",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--da5a5b9a-dea0-448b-b5e6-2cd2186d3393",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122764Z",
            "modified": "2025-04-21T14:20:07.122764Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--9ab5eb97-9b19-4a53-af75-99a637920000",
            "target_ref": "vulnerability--d48175e7-c5bd-47ff-9fe0-35cd6d54fe9c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--22eb73f4-cb4e-4db0-b360-aa109a397074",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122835Z",
            "modified": "2025-04-21T14:20:07.122835Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--64e0ee28-6847-4551-b215-39da960ca68c",
            "target_ref": "vulnerability--74b33ffa-a184-4f82-9ba6-1c9e36a48d0a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9000a237-7051-455f-a795-c893530bfc7d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122905Z",
            "modified": "2025-04-21T14:20:07.122905Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--da62947b-f3ad-40b9-9e97-57798fb4c3d3",
            "target_ref": "vulnerability--f7fb3293-88cf-4896-bbff-bc1e04a17a48",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--6dfbccfa-36be-4de8-b3b7-b7454d4eece5",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.122976Z",
            "modified": "2025-04-21T14:20:07.122976Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8796a481-334e-43c0-b3fe-412c5f6f19f1",
            "target_ref": "vulnerability--20e1c1fe-e1de-4a80-a22e-3184f9484736",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4fd197c4-86d2-4efa-a37a-99c39ac2035b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123046Z",
            "modified": "2025-04-21T14:20:07.123046Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--8796a481-334e-43c0-b3fe-412c5f6f19f1",
            "target_ref": "vulnerability--0a7390e5-fb6a-4f05-84dd-1cce5466d1de",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--efd519af-49e1-4ff1-88d7-95af364882c6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123123Z",
            "modified": "2025-04-21T14:20:07.123123Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--5dd947ea-3405-4e37-9ec3-449c9e004be0",
            "target_ref": "vulnerability--7da95ae6-55cf-4cdc-ae5a-da0f86688cfb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0cf27792-9045-49fd-b62c-2539e8f011e0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123194Z",
            "modified": "2025-04-21T14:20:07.123194Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--83cb878c-dbdd-44c8-90f0-dda87adfaa16",
            "target_ref": "vulnerability--d15cb2c2-6c8d-4864-8813-21ccab54ede2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2f5af13e-d22f-4cd8-ab44-c19c8a58da7d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123265Z",
            "modified": "2025-04-21T14:20:07.123265Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--13021d0e-8cb2-4d94-8f97-c3e8ff2437d3",
            "target_ref": "vulnerability--68a9740e-95d8-4973-aaaa-e656542eac98",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--082f9de2-8ad5-4fef-8667-2e6154818a4e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123336Z",
            "modified": "2025-04-21T14:20:07.123336Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--f98ba543-b89b-4533-b4bd-6bda268cc1ea",
            "target_ref": "vulnerability--4611b574-efed-4237-81a4-d9e238fb1ef4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--386a391e-f391-4a56-bd63-43f2a4469f51",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12341Z",
            "modified": "2025-04-21T14:20:07.12341Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--5b76f672-de71-4c9c-9d13-b8a7ae4d6b20",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--49bfd9fc-71cf-48ad-90a3-cf2fd77a8516",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123482Z",
            "modified": "2025-04-21T14:20:07.123482Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--5b76f672-de71-4c9c-9d13-b8a7ae4d6b20",
            "target_ref": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3a5e017c-d81a-463f-b1e1-540a5b05fa3a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123552Z",
            "modified": "2025-04-21T14:20:07.123552Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--5b76f672-de71-4c9c-9d13-b8a7ae4d6b20",
            "target_ref": "vulnerability--b45b01bc-d3ea-42c7-b4c7-9e37f87e86b4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--af072162-90b2-4f4c-9683-065ca4329edd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123623Z",
            "modified": "2025-04-21T14:20:07.123623Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--5b76f672-de71-4c9c-9d13-b8a7ae4d6b20",
            "target_ref": "vulnerability--55121d60-3cc2-409b-9168-7e855dbc7404",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8674bc4c-ba0d-46c8-a841-3e93f15fd119",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123693Z",
            "modified": "2025-04-21T14:20:07.123693Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b83d4f63-c6d8-4482-be54-9ce8d77c7168",
            "target_ref": "vulnerability--93670d27-5d0c-41d2-89c2-5c9b1b8dce72",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--947b91be-e184-43b2-b2a9-5c628a4d3f21",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123764Z",
            "modified": "2025-04-21T14:20:07.123764Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b83d4f63-c6d8-4482-be54-9ce8d77c7168",
            "target_ref": "vulnerability--2f38fbfc-0a74-4657-a28d-b6c24e4dc2ee",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--eb6702f4-38c6-4bb6-a801-feedf63a9bd2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123841Z",
            "modified": "2025-04-21T14:20:07.123841Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--b83d4f63-c6d8-4482-be54-9ce8d77c7168",
            "target_ref": "vulnerability--b45b01bc-d3ea-42c7-b4c7-9e37f87e86b4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--36483d9a-0494-4141-910c-0b6f1bf29646",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123913Z",
            "modified": "2025-04-21T14:20:07.123913Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--963b5636-3c18-4653-8866-012a1bbfe6e3",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--147c840e-e1d4-42d0-b37f-a1e0a42312af",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.123984Z",
            "modified": "2025-04-21T14:20:07.123984Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--963b5636-3c18-4653-8866-012a1bbfe6e3",
            "target_ref": "vulnerability--7d38e8f0-09a8-45f2-afbe-62fb6d20a1f3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--69a6dd9a-5df2-48d0-a6f6-084267a52899",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.124054Z",
            "modified": "2025-04-21T14:20:07.124054Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--963b5636-3c18-4653-8866-012a1bbfe6e3",
            "target_ref": "vulnerability--b5e980ce-bb43-43ec-802c-25907e355e99",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1d9b28df-91b3-43f9-80d3-d50653a31f4f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.124493Z",
            "modified": "2025-04-21T14:20:07.124493Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--963b5636-3c18-4653-8866-012a1bbfe6e3",
            "target_ref": "vulnerability--f099f3a2-1727-4d77-8af8-59143592e245",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--51f1a010-4a14-4769-8295-713c946f3437",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.124574Z",
            "modified": "2025-04-21T14:20:07.124574Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--963b5636-3c18-4653-8866-012a1bbfe6e3",
            "target_ref": "vulnerability--f7fb3293-88cf-4896-bbff-bc1e04a17a48",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--21980849-7f57-4991-9d7e-1c6544bda750",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.124647Z",
            "modified": "2025-04-21T14:20:07.124647Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eb00fda7-b38d-47c8-ae7c-08e6fbb7d27b",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--55369741-b1c5-4bf2-b198-98920d2860af",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.124719Z",
            "modified": "2025-04-21T14:20:07.124719Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eb00fda7-b38d-47c8-ae7c-08e6fbb7d27b",
            "target_ref": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2ef0a0e0-e977-4c45-a84e-fb14a0f03e2f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12479Z",
            "modified": "2025-04-21T14:20:07.12479Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eb00fda7-b38d-47c8-ae7c-08e6fbb7d27b",
            "target_ref": "vulnerability--9f65791a-cb28-4dde-b903-3885e40d8f64",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--11d31e02-d14b-441b-b2b2-514ebc386685",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.124862Z",
            "modified": "2025-04-21T14:20:07.124862Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eb00fda7-b38d-47c8-ae7c-08e6fbb7d27b",
            "target_ref": "vulnerability--b5e980ce-bb43-43ec-802c-25907e355e99",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9fe948cf-68df-45bd-bd76-d86772e9545a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.124939Z",
            "modified": "2025-04-21T14:20:07.124939Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eb00fda7-b38d-47c8-ae7c-08e6fbb7d27b",
            "target_ref": "vulnerability--f099f3a2-1727-4d77-8af8-59143592e245",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--945beb73-6635-49ff-bb3a-2a397b97c479",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125011Z",
            "modified": "2025-04-21T14:20:07.125011Z",
            "relationship_type": "mitigates",
            "source_ref": "course-of-action--eb00fda7-b38d-47c8-ae7c-08e6fbb7d27b",
            "target_ref": "vulnerability--f7fb3293-88cf-4896-bbff-bc1e04a17a48",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c606a8c7-6125-444a-a060-9eed02255e30",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125083Z",
            "modified": "2025-04-21T14:20:07.125083Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--3adb4c93-94f3-4225-8143-e9f1662e9890",
            "target_ref": "vulnerability--3b108539-3924-4f24-94bd-aec5f03d3551",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ed4f5112-a373-4104-a844-7e9b03684d4b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125157Z",
            "modified": "2025-04-21T14:20:07.125157Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--3adb4c93-94f3-4225-8143-e9f1662e9890",
            "target_ref": "vulnerability--dd1c369e-1979-479e-9006-be3e0b1a2557",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5689d5b9-ef2f-48d5-85b0-d78bfc6a3a0f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125228Z",
            "modified": "2025-04-21T14:20:07.125228Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--3adb4c93-94f3-4225-8143-e9f1662e9890",
            "target_ref": "vulnerability--66d49313-3f95-416c-a171-438ec0479c89",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5338e54c-3d00-453f-9176-cd604b934cf7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125303Z",
            "modified": "2025-04-21T14:20:07.125303Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--3adb4c93-94f3-4225-8143-e9f1662e9890",
            "target_ref": "vulnerability--183bbc5d-1096-4f2c-a3b8-7675b0e46704",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e3d0bc4e-57d5-43e0-9d7f-8060d0049be2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125376Z",
            "modified": "2025-04-21T14:20:07.125376Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--137cfbd1-5448-4004-80e4-c91d64b6908d",
            "target_ref": "vulnerability--74aea73e-457e-454c-ace6-a6cbe3f4d6e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0bc41f8c-3399-4f00-beaf-aae2b332fbcc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125448Z",
            "modified": "2025-04-21T14:20:07.125448Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--7ba10f14-1478-415b-92b5-48ee38b343ef",
            "target_ref": "vulnerability--780462ac-898a-4479-819a-9fba9dde8393",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a05f033c-6064-4fce-9544-3c464ec1f071",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125523Z",
            "modified": "2025-04-21T14:20:07.125523Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--bc01054b-a804-48bd-bb5a-52d5c9134a4f",
            "target_ref": "vulnerability--79090b18-13bd-4900-bcad-a3ca29c6f4f6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d829753d-d156-401a-9ee1-c3104fbbbec7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125594Z",
            "modified": "2025-04-21T14:20:07.125594Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--3639c98e-9721-47b2-b13f-1ab86857b825",
            "target_ref": "vulnerability--26ed7806-6ca2-4983-8ae3-0586fbfb6c62",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--51aa8f70-6900-41a6-bd99-95a9f4c73884",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125664Z",
            "modified": "2025-04-21T14:20:07.125664Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--7b5204f1-e1e5-48b6-be43-5d38cc64c276",
            "target_ref": "vulnerability--0816e8cd-840c-41d3-8b0b-fe20b2e68db1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e1d529a4-d070-4f06-9c22-b72c73513c35",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125735Z",
            "modified": "2025-04-21T14:20:07.125735Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--f85a5f48-65c1-46a6-9f5c-9d9349b0f4b6",
            "target_ref": "vulnerability--3a61ad59-4b69-4d43-b73d-582af56b5d76",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7e14371c-44cf-4510-9f54-a52f2bd98bb1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125807Z",
            "modified": "2025-04-21T14:20:07.125807Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--f85a5f48-65c1-46a6-9f5c-9d9349b0f4b6",
            "target_ref": "vulnerability--e23294f5-0a97-4a7d-aab9-f448f713867a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--93bcaf1b-b6ad-4d7b-96b6-7005ee3e3313",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125883Z",
            "modified": "2025-04-21T14:20:07.125883Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--b8abad02-1595-4988-ac53-c8c8074b3491",
            "target_ref": "vulnerability--a544b3fd-4edc-4fee-809f-2660d7628cdd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--6cf9afcb-076f-4bec-b01a-6eb36bb4f301",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.125958Z",
            "modified": "2025-04-21T14:20:07.125958Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--b8abad02-1595-4988-ac53-c8c8074b3491",
            "target_ref": "vulnerability--a350ee85-3253-41d4-82aa-f014100805ec",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bfc727c0-7e44-4b3f-89fb-eae875dd95f0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126029Z",
            "modified": "2025-04-21T14:20:07.126029Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--d83557da-438c-42e1-818e-f17c40749e71",
            "target_ref": "vulnerability--9b8652e5-3547-43ee-bb74-ca998b2d747c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--48f90a74-84f4-4a4a-8727-7819bc2d3ee2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126101Z",
            "modified": "2025-04-21T14:20:07.126101Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--d83557da-438c-42e1-818e-f17c40749e71",
            "target_ref": "vulnerability--b8e18644-b25e-4294-ae02-44bf44cfeaab",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a809974c-50ab-4abd-aade-2dd160344603",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126192Z",
            "modified": "2025-04-21T14:20:07.126192Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--d83557da-438c-42e1-818e-f17c40749e71",
            "target_ref": "vulnerability--45d8f340-f19f-4af0-852c-a0eec57f82f5",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ec11c675-001c-4baa-a164-9a3ef543514d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126267Z",
            "modified": "2025-04-21T14:20:07.126267Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--917b0744-5525-4770-b5d1-4a2b4beef091",
            "target_ref": "vulnerability--03c1db93-d257-45c7-a37d-1342f1247fc3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3a3850da-a607-4cce-9070-2aa0bc0c922a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126338Z",
            "modified": "2025-04-21T14:20:07.126338Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--10cde7df-03e8-4b4a-af42-b54ce7d83306",
            "target_ref": "vulnerability--4e9d683d-1400-46c3-9cb5-20cf0c3757c6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e8ae4cb7-7845-40c7-a7c0-209ef1641413",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126415Z",
            "modified": "2025-04-21T14:20:07.126415Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--19829b9d-aef5-413b-a417-00a4be77b853",
            "target_ref": "vulnerability--6f15fa94-38c1-4716-8958-c75e6194c0bf",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7ec0b3e9-c783-4f78-b961-97d1a356024b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126486Z",
            "modified": "2025-04-21T14:20:07.126486Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--19829b9d-aef5-413b-a417-00a4be77b853",
            "target_ref": "vulnerability--ed320462-9747-416e-a3f5-109ebe7ce514",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--49e5eaa4-6d78-46fd-be92-10beb8476888",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126556Z",
            "modified": "2025-04-21T14:20:07.126556Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--815ca225-8476-4fad-b768-e34a9e4f58cc",
            "target_ref": "vulnerability--81176525-91d8-4bab-b2c4-0ca288782af9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8f6a978a-f7c7-4104-9e31-9c8e146d740c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126627Z",
            "modified": "2025-04-21T14:20:07.126627Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--a9e8e3a2-9fbe-43d3-8ced-39226f4e1e0b",
            "target_ref": "vulnerability--93670d27-5d0c-41d2-89c2-5c9b1b8dce72",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--93fd20b7-6af5-4ef4-b2f4-8a6088338aba",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126697Z",
            "modified": "2025-04-21T14:20:07.126697Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--fa1c0391-b2a7-4620-8447-46cf966e45a1",
            "target_ref": "vulnerability--14a43189-d196-416d-873f-5c9c68d33d46",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b8f94095-efe3-4e0f-98dd-b9cfefeb8b1e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126768Z",
            "modified": "2025-04-21T14:20:07.126768Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--fa1c0391-b2a7-4620-8447-46cf966e45a1",
            "target_ref": "vulnerability--b45b01bc-d3ea-42c7-b4c7-9e37f87e86b4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7a23cb6a-4e64-48af-b64c-5265078a33be",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12684Z",
            "modified": "2025-04-21T14:20:07.12684Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--accec923-0fd1-47f4-ab96-edb3c09eb98f",
            "target_ref": "vulnerability--d593e53d-6046-452c-b876-917f0b0b42ca",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ff33d41f-ed65-4356-b9d9-b8109ca09579",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126913Z",
            "modified": "2025-04-21T14:20:07.126913Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--accec923-0fd1-47f4-ab96-edb3c09eb98f",
            "target_ref": "vulnerability--68ec2b84-ef87-4ee8-b14f-27310bd96240",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--97fdf460-5210-4045-85a7-1ecaff6df75b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.126985Z",
            "modified": "2025-04-21T14:20:07.126985Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--413aeec9-69ab-4a48-ac7c-1379163bb504",
            "target_ref": "vulnerability--f3280b96-b050-42e6-adb9-341ea73a2fe6",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--79889bcf-06e7-432a-b9ad-680f3eb5f18c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127055Z",
            "modified": "2025-04-21T14:20:07.127055Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--aff6155a-d857-4442-980b-8826d15e7023",
            "target_ref": "vulnerability--2f38fbfc-0a74-4657-a28d-b6c24e4dc2ee",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2ff4aa55-c35d-4d23-af32-78080e8d79be",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127126Z",
            "modified": "2025-04-21T14:20:07.127126Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--aff6155a-d857-4442-980b-8826d15e7023",
            "target_ref": "vulnerability--63a42cdd-ab9d-4c2b-b5c0-d7205a94723c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--70f4890c-4006-45e7-87c0-e729ae4f1e26",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127197Z",
            "modified": "2025-04-21T14:20:07.127197Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--71750a72-94b6-47f4-963b-1ecd0a3516ce",
            "target_ref": "vulnerability--02b33020-2f00-4eb7-8323-2281d41275fc",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--92ab97ea-a6af-461c-9fa3-d4c11cad05d6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127271Z",
            "modified": "2025-04-21T14:20:07.127271Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--21f48c54-8b40-4d82-9e08-cef9018b9134",
            "target_ref": "vulnerability--fe64d2c0-6201-4ccb-8ddc-35964d9b2200",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--017dbe8f-1ebb-48e7-9e13-b646bba6abf6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12735Z",
            "modified": "2025-04-21T14:20:07.12735Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--465d36ea-0218-4b90-9656-8da8e57e2472",
            "target_ref": "vulnerability--be1dae3a-4d6d-4842-9de6-cf5d217f0370",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3661f5aa-ca15-45e3-98b1-62e32b32c315",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127423Z",
            "modified": "2025-04-21T14:20:07.127423Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ba633348-d58e-45b6-82c8-9a78e2469777",
            "target_ref": "vulnerability--2ef9b3dd-19aa-40b0-9c4c-e2a4aef35b85",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--174bb788-32dc-403a-935b-843a54e91181",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127496Z",
            "modified": "2025-04-21T14:20:07.127496Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--2c01a6aa-7cdf-486d-af99-900294a4fe8b",
            "target_ref": "vulnerability--02b33020-2f00-4eb7-8323-2281d41275fc",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9d690bc0-50ef-4026-bc3a-c2bac3ccb784",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127567Z",
            "modified": "2025-04-21T14:20:07.127567Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--2c01a6aa-7cdf-486d-af99-900294a4fe8b",
            "target_ref": "vulnerability--1d285166-3508-48ca-a8c6-05f1117faa03",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fbacb978-6992-4e82-9ad2-81d0a9d65d80",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127638Z",
            "modified": "2025-04-21T14:20:07.127638Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--b5a35dc5-8153-4b33-a438-2274784af902",
            "target_ref": "vulnerability--435d3f7c-68fe-4c67-b952-61d5713dad36",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1f0dfd88-5e66-4804-8eea-684fe04e4d28",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127709Z",
            "modified": "2025-04-21T14:20:07.127709Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--20883961-33b9-4114-99f9-e2f3ec449708",
            "target_ref": "vulnerability--99b03309-3996-4e49-9500-1ed7a700d9cd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f9b0c7d0-7586-494d-b33b-7ad593ad5e3c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127779Z",
            "modified": "2025-04-21T14:20:07.127779Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ad05046b-119d-4b4a-b0d2-079019124339",
            "target_ref": "vulnerability--502fd094-4e5d-4cf5-a644-e224bd9f469b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--16a1b97c-948e-4f2a-b447-f25e1f2c47f7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127855Z",
            "modified": "2025-04-21T14:20:07.127855Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--5476bc8c-82ae-422e-939d-32d5f039eeb1",
            "target_ref": "vulnerability--e62bc4f1-d5c4-4714-b529-e1fc78f2991d",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--dde7ce3c-f1fd-4c36-9b3e-3072970363f2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.127926Z",
            "modified": "2025-04-21T14:20:07.127926Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--02e48419-b367-4882-bf01-23eb88acc335",
            "target_ref": "vulnerability--2f72b508-1ab5-4ae3-a3f2-63ff5e1e4a56",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fb93cc83-a620-4d09-9ca5-631cdc0a4410",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128Z",
            "modified": "2025-04-21T14:20:07.128Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--db6d37e5-9918-45f1-9328-f1ef45565f31",
            "target_ref": "vulnerability--4611b574-efed-4237-81a4-d9e238fb1ef4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--429f3e76-1722-4a5b-8449-0dfe6863a113",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12807Z",
            "modified": "2025-04-21T14:20:07.12807Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--db6d37e5-9918-45f1-9328-f1ef45565f31",
            "target_ref": "vulnerability--68a9740e-95d8-4973-aaaa-e656542eac98",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b3ae6bfb-6c65-46f2-bc2a-dd223d8263c8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128141Z",
            "modified": "2025-04-21T14:20:07.128141Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--084f8146-e126-46a7-9dc3-b01fd6f45118",
            "target_ref": "vulnerability--635d9915-c996-4044-ad11-1ce3eaec8a1c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--16c56cb3-6775-43e1-b8c8-da3d93124e5b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128212Z",
            "modified": "2025-04-21T14:20:07.128212Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "vulnerability--7db512d9-bbe1-4d46-a0fe-6cbeb7050f2f",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ba0d3e58-e65d-44cc-ba42-60ac7598484b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128285Z",
            "modified": "2025-04-21T14:20:07.128285Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "vulnerability--f04ee0a2-161f-42dd-a886-0f7cb99cb61a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2688f7b2-ea18-49ca-905f-6d157d304d7d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128355Z",
            "modified": "2025-04-21T14:20:07.128355Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "vulnerability--8b6a20c9-ae6e-4bae-9ae7-7486986a3fd0",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--371accd7-b586-4d7d-86f2-33ca0c660b53",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128426Z",
            "modified": "2025-04-21T14:20:07.128426Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "vulnerability--8b0a83f2-9988-48a7-be05-b6e17d77d19e",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--332d7854-b7c7-437a-aa8e-371479d68cf0",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12851Z",
            "modified": "2025-04-21T14:20:07.12851Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "vulnerability--79e6a926-00d3-4da4-ba37-f23ac4c28b69",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--24e6dcbf-e1ae-4019-af92-ec712772b4ef",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128581Z",
            "modified": "2025-04-21T14:20:07.128581Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "vulnerability--f5715798-c7aa-4d82-805a-1ad6308a5983",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5f7d5a58-c290-4215-8e2e-1b96e37252bc",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128652Z",
            "modified": "2025-04-21T14:20:07.128652Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "vulnerability--d48175e7-c5bd-47ff-9fe0-35cd6d54fe9c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--94a80d58-4e4e-47fb-b2cc-77e165247f53",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128729Z",
            "modified": "2025-04-21T14:20:07.128729Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--41b86b81-99c8-438c-8e3d-aea2df315048",
            "target_ref": "vulnerability--b5e980ce-bb43-43ec-802c-25907e355e99",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8f49ffdd-5403-4694-8c55-e78026fd3d7b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128807Z",
            "modified": "2025-04-21T14:20:07.128807Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--102fb091-49d4-49f7-907a-164c9518504d",
            "target_ref": "vulnerability--55121d60-3cc2-409b-9168-7e855dbc7404",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--11f0be08-615d-471d-870e-c7d71b263755",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128882Z",
            "modified": "2025-04-21T14:20:07.128882Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--7c36ce58-fc74-491c-9d87-64d46c93dedb",
            "target_ref": "vulnerability--220d9a30-c0cd-43cc-badb-98e3573cd00a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ca400693-6679-4dff-9233-f070d0a6ebcb",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.128958Z",
            "modified": "2025-04-21T14:20:07.128958Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--165dfa3a-8f68-4f14-bbeb-a7e7077b7532",
            "target_ref": "vulnerability--4d11522b-19e6-4989-aad4-bce1378ad2ad",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--43fd1a4b-3f02-4352-81b6-67d7e973406c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129029Z",
            "modified": "2025-04-21T14:20:07.129029Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--6873f6c6-609a-468f-a9d5-76a0bd106930",
            "target_ref": "vulnerability--b9173a9d-33b0-4cba-a638-450a681ff028",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1ef31e6a-3f91-41ca-ace9-81883729498a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.1291Z",
            "modified": "2025-04-21T14:20:07.1291Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--2ff2030f-ac28-4a68-8367-9e8429d7ca62",
            "target_ref": "vulnerability--bd5fb5e9-71b7-4817-acc7-349303f95aed",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--bcacc665-7730-4e7e-8a11-41a337951f5b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.12917Z",
            "modified": "2025-04-21T14:20:07.12917Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--84b99f68-0464-4bdb-9618-8f5d5ee8218d",
            "target_ref": "vulnerability--9f65791a-cb28-4dde-b903-3885e40d8f64",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4ca093ee-76c2-466c-bbf5-bdf97712d03b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129242Z",
            "modified": "2025-04-21T14:20:07.129242Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--c485cdcf-061d-4959-bd84-b5e917755121",
            "target_ref": "vulnerability--c98bbe9f-e478-40d5-b585-cc1bc83c8105",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2c781bcd-88d8-4372-bf5c-08843dd57f55",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129318Z",
            "modified": "2025-04-21T14:20:07.129318Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--c485cdcf-061d-4959-bd84-b5e917755121",
            "target_ref": "vulnerability--1f94d3f8-d111-463e-afe3-1779ea76b7dd",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e135d4b5-95f0-4144-b83a-364f0bbda451",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129388Z",
            "modified": "2025-04-21T14:20:07.129388Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--c485cdcf-061d-4959-bd84-b5e917755121",
            "target_ref": "vulnerability--7d38e8f0-09a8-45f2-afbe-62fb6d20a1f3",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c588bf0a-3da9-4d23-a7a7-12b014388e34",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129459Z",
            "modified": "2025-04-21T14:20:07.129459Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--2977754e-3e27-4961-9e81-0e4dec4a5dda",
            "target_ref": "vulnerability--6317d395-281c-4677-b1a3-33e588cde84a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f09b64d1-4cb2-431b-a9f1-3021a8e9273f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129534Z",
            "modified": "2025-04-21T14:20:07.129534Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "target_ref": "vulnerability--e5f90347-e6a0-412e-ab54-18aa1185ef09",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8a71c6c6-46f4-49fd-b043-38008d8dd372",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129604Z",
            "modified": "2025-04-21T14:20:07.129604Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "target_ref": "vulnerability--85204183-21e8-44d9-bd71-a7928eb8736f",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a87a6046-52af-4a9b-b92f-9d18ca7e92f9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129675Z",
            "modified": "2025-04-21T14:20:07.129675Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "target_ref": "vulnerability--aa091fdb-adaa-4e89-a8c3-c40784fb73a1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a9c5b3ed-c2e1-4336-a4e9-435a9622de33",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129745Z",
            "modified": "2025-04-21T14:20:07.129745Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "target_ref": "vulnerability--dda83adc-ea39-4e82-92e8-5022dff4d58a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--6aea3ef0-fa3b-4440-b9a7-8dcc8cd93575",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129816Z",
            "modified": "2025-04-21T14:20:07.129816Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--5af30150-0e78-40d0-b8f3-7b0f593e02ad",
            "target_ref": "vulnerability--825299f4-1bab-4682-82ba-450bfb7641d1",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9f06585e-86a3-458c-8355-851fca89c657",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129886Z",
            "modified": "2025-04-21T14:20:07.129886Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--5af30150-0e78-40d0-b8f3-7b0f593e02ad",
            "target_ref": "vulnerability--9ee0cfb0-5e71-47be-8576-de8802eb6b7e",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f99ef594-288c-4c67-b5d0-61d0a41dac67",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.129956Z",
            "modified": "2025-04-21T14:20:07.129956Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--5af30150-0e78-40d0-b8f3-7b0f593e02ad",
            "target_ref": "vulnerability--9367d60b-3ef6-4d2a-8da3-71ffd9ea2418",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b1cc5200-cc43-46f4-9bd3-1e3d6ea8277f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130052Z",
            "modified": "2025-04-21T14:20:07.130052Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--8ee39f7b-bcd8-40c4-b51c-8d76b1d06fcc",
            "target_ref": "vulnerability--6f00418f-9859-4fce-966f-ffa7a4913525",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8f740690-bacb-4e3e-b5c7-5fcce930dd38",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130125Z",
            "modified": "2025-04-21T14:20:07.130125Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--8ee39f7b-bcd8-40c4-b51c-8d76b1d06fcc",
            "target_ref": "vulnerability--13394383-1d88-4ee4-b2b9-0f26fc03a657",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--7f459216-8f4d-45d0-abe8-e66b6f5221e3",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130196Z",
            "modified": "2025-04-21T14:20:07.130196Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--8ee39f7b-bcd8-40c4-b51c-8d76b1d06fcc",
            "target_ref": "vulnerability--d0ee8c9b-3b69-450d-897c-f1cb463bcb47",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2dfba47e-61c6-4cf7-8f6c-c3dd0bab3968",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130266Z",
            "modified": "2025-04-21T14:20:07.130266Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--8ee39f7b-bcd8-40c4-b51c-8d76b1d06fcc",
            "target_ref": "vulnerability--1d285166-3508-48ca-a8c6-05f1117faa03",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--569287c6-7067-445c-8831-e4b1c68ff2a2",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130337Z",
            "modified": "2025-04-21T14:20:07.130337Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--8ee39f7b-bcd8-40c4-b51c-8d76b1d06fcc",
            "target_ref": "vulnerability--7da95ae6-55cf-4cdc-ae5a-da0f86688cfb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fe1ec3c9-a4ee-42bd-9773-8282ad72162c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130414Z",
            "modified": "2025-04-21T14:20:07.130414Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--bf4c9847-ef34-4382-8def-3ec5273ae5de",
            "target_ref": "vulnerability--4611b574-efed-4237-81a4-d9e238fb1ef4",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e38ae8c9-3d95-4cfb-84cd-6622d38e5858",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130484Z",
            "modified": "2025-04-21T14:20:07.130484Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--bf4c9847-ef34-4382-8def-3ec5273ae5de",
            "target_ref": "vulnerability--68a9740e-95d8-4973-aaaa-e656542eac98",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--19f98f2a-3981-4c36-a25d-8cb6af596107",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130555Z",
            "modified": "2025-04-21T14:20:07.130555Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "target_ref": "vulnerability--643c0c24-0b99-4dc4-9de2-b6d5a30334d9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a92e6602-1dcf-4588-9666-cc7f77a59c53",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130625Z",
            "modified": "2025-04-21T14:20:07.130625Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "target_ref": "vulnerability--6317d395-281c-4677-b1a3-33e588cde84a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--da1781ec-13c1-4766-a330-caf9c16215d5",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130696Z",
            "modified": "2025-04-21T14:20:07.130696Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "target_ref": "vulnerability--74b33ffa-a184-4f82-9ba6-1c9e36a48d0a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3ec562b6-4d45-49f9-be8d-3abf5bcefa4a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130769Z",
            "modified": "2025-04-21T14:20:07.130769Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "target_ref": "vulnerability--f099f3a2-1727-4d77-8af8-59143592e245",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--47402e4b-adca-476a-aae3-23138edc007d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.13084Z",
            "modified": "2025-04-21T14:20:07.13084Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "target_ref": "vulnerability--f7fb3293-88cf-4896-bbff-bc1e04a17a48",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9741e71d-9745-4612-af51-e3712978e216",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.13091Z",
            "modified": "2025-04-21T14:20:07.13091Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "target_ref": "vulnerability--027d72fa-4254-45ac-b2b0-c90578336f92",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--09499b6a-81b7-441f-b19b-8b0fd46c05be",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.130981Z",
            "modified": "2025-04-21T14:20:07.130981Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--81a41f54-32ce-43fe-aa92-fd364722a028",
            "target_ref": "vulnerability--20e1c1fe-e1de-4a80-a22e-3184f9484736",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a6c97618-2746-4de3-ae66-03fadbbecb49",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131052Z",
            "modified": "2025-04-21T14:20:07.131052Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--f9ef47ac-0b44-498e-b15d-370fdfd65b9d",
            "target_ref": "vulnerability--0a7390e5-fb6a-4f05-84dd-1cce5466d1de",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--33046082-bebe-45a8-b0b1-f2a13a1059e6",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131122Z",
            "modified": "2025-04-21T14:20:07.131122Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "target_ref": "vulnerability--c8299e63-c1ee-4bbc-8486-2e7b5a5d1cad",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--efb8d500-8f7f-4eb5-8c2f-856e95d5dbb7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131193Z",
            "modified": "2025-04-21T14:20:07.131193Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "target_ref": "vulnerability--6f00418f-9859-4fce-966f-ffa7a4913525",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--eabc9041-7c8a-43ac-88de-c855b48ebcc8",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131263Z",
            "modified": "2025-04-21T14:20:07.131263Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "target_ref": "vulnerability--13394383-1d88-4ee4-b2b9-0f26fc03a657",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--fd6f2bca-c2ca-4acb-9831-8c60f62b9620",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131334Z",
            "modified": "2025-04-21T14:20:07.131334Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "target_ref": "vulnerability--d0ee8c9b-3b69-450d-897c-f1cb463bcb47",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--23866ba8-81a4-4dbf-a5b9-00188d37aa8b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131405Z",
            "modified": "2025-04-21T14:20:07.131405Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "target_ref": "vulnerability--a71049a8-bfe9-47cf-a645-2b3d04cd3bdb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--39f66e14-03a3-4d29-b3a6-caa12f7afe95",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131479Z",
            "modified": "2025-04-21T14:20:07.131479Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "target_ref": "vulnerability--7da95ae6-55cf-4cdc-ae5a-da0f86688cfb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2c35ac11-fcfb-43aa-a814-fde093a33e8b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131549Z",
            "modified": "2025-04-21T14:20:07.131549Z",
            "relationship_type": "relates-to",
            "source_ref": "x-mitre-emb3d-property--96b75bc0-f81a-439c-b3b7-e48bb4bca882",
            "target_ref": "vulnerability--d15cb2c2-6c8d-4864-8813-21ccab54ede2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3a911f3b-8ae7-4a38-a89e-860de1d45fdd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131621Z",
            "modified": "2025-04-21T14:20:07.131621Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--137cfbd1-5448-4004-80e4-c91d64b6908d",
            "target_ref": "x-mitre-emb3d-property--90355a0d-2436-492a-b12d-d6ff225e147b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e20f2e91-54c4-4d06-9943-323217d55ef9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131693Z",
            "modified": "2025-04-21T14:20:07.131693Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--7ba10f14-1478-415b-92b5-48ee38b343ef",
            "target_ref": "x-mitre-emb3d-property--90355a0d-2436-492a-b12d-d6ff225e147b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--5203842f-44ae-4070-b1e5-aee032b7db0f",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131764Z",
            "modified": "2025-04-21T14:20:07.131764Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--bc01054b-a804-48bd-bb5a-52d5c9134a4f",
            "target_ref": "x-mitre-emb3d-property--90355a0d-2436-492a-b12d-d6ff225e147b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--17ce168b-2853-4352-9a70-88bfa0354088",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131839Z",
            "modified": "2025-04-21T14:20:07.131839Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--3639c98e-9721-47b2-b13f-1ab86857b825",
            "target_ref": "x-mitre-emb3d-property--90355a0d-2436-492a-b12d-d6ff225e147b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9f5660fe-91a6-4275-9d09-ab3bdf3dc331",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.131909Z",
            "modified": "2025-04-21T14:20:07.131909Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--7b5204f1-e1e5-48b6-be43-5d38cc64c276",
            "target_ref": "x-mitre-emb3d-property--3639c98e-9721-47b2-b13f-1ab86857b825",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--08761f2f-c74e-48f2-85ea-4b7d27ef03e5",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.13198Z",
            "modified": "2025-04-21T14:20:07.13198Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--815ca225-8476-4fad-b768-e34a9e4f58cc",
            "target_ref": "x-mitre-emb3d-property--19829b9d-aef5-413b-a417-00a4be77b853",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b5b11794-f0bc-477e-8fb2-5ad8ad3548fd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132051Z",
            "modified": "2025-04-21T14:20:07.132051Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--998a734a-dd67-4b2d-9ed6-db3ddc4c8dbe",
            "target_ref": "x-mitre-emb3d-property--19829b9d-aef5-413b-a417-00a4be77b853",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1e1f31fe-fe57-4a30-84fc-bf85bd1085fa",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132121Z",
            "modified": "2025-04-21T14:20:07.132121Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--a9e8e3a2-9fbe-43d3-8ced-39226f4e1e0b",
            "target_ref": "x-mitre-emb3d-property--998a734a-dd67-4b2d-9ed6-db3ddc4c8dbe",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--636c4430-8131-4d01-8387-0f0e35d06c01",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132198Z",
            "modified": "2025-04-21T14:20:07.132198Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--5839bf34-03de-47df-976f-fb4114ac48e7",
            "target_ref": "x-mitre-emb3d-property--998a734a-dd67-4b2d-9ed6-db3ddc4c8dbe",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--dfbff02f-50f6-4b02-98dd-c86d48b21c4a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132268Z",
            "modified": "2025-04-21T14:20:07.132268Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--fa1c0391-b2a7-4620-8447-46cf966e45a1",
            "target_ref": "x-mitre-emb3d-property--5839bf34-03de-47df-976f-fb4114ac48e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--8d51d70f-1de5-400f-8aac-90823d334862",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132339Z",
            "modified": "2025-04-21T14:20:07.132339Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--accec923-0fd1-47f4-ab96-edb3c09eb98f",
            "target_ref": "x-mitre-emb3d-property--5839bf34-03de-47df-976f-fb4114ac48e7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--36840985-cbc5-43bc-88e5-b4ab00e6f06b",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.13241Z",
            "modified": "2025-04-21T14:20:07.13241Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--413aeec9-69ab-4a48-ac7c-1379163bb504",
            "target_ref": "x-mitre-emb3d-property--b411bc9c-a8ed-4798-9fb3-59e8c48186e2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--64c9bae5-671d-4b60-91c9-b5a179f9d0ba",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132483Z",
            "modified": "2025-04-21T14:20:07.132483Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--aff6155a-d857-4442-980b-8826d15e7023",
            "target_ref": "x-mitre-emb3d-property--b411bc9c-a8ed-4798-9fb3-59e8c48186e2",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0e6820bf-bc61-4c72-83f7-ee8061aa5c6e",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132555Z",
            "modified": "2025-04-21T14:20:07.132555Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--71750a72-94b6-47f4-963b-1ecd0a3516ce",
            "target_ref": "x-mitre-emb3d-property--8baa050c-e523-4e31-9a64-583e29dc6c91",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e8818b78-e565-469b-803c-68081cb86ebd",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132626Z",
            "modified": "2025-04-21T14:20:07.132626Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--21f48c54-8b40-4d82-9e08-cef9018b9134",
            "target_ref": "x-mitre-emb3d-property--8baa050c-e523-4e31-9a64-583e29dc6c91",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--4406ab80-4a07-4314-b5b2-70b443a7553a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132697Z",
            "modified": "2025-04-21T14:20:07.132697Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--ba633348-d58e-45b6-82c8-9a78e2469777",
            "target_ref": "x-mitre-emb3d-property--48538012-7cc5-49c0-bdee-757b53654a81",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--921ab1e1-9b6c-44f2-ac50-64776a01ec63",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132767Z",
            "modified": "2025-04-21T14:20:07.132767Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--2c01a6aa-7cdf-486d-af99-900294a4fe8b",
            "target_ref": "x-mitre-emb3d-property--48538012-7cc5-49c0-bdee-757b53654a81",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--f98de099-0221-4b22-bf1c-5c7dfdd579ff",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132837Z",
            "modified": "2025-04-21T14:20:07.132837Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--ad05046b-119d-4b4a-b0d2-079019124339",
            "target_ref": "x-mitre-emb3d-property--48538012-7cc5-49c0-bdee-757b53654a81",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b9904682-5ac8-4daa-8c64-d7fc3fda6cff",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132908Z",
            "modified": "2025-04-21T14:20:07.132908Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--5476bc8c-82ae-422e-939d-32d5f039eeb1",
            "target_ref": "x-mitre-emb3d-property--48538012-7cc5-49c0-bdee-757b53654a81",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--d460bb9f-24af-4d94-9678-dce0765c7461",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.132977Z",
            "modified": "2025-04-21T14:20:07.132977Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--02e48419-b367-4882-bf01-23eb88acc335",
            "target_ref": "x-mitre-emb3d-property--48538012-7cc5-49c0-bdee-757b53654a81",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--cb7916d3-b8a2-4813-9e37-39fb284a7164",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133048Z",
            "modified": "2025-04-21T14:20:07.133048Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--b5a35dc5-8153-4b33-a438-2274784af902",
            "target_ref": "x-mitre-emb3d-property--2c01a6aa-7cdf-486d-af99-900294a4fe8b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ab0b69f9-e6c8-4dec-a96e-f7a2b8905da1",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133119Z",
            "modified": "2025-04-21T14:20:07.133119Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--20883961-33b9-4114-99f9-e2f3ec449708",
            "target_ref": "x-mitre-emb3d-property--2c01a6aa-7cdf-486d-af99-900294a4fe8b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--2a5d2c64-0e19-4f5d-a8a3-3420dcd8a8b7",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133189Z",
            "modified": "2025-04-21T14:20:07.133189Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--ff04daa5-5d69-43ed-9a62-de2169766412",
            "target_ref": "x-mitre-emb3d-property--084f8146-e126-46a7-9dc3-b01fd6f45118",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--9eeb171b-b008-4ed7-a8fa-39b483e42b85",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133261Z",
            "modified": "2025-04-21T14:20:07.133261Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--814af71a-dfa8-4434-bef2-99df781b154a",
            "target_ref": "x-mitre-emb3d-property--084f8146-e126-46a7-9dc3-b01fd6f45118",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--887d0f8a-bb2e-4210-ac43-feae73290d11",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133332Z",
            "modified": "2025-04-21T14:20:07.133332Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--41b86b81-99c8-438c-8e3d-aea2df315048",
            "target_ref": "x-mitre-emb3d-property--814af71a-dfa8-4434-bef2-99df781b154a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--3ca14ea5-dfe2-48ef-99c5-b7d101a834b9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133402Z",
            "modified": "2025-04-21T14:20:07.133402Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--102fb091-49d4-49f7-907a-164c9518504d",
            "target_ref": "x-mitre-emb3d-property--814af71a-dfa8-4434-bef2-99df781b154a",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--a4120dca-5513-4a25-99e9-c5b689edc6d4",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133473Z",
            "modified": "2025-04-21T14:20:07.133473Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--165dfa3a-8f68-4f14-bbeb-a7e7077b7532",
            "target_ref": "x-mitre-emb3d-property--7c36ce58-fc74-491c-9d87-64d46c93dedb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--11a3c7f5-6acc-4402-b6f7-1f6241416065",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133544Z",
            "modified": "2025-04-21T14:20:07.133544Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--6873f6c6-609a-468f-a9d5-76a0bd106930",
            "target_ref": "x-mitre-emb3d-property--7c36ce58-fc74-491c-9d87-64d46c93dedb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--0318dd8e-eca0-4e24-bd90-307cd05305fe",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133622Z",
            "modified": "2025-04-21T14:20:07.133622Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--d6b1247b-c6a3-4ac6-8883-541da9a7dcc7",
            "target_ref": "x-mitre-emb3d-property--7c36ce58-fc74-491c-9d87-64d46c93dedb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b15ad751-1803-4574-b547-e460c9e4a484",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133693Z",
            "modified": "2025-04-21T14:20:07.133693Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--c485cdcf-061d-4959-bd84-b5e917755121",
            "target_ref": "x-mitre-emb3d-property--7c36ce58-fc74-491c-9d87-64d46c93dedb",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--e7e7914f-bde6-45ef-8adf-1ba56968bd57",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133764Z",
            "modified": "2025-04-21T14:20:07.133764Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--2ff2030f-ac28-4a68-8367-9e8429d7ca62",
            "target_ref": "x-mitre-emb3d-property--d6b1247b-c6a3-4ac6-8883-541da9a7dcc7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b4048079-4234-4029-9188-33101de9280a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.13384Z",
            "modified": "2025-04-21T14:20:07.13384Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--84b99f68-0464-4bdb-9618-8f5d5ee8218d",
            "target_ref": "x-mitre-emb3d-property--d6b1247b-c6a3-4ac6-8883-541da9a7dcc7",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--70e163d5-fe66-4a31-b5a3-872115b6054c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.13391Z",
            "modified": "2025-04-21T14:20:07.13391Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--2977754e-3e27-4961-9e81-0e4dec4a5dda",
            "target_ref": "x-mitre-emb3d-property--e810ca8f-47e2-4841-922b-678ffa47862c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--aaf5ffef-35a3-46e3-957b-746f45fa1f37",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.133981Z",
            "modified": "2025-04-21T14:20:07.133981Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "target_ref": "x-mitre-emb3d-property--e810ca8f-47e2-4841-922b-678ffa47862c",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--1dc16a5b-836a-43f1-8c3b-8702c3a92e8d",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.134051Z",
            "modified": "2025-04-21T14:20:07.134051Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--5af30150-0e78-40d0-b8f3-7b0f593e02ad",
            "target_ref": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c147dc90-1341-4156-8128-7f2f0e98e48c",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.134121Z",
            "modified": "2025-04-21T14:20:07.134121Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--8ee39f7b-bcd8-40c4-b51c-8d76b1d06fcc",
            "target_ref": "x-mitre-emb3d-property--6c135502-9799-4c53-bb83-aa21407de25d",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ce00d654-3188-42e1-8b9f-f5ab9b885be9",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.134192Z",
            "modified": "2025-04-21T14:20:07.134192Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--3d09f49f-e07a-4bc5-9d96-6c26252103e9",
            "target_ref": "x-mitre-emb3d-property--721faa3b-524d-4764-b65d-f629b9600e1b",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--c20c0745-5d6a-492b-a693-712c9cb6634a",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.134262Z",
            "modified": "2025-04-21T14:20:07.134262Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--81a41f54-32ce-43fe-aa92-fd364722a028",
            "target_ref": "x-mitre-emb3d-property--3d09f49f-e07a-4bc5-9d96-6c26252103e9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--ce515a1a-e8d6-4477-897b-aeb555ec3c61",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.134332Z",
            "modified": "2025-04-21T14:20:07.134332Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--f9ef47ac-0b44-498e-b15d-370fdfd65b9d",
            "target_ref": "x-mitre-emb3d-property--3d09f49f-e07a-4bc5-9d96-6c26252103e9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--b64d3da2-19f4-4b15-b496-d7d7adc0a5ee",
            "created_by_ref": "identity--e7f3c348-d7b4-411e-8e38-a0b2487230b0",
            "created": "2025-04-21T14:20:07.134402Z",
            "modified": "2025-04-21T14:20:07.134402Z",
            "relationship_type": "subproperty-of",
            "source_ref": "x-mitre-emb3d-property--1e982e94-87f8-4889-891d-e1c518ae7c69",
            "target_ref": "x-mitre-emb3d-property--3d09f49f-e07a-4bc5-9d96-6c26252103e9",
            "x_mitre_emb3d_spec_version": "1.0",
            "x_mitre_emb3d_version": "1.0"
        }
    ]
}