VNX-1324 – DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface

Overview

CWE-1324 is a deprecated CWE entry; it duplicated CWE-1191 (On-Chip Debug and Test Interface With Improper Access Control) and was retired in favour of it. It originally described hardware debug interfaces (JTAG, SWD, UART debug consoles) left enabled in production devices, which let anyone with physical access extract firmware, read memory, or bypass security controls such as secure boot. For software projects this rule flags firmware-level code patterns that configure or enable such debug interfaces.

Severity: Low | CWE: CWE-1324 – Sensitive Information Accessible by Physical Probing of JTAG Interface (Deprecated; see CWE-1191)

Why This Matters

While deprecated as a standalone CWE, the underlying weakness — debug interfaces left enabled in production — remains highly relevant for IoT and embedded systems. Hardware security researchers routinely use exposed JTAG/SWD interfaces to extract firmware, read secret keys from flash memory, and bypass secure boot. This has affected consumer routers, smart TVs, automotive ECUs, and industrial controllers.

What Gets Flagged

// FLAGGED: JTAG enable in firmware (project-specific configuration symbol)
JTAG_ENABLE = 1;

// FLAGGED: Debug mode configuration
DBG_ENABLE = true;
// STM32 DBGMCU: keep the debug connection alive while the core is in Sleep mode
DBGMCU->CR |= DBGMCU_CR_DBG_SLEEP;

// FLAGGED: CoreDebug access. Cortex-M DHCSR: DBGKEY 0xA05F in the upper
// half-word, C_DEBUGEN in bit 0. C_DEBUGEN is writable only through the
// debug access port and a write from firmware is ignored, so this line is
// flagged for the intent it documents, not because it opens the port by itself
CoreDebug->DHCSR = 0xA05F0001;  // Enable debug

Remediation

For production firmware builds:

  1. Disable JTAG/SWD via the device's one-time configuration (option bytes on STM32, where readout protection level 2 permanently disables the debug port; lock bits and the JTAGEN fuse on AVR; the equivalent security fuses on other parts). This is the only control that holds against an attacker with a debugger, because it is enforced by the silicon rather than by firmware.

  2. Use build flags to conditionally compile out debug code:

#ifdef PRODUCTION_BUILD
    // Stop peripherals (timers, watchdogs) from freezing while the core is
    // halted; these freeze registers do not disable the debug port itself
    DBGMCU->APB1FZ = 0;
    DBGMCU->APB2FZ = 0;
    // Clear C_DEBUGEN. On Cortex-M this bit is writable only via the debug
    // access port, so a write from firmware is ignored: treat this as
    // documentation of intent, not as a lock
    CoreDebug->DHCSR = 0xA05F0000;
#endif

     Compiling out debug code removes debug output, debug-only commands and the DBGMCU settings above; it does not close the SWD/JTAG port, which is why step 1 is mandatory.

  3. Burn the JTAG disable fuse (or set the equivalent irreversible option bytes) during manufacturing for devices that must not be debugged in the field. Verify on a sample unit that a debugger can no longer attach, including with connect-under-reset.

  4. Use a CI build pipeline that enforces PRODUCTION_BUILD is set for release artifacts and refuses to sign or publish an artifact built without it.
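The following is an added example, not code from the rule catalog or from any vendor SDK, of how steps 1 to 4 fit together in firmware: a boot-time guard that, in a PRODUCTION_BUILD, checks whether the irreversible lock is already in place and applies it on the first boot after manufacturing. It assumes the STM32F4-family FLASH option-byte interface (FLASH_OPTCR with the RDP byte in bits 15:8, FLASH_OPTKEYR unlock keys 0x08192A3B and 0x4C5D6E7F, RDP level 2 encoded as 0xCC); the register block is modelled as a plain struct so the logic can be exercised on a host, and the `flash_regs_t` layout, `production_debug_guard` hook and the sample register state are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: STM32F4-family FLASH option-byte interface. The register block
 * is modelled as an ordinary struct so the logic can run on a host; on the
 * target, point `flash` at the FLASH peripheral base address instead. */
typedef struct {
    volatile uint32_t KEYR;     /* flash control unlock key (unused here) */
    volatile uint32_t OPTKEYR;  /* option-byte unlock key register */
    volatile uint32_t SR;       /* status register, BSY in bit 16 */
    volatile uint32_t CR;       /* flash control register (unused here) */
    volatile uint32_t OPTCR;    /* option control register: RDP in bits 15:8 */
} flash_regs_t;

#define OPTCR_OPTLOCK   (1u << 0)   /* 1: option bytes locked against writes */
#define OPTCR_OPTSTRT   (1u << 1)   /* write 1 to start option-byte programming */
#define OPTCR_RDP_SHIFT 8u
#define OPTCR_RDP_MASK  (0xFFu << OPTCR_RDP_SHIFT)
#define FLASH_SR_BSY    (1u << 16)

#define RDP_LEVEL0_KEY  0xAAu       /* no readout protection: debug fully open */
#define RDP_LEVEL2_KEY  0xCCu       /* permanent lock: debug port and option bytes disabled */
#define OPTKEY1         0x08192A3Bu /* option-byte unlock sequence, first key */
#define OPTKEY2         0x4C5D6E7Fu /* second key */

enum rdp_level { RDP_LEVEL_0 = 0, RDP_LEVEL_1 = 1, RDP_LEVEL_2 = 2 };

/* Decode the RDP field: 0xAA is level 0, 0xCC is level 2, every other value
 * is level 1 (flash unreadable from the debugger, but still reversible). */
enum rdp_level rdp_level_of(uint32_t optcr)
{
    uint32_t rdp = (optcr & OPTCR_RDP_MASK) >> OPTCR_RDP_SHIFT;
    if (rdp == RDP_LEVEL0_KEY) return RDP_LEVEL_0;
    if (rdp == RDP_LEVEL2_KEY) return RDP_LEVEL_2;
    return RDP_LEVEL_1;
}

/* True only when the irreversible lock is already in place. */
bool debug_port_is_locked(const flash_regs_t *flash)
{
    return rdp_level_of(flash->OPTCR) == RDP_LEVEL_2;
}

/* Program RDP level 2. Irreversible: once applied, no debugger can attach and
 * the option bytes can never be changed again, so only call this from a build
 * that is meant to ship. Returns true if the device ends up locked. */
bool lock_debug_port_permanently(flash_regs_t *flash)
{
    if (debug_port_is_locked(flash))
        return true;                          /* already done on an earlier boot */

    if (flash->OPTCR & OPTCR_OPTLOCK) {       /* unlock the option bytes */
        flash->OPTKEYR = OPTKEY1;
        flash->OPTKEYR = OPTKEY2;
        if (flash->OPTCR & OPTCR_OPTLOCK)
            return false;                     /* unlock refused; caller must fail loudly */
    }

    while (flash->SR & FLASH_SR_BSY) { }      /* wait for any pending flash operation */

    uint32_t optcr = flash->OPTCR & ~OPTCR_RDP_MASK;
    optcr |= RDP_LEVEL2_KEY << OPTCR_RDP_SHIFT;
    flash->OPTCR = optcr;                     /* stage the new RDP byte */
    flash->OPTCR |= OPTCR_OPTSTRT;            /* commit it to the option bytes */

    while (flash->SR & FLASH_SR_BSY) { }

    return debug_port_is_locked(flash);
}

/* Hypothetical early-boot hook. In a PRODUCTION_BUILD the firmware refuses to
 * proceed with an open debug port: it applies the lock (first boot after
 * manufacturing) or reports failure so the unit is rejected in test. */
bool production_debug_guard(flash_regs_t *flash)
{
#ifdef PRODUCTION_BUILD
    return lock_debug_port_permanently(flash);
#else
    (void)flash;
    return true;                              /* development builds keep SWD/JTAG usable */
#endif
}

int main(void)
{
    /* Constructed sample: a fresh part at RDP level 0 with option bytes unlocked. */
    flash_regs_t sim = { 0, 0, 0, 0, RDP_LEVEL0_KEY << OPTCR_RDP_SHIFT };
    printf("before: RDP level %d\n", (int)rdp_level_of(sim.OPTCR));
    bool ok = lock_debug_port_permanently(&sim);
    printf("after:  RDP level %d, locked=%s\n", (int)rdp_level_of(sim.OPTCR), ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Two design points. First, the guard is idempotent: a part that was already locked on the production line returns true without touching flash, so the same binary serves both first-boot provisioning and every later boot. Second, the guard returns a result instead of silently continuing, because a production unit whose lock could not be applied should be caught in factory test rather than shipped with SWD open; the host-side simulation models only the register values, not the hardware unlock sequence, so on the target the OPTKEYR writes are what clears OPTLOCK.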

References