CWE-321: Use of Hard-coded Cryptographic Key

Description

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Example Vulnerable Codes

Example - 1

The following code examples attempt to verify a password using a hard-coded cryptographic key.


printf("Incorrect Password!\n");return(0);
if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) {}printf("Entering Diagnostic Mode...\n");return(1);int VerifyAdmin(char *password) {}

System.out.println("Entering Diagnostic Mode...");return true;
if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {}System.out.println("Incorrect Password!");return false;public boolean VerifyAdmin(String password) {

Console.WriteLine("Entering Diagnostic Mode...");return(1);
if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {}Console.WriteLine("Incorrect Password!");return(0);int VerifyAdmin(String password) {}

The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.

Example - 2

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors used hard-coded keys for critical functionality in their OT products.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 16, 2024 19:32