Description
The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.
By design, some cryptographic primitives (such as block ciphers) require that IVs must have certain properties for the uniqueness and/or unpredictability of an IV. Primitives may vary in how important these properties are. If these properties are not maintained, e.g. by a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.
Potential Impact
Confidentiality
Read Application Data
Demonstrative Examples
EVP_CIPHER_CTX ctx;char key[EVP_MAX_KEY_LENGTH];char iv[EVP_MAX_IV_LENGTH];RAND_bytes(key, b);memset(iv,0,EVP_MAX_IV_LENGTH);EVP_EncryptInit(&ctx,EVP_bf_cbc(), key,iv);public class SymmetricCipherTest {
public static void main() {
byte[] text ="Secret".getBytes();byte[] iv ={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};KeyGenerator kg = KeyGenerator.getInstance("DES");kg.init(56);SecretKey key = kg.generateKey();Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");IvParameterSpec ips = new IvParameterSpec(iv);cipher.init(Cipher.ENCRYPT_MODE, key, ips);return cipher.doFinal(inpBytes);
}
}Mitigations & Prevention
Different cipher modes have different requirements for their IVs. When choosing and implementing a mode, it is important to understand those requirements in order to keep security guarantees intact. Generally, it is safest to generate a random IV, since it will be both unpredictable and have a very low chance of being non-unique. IVs do not have to be kept secret, so if generating duplicate IVs is a concern, a list of a
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2020-1472 | ZeroLogon vulnerability - use of a static IV of all zeroes in AES-CFB8 mode |
| CVE-2011-3389 | BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack. |
| CVE-2001-0161 | wireless router does not use 6 of the 24 bits for WEP encryption, making it easier for attackers to decrypt traffic |
| CVE-2001-0160 | WEP card generates predictable IV values, making it easier for attackers to decrypt traffic |
| CVE-2017-3225 | device bootloader uses a zero initialization vector during AES-CBC |
| CVE-2016-6485 | crypto framework uses PHP rand function - which is not cryptographically secure - for an initialization vector |
| CVE-2014-5386 | encryption routine does not seed the random number generator, causing the same initialization vector to be generated repeatedly |
| CVE-2020-5408 | encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality |
| CVE-2017-17704 | messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart |
| CVE-2017-11133 | application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong. |
| CVE-2007-3528 | Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV va |
Related Weaknesses
Frequently Asked Questions
What is CWE-1204?
CWE-1204 (Generation of Weak Initialization Vector (IV)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected...
How can CWE-1204 be exploited?
Attackers can exploit CWE-1204 (Generation of Weak Initialization Vector (IV)) to read application data. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-1204?
Key mitigations include: Different cipher modes have different requirements for their IVs. When choosing and implementing a mode, it is important to understand those requirements in order to keep
What is the severity of CWE-1204?
CWE-1204 is classified as a Base-level weakness (Medium abstraction). It has been observed in 11 real-world CVEs.