Description
The product uses a hard-coded, unchangeable cryptographic key.
Potential Impact
Access Control
Bypass Protection Mechanism, Gain Privileges or Assume Identity, Read Application Data
Demonstrative Examples
```c
#include <stdio.h>
#include <string.h>

/* The expected secret is compiled into the binary: anyone holding the
   binary can recover it, and it cannot be rotated without a rebuild. */
int VerifyAdmin(char *password) {
    if (strcmp(password, "68af404b513073584c4b6f22b6c63e6b")) {
        printf("Incorrect Password!\n");
        return(0);
    }
    printf("Entering Diagnostic Mode...\n");
    return(1);
}
```

```java
// Same weakness in Java: the secret is a string literal in the class file.
public boolean VerifyAdmin(String password) {
    if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
        System.out.println("Entering Diagnostic Mode...");
        return true;
    }
    System.out.println("Incorrect Password!");
    return false;
}
```

```csharp
// Same weakness in C#: the secret is recoverable from the assembly.
int VerifyAdmin(String password) {
    if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {
        Console.WriteLine("Entering Diagnostic Mode...");
        return(1);
    }
    Console.WriteLine("Incorrect Password!");
    return(0);
}
```
Mitigations & Prevention
Prevention schemes mirror those for hard-coded password storage.
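As an added illustration of that mitigation (example code, not from CWE or any vendor), this hardened counterpart to the VerifyAdmin function above obtains the expected secret at runtime from an environment variable (the name DIAG_KEY is an assumption), refuses access when none is configured rather than falling back to a built-in value, and compares in constant time so the check does not leak where the mismatch occurs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_MAX 128

/* Constant-time comparison: running time depends only on the lengths,
   never on the position of the first differing byte. Returns 1 if equal. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    size_t n = la < lb ? la : lb;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Load the secret from the environment (DIAG_KEY is an assumed name) into buf.
   Returns 1 on success, 0 if it is unset, empty, or too long. There is
   deliberately no compiled-in default to fall back to. */
int load_admin_key(char *buf, size_t buflen) {
    const char *v = getenv("DIAG_KEY");
    if (v == NULL || v[0] == '\0' || strlen(v) >= buflen) return 0;
    strcpy(buf, v);
    return 1;
}

/* Verify a supplied password against a secret provisioned at runtime. */
int verify_admin_key(const char *password, const char *expected) {
    if (password == NULL || expected == NULL) return 0;
    return ct_equal(password, expected);
}

/* Drop-in replacement for the page's VerifyAdmin: fails closed with no key. */
int VerifyAdmin(char *password) {
    char key[KEY_MAX];
    if (!load_admin_key(key, sizeof key)) {
        printf("Diagnostic key not configured; refusing access.\n");
        return 0;
    }
    int ok = verify_admin_key(password, key);
    memset(key, 0, sizeof key);   /* scrub the secret from the stack */
    printf(ok ? "Entering Diagnostic Mode...\n" : "Incorrect Password!\n");
    return ok;
}
```

Because the secret now lives outside the binary, each deployment can carry its own value and rotate it without a rebuild; for a long-lived secret the operator would store a salted one-way hash rather than the plaintext, as the hard-coded password guidance the page refers to recommends.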
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2022-29960 | Engineering Workstation uses hard-coded cryptographic keys that could allow for unauthorized filesystem access and privilege escalation |
| CVE-2022-30271 | Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default. |
| CVE-2020-10884 | WiFi router service has a hard-coded encryption key, allowing root access |
| CVE-2014-2198 | Communications / collaboration product has a hardcoded SSH private key, allowing access to root account |
Related Weaknesses
Taxonomy Mappings
- CLASP — Use of hard-coded cryptographic key
- OWASP Top Ten 2007: A8 — Insecure Cryptographic Storage
- OWASP Top Ten 2007: A9 — Insecure Communications
- OWASP Top Ten 2004: A8 — Insecure Storage
- Software Fault Patterns: SFP33 — Hardcoded sensitive data
- ISA/IEC 62443: Part 2-4 — Req SP.03.10 RE(1)
- ISA/IEC 62443: Part 2-4 — Req SP.03.10 RE(3)
- ISA/IEC 62443: Part 3-3 — Req SR 1.5
- ISA/IEC 62443: Part 3-3 — Req SR 4.3
- ISA/IEC 62443: Part 4-1 — Req SD-1
- ISA/IEC 62443: Part 4-2 — Req SR 4.3
- ISA/IEC 62443: Part 4-2 — Req CR 7.3
Frequently Asked Questions
What is CWE-321?
CWE-321 (Use of Hard-coded Cryptographic Key) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses a hard-coded, unchangeable cryptographic key.
How can CWE-321 be exploited?
Attackers can exploit CWE-321 (Use of Hard-coded Cryptographic Key) to bypass protection mechanisms, gain privileges or assume identity, or read application data. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-321?
Key mitigations include: prevention schemes mirror those for hard-coded password storage.
What is the severity of CWE-321?
CWE-321 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 4 real-world CVEs.