Description
The product contains hard-coded credentials, such as a password or cryptographic key.
There are two main variations:
Potential Impact
Access Control
Bypass Protection Mechanism
Integrity, Confidentiality, Availability, Access Control, Other
Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other
Demonstrative Examples
...DriverManager.getConnection(url, "scott", "tiger");...javap -c ConnMngr.class22: ldc #36; //String jdbc:mysql://ixne.com/rxsql24: ldc #38; //String scott26: ldc #17; //String tigerint VerifyAdmin(char *password) {
if (strcmp(password, "Mew!")) {
printf("Incorrect Password!\n");return(0)
}printf("Entering Diagnostic Mode...\n");return(1);
}int VerifyAdmin(String password) {if (!password.equals("Mew!")) {return(0)}//Diagnostic Modereturn(1);}int VerifyAdmin(char *password) {
if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) {
printf("Incorrect Password!\n");return(0);
}printf("Entering Diagnostic Mode...\n");return(1);
}public boolean VerifyAdmin(String password) {if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {System.out.println("Entering Diagnostic Mode...");return true;}System.out.println("Incorrect Password!");return false;int VerifyAdmin(String password) {if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {Console.WriteLine("Entering Diagnostic Mode...");return(1);}Console.WriteLine("Incorrect Password!");return(0);}# Java Web App ResourceBundle properties file
...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword......<connectionStrings><add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" /></connectionStrings>...Mitigations & Prevention
For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7]. In Windows environments, the Encrypted File System (EFS) may p
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash. Use randomly assigned salts for each separate hash that is generated. This increases t
For front-end to back-end connections: Three solutions are possible, although none are complete.
Detection Methods
- Black Box Moderate — Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.
- Automated Static Analysis — Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.
- Manual Static Analysis — This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Conf
- Manual Dynamic Analysis — For hard-coded credentials in incoming authentication: use monitoring tools that examine the product's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the product was not developed by you, or if you want to veri
- Automated Static Analysis - Binary or Bytecode SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
- Manual Static Analysis - Binary or Bytecode High — According to SOAR [REF-1479], the following detection techniques may be useful:
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2022-40263 | Software for biological cell analysus has hard-coded credentials, leading to leak of Protected Health Information (PHI) |
| CVE-2022-29953 | Condition Monitor firmware has a maintenance interface with hard-coded credentials |
| CVE-2022-29960 | Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation |
| CVE-2022-29964 | Distributed Control System (DCS) has hard-coded passwords for local shell access |
| CVE-2022-30997 | Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials |
| CVE-2022-30314 | Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration |
| CVE-2022-30271 | Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments |
| CVE-2021-37555 | Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288] |
| CVE-2021-35033 | Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port |
| CVE-2012-3503 | Installation script has a hard-coded secret token value, allowing attackers to bypass authentication |
| CVE-2010-2772 | SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm |
| CVE-2010-2073 | FTP server library uses hard-coded usernames and passwords for three default accounts |
| CVE-2010-1573 | Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code |
| CVE-2008-2369 | Server uses hard-coded authentication key |
| CVE-2008-0961 | Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface |
Showing 15 of 20 observed examples.
Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): MSC03-J — Never hard code sensitive information
- OMG ASCSM: ASCSM-CWE-798 —
- ISA/IEC 62443: Part 3-3 — Req SR 1.5
- ISA/IEC 62443: Part 4-2 — Req CR 1.5
Frequently Asked Questions
What is CWE-798?
CWE-798 (Use of Hard-coded Credentials) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product contains hard-coded credentials, such as a password or cryptographic key.
How can CWE-798 be exploited?
Attackers can exploit CWE-798 (Use of Hard-coded Credentials) to bypass protection mechanism. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-798?
Key mitigations include: For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all out
What is the severity of CWE-798?
CWE-798 is classified as a Base-level weakness (Medium abstraction). It has been observed in 20 real-world CVEs.