CWE-1204 Detail

CWE-1204

Name

Generation of Weak Initialization Vector (IV)

Status

Incomplete

Published

2021-03-15
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Generation of Weak Initialization Vector (IV)

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

CWE Description

By design, some cryptographic primitives (such as block ciphers) require that IVs must have certain properties for the uniqueness and/or unpredictability of an IV. Primitives may vary in how important these properties are. If these properties are not maintained, e.g. by a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Confidentiality	Read Application Data Note: If the IV is not properly initialized, data that is encrypted can be compromised and information about the data can be leaked. See [REF-1179].

Observed Examples

References	Description
CVE-2020-1472	ZeroLogon vulnerability - use of a static IV of all zeroes in AES-CFB8 mode
CVE-2011-3389	BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack.
CVE-2001-0161	wireless router does not use 6 of the 24 bits for WEP encryption, making it easier for attackers to decrypt traffic
CVE-2001-0160	WEP card generates predictable IV values, making it easier for attackers to decrypt traffic
CVE-2017-3225	device bootloader uses a zero initialization vector during AES-CBC
CVE-2016-6485	crypto framework uses PHP rand function - which is not cryptographically secure - for an initialization vector
CVE-2014-5386	encryption routine does not seed the random number generator, causing the same initialization vector to be generated repeatedly
CVE-2020-5408	encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality
CVE-2017-17704	messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart
CVE-2017-11133	application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong.
CVE-2007-3528	Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values.

Potential Mitigations

Phases : Implementation

Different cipher modes have different requirements for their IVs. When choosing and implementing a mode, it is important to understand those requirements in order to keep security guarantees intact. Generally, it is safest to generate a random IV, since it will be both unpredictable and have a very low chance of being non-unique. IVs do not have to be kept secret, so if generating duplicate IVs is a concern, a list of already-used IVs can be kept and checked against.

NIST offers recommendations on generation of IVs for modes of which they have approved. These include options for when random IVs are not practical. For CBC, CFB, and OFB, see [REF-1175]; for GCM, see [REF-1178].

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
CAPEC-20	Encryption Brute Forcing An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
CAPEC-97	Cryptanalysis Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).

NotesNotes

As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

References

REF-1175

Intercepting Mobile Communications: The Insecurity of 802.11
Nikita Borisov, Ian Goldberg, David Wagner.
http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

REF-1175

Intercepting Mobile Communications: The Insecurity of 802.11
Nikita Borisov, Ian Goldberg, David Wagner.
http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

REF-1176

Birthday problem
Wikipedia.
https://en.wikipedia.org/wiki/Birthday_problem

REF-1177

Initialization Vector
Wikipedia.
https://en.wikipedia.org/wiki/Initialization_vector

REF-1178

Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
NIST.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf

REF-1179

CBC Mode is Malleable. Don't trust it for Authentication
Arxum Path Security.
https://arxumpathsecurity.com/blog/2019/10/16/cbc-mode-is-malleable-dont-trust-it-for-authentication

Submission

Name	Organization	Date	Date release	Version
CWE Content Team	MITRE	2021-03-09 +00:00	2021-03-15 +00:00	4.4

Modifications

Name	Organization	Date	Comment
CWE Content Team	MITRE	2021-07-20 +00:00	updated Maintenance_Notes, Observed_Examples, References
CWE Content Team	MITRE	2023-04-27 +00:00	updated References, Relationships, Time_of_Introduction
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes