CWE-1204 Detail

CWE-1204: Generation of Weak Initialization Vector (IV)
Status: Incomplete
Released: 2021-03-15 00:00 +00:00
Last modified: 2023-06-29 00:00 +00:00


Generation of Weak Initialization Vector (IV)

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

Extended Description

By design, some cryptographic primitives (such as block ciphers) require that their IVs have certain properties, typically uniqueness and/or unpredictability. Primitives vary in how important these properties are. If they are not maintained, e.g. because of a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.

Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope: Confidentiality
Impact: Read Application Data

Note: If the IV is not properly initialized, data that is encrypted can be compromised and information about the data can be leaked. See [REF-1179].

Observed Examples

CVE-2020-1472: ZeroLogon vulnerability - use of a static IV of all zeroes in AES-CFB8 mode
CVE-2011-3389: BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack.
CVE-2001-0161: wireless router does not use 6 of the 24 bits for WEP encryption, making it easier for attackers to decrypt traffic
CVE-2001-0160: WEP card generates predictable IV values, making it easier for attackers to decrypt traffic
CVE-2017-3225: device bootloader uses a zero initialization vector during AES-CBC
CVE-2016-6485: crypto framework uses PHP rand function - which is not cryptographically secure - for an initialization vector
CVE-2014-5386: encryption routine does not seed the random number generator, causing the same initialization vector to be generated repeatedly
CVE-2020-5408: encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality
CVE-2017-17704: messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart
CVE-2017-11133: application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong
CVE-2007-3528: Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values

Potential Mitigations

Phases : Implementation

Different cipher modes have different requirements for their IVs. When choosing and implementing a mode, it is important to understand those requirements in order to keep security guarantees intact. Generally, it is safest to generate a random IV, since it will be both unpredictable and have a very low chance of being non-unique. IVs do not have to be kept secret, so if generating duplicate IVs is a concern, a list of already-used IVs can be kept and checked against.

NIST offers recommendations on IV generation for the modes it has approved, including options for when random IVs are not practical. For CBC, CFB, and OFB, see [REF-1175]; for GCM, see [REF-1178].
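The weakness in the description and the mitigation above, as an added example that is not part of the CWE entry: `EncryptWeak` reproduces the static all-zero IV pattern from the observed examples, `EncryptRandomIV` draws a fresh IV from the OS CSPRNG and prepends it to the ciphertext. The key and message are constructed demo values; encrypting the same block twice shows that the static IV lets an observer see that two messages are equal, while the random IV does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cbcEncrypt: AES-CBC with a caller-supplied IV; how that IV is produced is where CWE-1204 lives.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext) // plaintext must be block-aligned
	return out, nil
}

// EncryptWeak reproduces the flaw: a static all-zero IV, as in the ZeroLogon and bootloader examples.
func EncryptWeak(key, plaintext []byte) ([]byte, error) {
	return cbcEncrypt(key, make([]byte, aes.BlockSize), plaintext) // constant zero IV: CWE-1204
}

// EncryptRandomIV is the mitigation: fresh CSPRNG IV, prepended so the decryptor can recover it (IVs need not be secret).
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real secret
	msg := []byte("ATTACK AT DAWN!!")  // exactly one 16-byte block, constructed
	w1, _ := EncryptWeak(key, msg)
	w2, _ := EncryptWeak(key, msg)
	r1, _ := EncryptRandomIV(key, msg)
	r2, _ := EncryptRandomIV(key, msg)
	fmt.Println("static IV: identical ciphertexts =", bytes.Equal(w1, w2)) // true
	fmt.Println("random IV: identical ciphertexts =", bytes.Equal(r1, r2)) // false
}
```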


Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-20 Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
CAPEC-97 Cryptanalysis
Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).

Notes

As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

References

REF-1175

Intercepting Mobile Communications: The Insecurity of 802.11
Nikita Borisov, Ian Goldberg, David Wagner.
http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

REF-1176

Birthday problem
Wikipedia.
https://en.wikipedia.org/wiki/Birthday_problem

REF-1177

Initialization Vector
Wikipedia.
https://en.wikipedia.org/wiki/Initialization_vector

REF-1178

Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
NIST.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf

REF-1179

CBC Mode is Malleable. Don't trust it for Authentication
Arxum Path Security.
https://arxumpathsecurity.com/blog/2019/10/16/cbc-mode-is-malleable-dont-trust-it-for-authentication

Submission

Name: CWE Content Team
Organization: MITRE
Date: 2021-03-09 +00:00
Date Release: 2021-03-15 +00:00
Version: 4.4

Modifications

CWE Content Team (MITRE), 2021-07-20 +00:00: updated Maintenance_Notes, Observed_Examples, References
CWE Content Team (MITRE), 2023-04-27 +00:00: updated References, Relationships, Time_of_Introduction
CWE Content Team (MITRE), 2023-06-29 +00:00: updated Mapping_Notes