By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force.
Credentials may be weak for different reasons, such as:
Even if a new, unique credential is intended to be generated for each product installation, if the generation is predictable, then that may also simplify guessing attacks.
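The passages above describe the weakness in the abstract; the following Python is an added example (not code from the CWE entry or from MITRE) showing how a service can audit its configured secrets for the patterns listed in the observed examples (empty, default, too short, low entropy, hard-coded fallback) and generate a per-installation secret from the OS CSPRNG rather than from a seeded or time-derived generator. The policy thresholds `MIN_LENGTH` and `MIN_ENTROPY_BITS`, the `KNOWN_DEFAULTS` list and the function names are assumptions chosen for illustration.

```python
"""Audit configured credentials for weak-credential patterns (CWE-1391):
empty, default, too short, low entropy, or a silent hard-coded fallback."""
import math
import os
import secrets
import string
from typing import Dict, List, Optional

MIN_LENGTH = 16          # assumed policy minimum, not a figure from the CWE entry
MIN_ENTROPY_BITS = 80.0  # assumed policy minimum
GENERATED_ALPHABET = string.ascii_letters + string.digits

# Constructed sample of well-known default/placeholder values; a real audit loads a vetted list.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "default", "secret", "root", "1234", "test"}


def entropy_bits(secret: str) -> float:
    """Upper-bound entropy estimate from the character classes present.
    Only a sanity check: a predictable generator can still emit a 'high-entropy' string."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # printable ASCII punctuation and space
    return len(secret) * math.log2(size) if size else 0.0


def audit_credential(value: Optional[str]) -> List[str]:
    """Return the weakness labels that apply to one credential value (empty list = passes)."""
    if not value:
        return ["empty"]
    findings = []
    if value.lower() in KNOWN_DEFAULTS:
        findings.append("default")
    if len(value) < MIN_LENGTH:
        findings.append("short")
    if entropy_bits(value) < MIN_ENTROPY_BITS:
        findings.append("low-entropy")
    return findings


def audit_environment(env: Dict[str, str], keys: List[str]) -> Dict[str, List[str]]:
    """Audit several configured secrets at once; missing keys are reported as empty."""
    return {k: audit_credential(env.get(k)) for k in keys}


def load_secret_insecure(name: str, env: Dict[str, str]) -> str:
    """Anti-pattern from the observed examples: a hard-coded fallback is used when the
    operator forgets to set the variable, so every installation shares the same key."""
    return env.get(name, "dev-secret-key")  # constructed placeholder value


def load_secret(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """Fail closed: refuse to run with a missing or weak secret instead of substituting one."""
    env = dict(os.environ) if env is None else env
    value = env.get(name)
    findings = audit_credential(value)
    if findings:
        raise ValueError(f"{name} rejected: {', '.join(findings)}")
    return value


def generate_secret(length: int = 32) -> str:
    """Per-installation secret from the OS CSPRNG (secrets), not from a seeded PRNG
    or a value derived from guessable details such as the time of generation."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    return "".join(secrets.choice(GENERATED_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    sample_env = {"DB_PASSWORD": "changeme", "API_TOKEN": ""}  # constructed sample config
    print(audit_environment(sample_env, ["DB_PASSWORD", "API_TOKEN", "SESSION_KEY"]))
    print(load_secret("SESSION_KEY", {"SESSION_KEY": generate_secret()})[:4] + "...")
```

The entropy estimate is deliberately an upper bound: it catches short and single-class values, but a value produced by a deterministic or time-seeded generator passes it, which is why `generate_secret` draws from `secrets` and why `load_secret` refuses to start rather than fall back to a shared constant.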
| Reference | Description |
|---|---|
| | Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391) |
| | Remote Terminal Unit (RTU) uses default credentials for some SSH accounts |
| | Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords |
| | Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments |
| | Microcontroller board has default password, allowing admin access |
| | Data visualization/sharing package uses default secret keys or cookie values if they are not specified in environment variables |
| | UART interface for AI speaker uses empty password for root shell |
| | Password manager does not generate cryptographically strong passwords, allowing prediction of passwords using guessable details such as time of generation |
| | Password generator for cloud application has small length value, making it easier for brute-force guessing |
| | Network-attached storage (NAS) system has predictable default passwords for a diagnostics/support account |
| | IT asset management app has a default encryption key that is the same across installations |
| | Installation script has a hard-coded secret token value, allowing attackers to bypass authentication |
| | Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic |
| | Residential gateway uses the last 5 digits of the 'Network Name' or SSID as the default WEP key, which allows attackers to get the key by sniffing the SSID, which is sent in the clear |
| Name | Organization | Date | Date Release | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | | | 4.9 |
| Name | Organization | Date | Comment |
|---|---|---|---|
| CWE Content Team | MITRE | | updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References |
| CWE Content Team | MITRE | | updated References, Relationships |
| CWE Content Team | MITRE | | updated Mapping_Notes, Taxonomy_Mappings |
| CWE Content Team | MITRE | | updated Observed_Examples, References |