{"@ID": "321", "@Name": "Use of Hard-coded Cryptographic Key", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-321-Diagram.png", "Description": "The product uses a hard-coded, unchangeable cryptographic key.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "798", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "798", "@View_ID": "1305", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "798", "@View_ID": "1340", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "ICS/OT", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": ["Bypass Protection Mechanism", "Gain Privileges or Assume Identity", "Read Application Data"], "Note": "If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. The use  of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Architecture and Design", "Description": "Prevention schemes mirror that of hard-coded password storage."}}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-92", "Intro_Text": "The following code examples attempt to verify a password using a hard-coded cryptographic key.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "#text": "printf(\"Incorrect Password!\\n\");return(0);"}}, "xhtml:br": [null, null], "#text": "if (strcmp(password,\"68af404b513073584c4b6f22b6c63e6b\")) {}printf(\"Entering Diagnostic Mode...\\n\");return(1);"}}, "#text": "int VerifyAdmin(char *password) {}"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "System.out.println(\"Entering Diagnostic Mode...\");return true;"}, "xhtml:br": [null, null], "#text": "if (password.equals(\"68af404b513073584c4b6f22b6c63e6b\")) {}System.out.println(\"Incorrect Password!\");return false;"}, "#text": "public boolean VerifyAdmin(String password) {"}}, {"@Nature": "Bad", "@Language": "C#", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "Console.WriteLine(\"Entering Diagnostic Mode...\");return(1);"}, "xhtml:br": [null, null], "#text": "if (password.Equals(\"68af404b513073584c4b6f22b6c63e6b\")) {}Console.WriteLine(\"Incorrect Password!\");return(0);"}, "#text": "int VerifyAdmin(String password) {}"}}], "Body_Text": "The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system."}, {"@Demonstrative_Example_ID": "DX-153", "Intro_Text": "In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were \"insecure by design\" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.", "Body_Text": "Multiple vendors used hard-coded keys for critical functionality in their OT products."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2022-29960", "Description": "Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-29960"}, {"Reference": "CVE-2022-30271", "Description": "Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-30271"}, {"Reference": "CVE-2020-10884", "Description": "WiFi router service has a hard-coded encryption key, allowing root access", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-10884"}, {"Reference": "CVE-2014-2198", "Description": "Communications / collaboration product has a hardcoded SSH private key, allowing access to root account", "Link": "https://www.cve.org/CVERecord?id=CVE-2014-2198"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "CLASP", "Entry_Name": "Use of hard-coded cryptographic key"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A8", "Entry_Name": "Insecure Cryptographic Storage", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A9", "Entry_Name": "Insecure Communications", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A8", "Entry_Name": "Insecure Storage", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP33", "Entry_Name": "Hardcoded sensitive data"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 2-4", "Entry_Name": "Req SP.03.10 RE(1)"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 2-4", "Entry_Name": "Req SP.03.10 RE(3)"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 3-3", "Entry_Name": "Req SR 1.5"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 3-3", "Entry_Name": "Req SR 4.3"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SD-1"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req SR 4.3"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req CR 7.3"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-18"}, {"@External_Reference_ID": "REF-1283"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Other", "#text": "The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password."}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Organization": "Veracode", "Modification_Date": "2008-08-15", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Suggested OWASP Top Ten 2004 mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Demonstrative_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Demonstrative_Examples, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated References, Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms, Maintenance_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Common_Consequences, Description, Diagram"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Maintenance_Notes, Relationships, Weakness_Ordinalities"}], "Contribution": [{"@Type": "Content", "Contribution_Name": "\"Mapping CWE to 62443\" Sub-Working Group", "Contribution_Organization": "CWE-CAPEC ICS/OT SIG", "Contribution_Date": "2023-01-24", "Contribution_Version": "4.10", "Contribution_ReleaseDate": "2023-01-31", "Contribution_Comment": "Suggested mappings to ISA/IEC 62443."}, {"@Type": "Content", "Contribution_Name": "\"Mapping CWE to 62443\" Sub-Working Group", "Contribution_Organization": "CWE-CAPEC ICS/OT SIG", "Contribution_Date": "2023-04-25", "Contribution_Comment": "Suggested mappings to ISA/IEC 62443."}]}}
