ByteOS Network

CWE-1394:Use of Default Cryptographic Key

Weakness ID:1394

Version:v4.17

Weakness Name:Use of Default Cryptographic Key

Vulnerability Mapping:Allowed

Abstraction:Base

Structure:Simple

Status:Incomplete

Details Content History Observed CVE Examples Reports

▼Description

The product uses a default cryptographic key for potentially critical functionality.

▼Extended Description

It is common practice for products to be designed to use default keys. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.

▼Relationships

Relevant to the view"Research Concepts - (1000)"

Nature	Mapping	Type	ID	Name
ChildOf	Allowed	B	1392	Use of Default Credentials

Nature: ChildOf

Mapping: Allowed

Type: Base

ID: 1392

Name: Use of Default Credentials

▼Memberships

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	1396	Comprehensive Categorization: Access Control

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1396

Name: Comprehensive Categorization: Access Control

▼Tags

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	BS	BOSS-294	Not Language-Specific Weaknesses
MemberOf	Prohibited	BS	BOSS-298	Not OS-Specific(os class) Weaknesses
MemberOf	Prohibited	BS	BOSS-301	Not Architecture-Specific (architecture class) Weaknesses
MemberOf	Prohibited	BS	BOSS-307	Not Technology-Specific (technology class) Weaknesses
MemberOf	Prohibited	BS	BOSS-332	Gain Privileges or Assume Identity (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-294

Name: Not Language-Specific Weaknesses

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-298

Name: Not OS-Specific(os class) Weaknesses

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-301

Name: Not Architecture-Specific (architecture class) Weaknesses

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-307

Name: Not Technology-Specific (technology class) Weaknesses

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-332

Name: Gain Privileges or Assume Identity (impact)

▼Common Consequences

Scope	Likelihood	Impact	Note
Authentication	N/A	Gain Privileges or Assume Identity	N/A

Scope: Authentication

Likelihood: N/A

Impact: Gain Privileges or Assume Identity

Note:

N/A

▼Potential Mitigations

Phase:Requirements

Effectiveness: High

Description:

Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Phase:Architecture and Design

Effectiveness: High

Description:

Force the administrator to change the credential upon installation.

Phase:Installation, Operation

Effectiveness: Moderate

Description:

The product administrator could change the defaults upon installation or during operation.

▼Modes Of Introduction

Phase: Architecture and Design

Note:

N/A

▼Applicable Platforms

Languages

Class: Not Language-Specific(Undetermined Prevalence)

Technology

Class: Not Technology-Specific(Undetermined Prevalence)

Operating System

Class: Not OS-Specific(Undetermined Prevalence)

Architecture

Class: Not Architecture-Specific(Undetermined Prevalence)

▼Observed Examples

Reference	Description
CVE-2018-3825	cloud cluster management product has a default master encryption key
CVE-2016-1561	backup storage product has a default SSH public key in the authorized_keys file, allowing root access
CVE-2010-2306	Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic

Reference: CVE-2018-3825

Description:

cloud cluster management product has a default master encryption key

Reference: CVE-2016-1561

Description:

backup storage product has a default SSH public key in the authorized_keys file, allowing root access

Reference: CVE-2010-2306

Description:

Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic

▼Vulnerability Mapping Notes

Usage:Allowed

Reason:Acceptable-Use

Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.