CWE-321: Use of Hard-coded Cryptographic Key

CWE-321: Use of Hard-coded Cryptographic Key | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code examples attempt to verify a password using a hard-coded cryptographic key.

Vulnerable example

int VerifyAdmin(char *password) {

Vulnerable example

java

public boolean VerifyAdmin(String password) {

Vulnerable example

csharp

int VerifyAdmin(String password) {

The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors used hard-coded keys for critical functionality in their OT products.

CWE-321: Use of Hard-coded Cryptographic Key

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-321?

What CVEs are caused by CWE-321?

Is CWE-321 part of the OWASP Top 10?

How do you prevent CWE-321?

How is CWE-321 detected?

What are the consequences of CWE-321?

Is CWE-321 actively exploited?

References

Stay ahead of CWE-321

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-321?

What CVEs are caused by CWE-321?

Is CWE-321 part of the OWASP Top 10?

How do you prevent CWE-321?

How is CWE-321 detected?

What are the consequences of CWE-321?

Is CWE-321 actively exploited?

References

Stay ahead of CWE-321