CWE-1394: Use of Default Cryptographic Key

Base Incomplete Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Weakness Description

The product uses a default cryptographic key for potentially critical functionality.

Extended Description

It is common practice for products to be designed to use default keys. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.

Common Consequences

Scope: Authentication

Technical Impact: Gain Privileges or Assume Identity

Potential Mitigations

Phase: Requirements

Description: Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Phase: Architecture and Design

Description: Force the administrator to change the credential upon installation.

Effectiveness: High

Phase: Installation; Operation

Description: The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate
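The three mitigations above amount to one design rule: the key must be provisioned per installation, never shipped in the product. The following Python is an added example (not code from the CWE entry or any product it cites) showing what that looks like in practice: the installer generates a fresh random key, and the product refuses to start if the configured key is still a known shipped default. The default key bytes, the config file layout and the function names are constructed for illustration.

```python
"""Per-installation key provisioning with a startup check that rejects
shipped default keys.

Added example, not part of the CWE entry. SHIPPED_DEFAULT_KEY stands in for
whatever value a product's installer or firmware would have embedded; the
JSON config layout is likewise an assumption made for this example.
"""
import hmac
import json
import os
import secrets
from pathlib import Path

KEY_LEN = 32  # 256-bit key

# Constructed example of a key that was baked into every build of a product.
# A real deployment would list every default the vendor ever shipped here.
SHIPPED_DEFAULT_KEY = bytes.fromhex("00" * KEY_LEN)
KNOWN_DEFAULT_KEYS = (SHIPPED_DEFAULT_KEY,)


def is_default_key(key: bytes) -> bool:
    """True if `key` equals any key known to ship with the product.

    hmac.compare_digest keeps the comparison constant-time so the check
    itself does not reveal which default (if any) matched.
    """
    return any(hmac.compare_digest(key, d) for d in KNOWN_DEFAULT_KEYS)


def generate_installation_key() -> bytes:
    """Fresh CSPRNG key that is unique to this installation."""
    key = secrets.token_bytes(KEY_LEN)
    # Practically impossible, but never hand out a default by accident.
    while is_default_key(key):
        key = secrets.token_bytes(KEY_LEN)
    return key


def install(config_path: Path) -> bytes:
    """Mitigation at 'Architecture and Design': the installer provisions the
    key itself instead of relying on an admin to replace a shipped one."""
    key = generate_installation_key()
    config_path.write_text(json.dumps({"master_key": key.hex()}))
    os.chmod(config_path, 0o600)  # owner-only read/write for the key file
    return key


def load_key_or_fail(config_path: Path) -> bytes:
    """Startup check: refuse to run on a missing, malformed or default key,
    so a forgotten rotation fails loudly rather than silently staying open."""
    if not config_path.exists():
        raise RuntimeError("no key provisioned; run install() first")
    cfg = json.loads(config_path.read_text())
    try:
        key = bytes.fromhex(cfg["master_key"])
    except (KeyError, ValueError) as exc:
        raise RuntimeError("master_key missing or not valid hex") from exc
    if len(key) != KEY_LEN:
        raise RuntimeError(f"master_key must be {KEY_LEN} bytes")
    if is_default_key(key):
        raise RuntimeError("master_key is a shipped default; rotate it before use")
    return key


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "product.json"
        # A config that still carries the shipped default is rejected...
        path.write_text(json.dumps({"master_key": SHIPPED_DEFAULT_KEY.hex()}))
        try:
            load_key_or_fail(path)
        except RuntimeError as e:
            print("startup refused:", e)
        # ...while a freshly installed one is accepted.
        provisioned = install(path)
        assert load_key_or_fail(path) == provisioned
        print("per-installation key provisioned OK")
```

The refusal in load_key_or_fail is what turns the "Installation; Operation" mitigation (an admin might change the default) into the stronger "Architecture and Design" one (the product will not operate until it has been changed), which is why CWE rates the latter as more effective.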

Observed Examples

Reference: CVE-2018-3825

cloud cluster management product has a default master encryption key

Reference: CVE-2016-1561

backup storage product has a default SSH public key in the authorized_keys file, allowing root access

Reference: CVE-2010-2306

Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic

Modes of Introduction

Phase: Architecture and Design

Note: -

Applicable Platforms

Languages: Not Language-Specific (Undetermined)

Operating Systems: Not OS-Specific (Undetermined)

Technologies: Not Technology-Specific (Undetermined)

Key Information

CWE ID: CWE-1394

Abstraction: Base

Structure: Simple

Status: Incomplete

Related Weaknesses