CWE-321: Use of Hard-coded Cryptographic Key
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product uses a hard-coded, unchangeable cryptographic key.
Common Consequences
Scope: Access Control
Technical Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity; Read Application Data
Note: Because a hard-coded key is identical in every copy of the product and cannot be changed in the field, anyone who extracts it from one copy (source, firmware image or binary) can use it against every deployment. If the key authenticates an account, it is almost certain that attackers will gain access through that account; if it encrypts data, the chance that the data can be recovered rises significantly.
Potential Mitigations
Phase: Architecture and Design
Description: Prevention schemes mirror those for hard-coded password storage: keep the key out of the source and the shipped binary, provision it at deployment time from a protected configuration file or key store that is not part of the code, and design so that the key can be rotated.
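The mitigation above says to treat a hard-coded key exactly like a hard-coded password. As an added example, not code from the CWE entry or from any product it cites, the following Python shows a token-signing key baked into the source, the forgery that permits, and the same functionality with the key supplied at runtime through a small key store that also allows rotation. The names KeyStore, sign_token and verify_token, the environment variable TOKEN_SIGNING_KEY and the key value in HARDCODED_KEY are all assumptions for illustration.

```python
"""Hard-coded HMAC token key (CWE-321) next to a hardened key store.

Added example, not code from the CWE entry or any product it cites. The token
format is deliberately minimal (base64 body + HMAC-SHA256 tag); the point is
where the key comes from. KeyStore is a toy stand-in for a KMS, HSM or secrets
manager, and TOKEN_SIGNING_KEY is an assumed environment-variable name."""
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Optional, Tuple

# --- Vulnerable: the key is a literal, so it is identical in every build and
# recoverable from any repository clone, firmware image or disassembled binary.
HARDCODED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed value

def _encode(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()

def sign_token_vulnerable(claims: dict) -> str:
    body = _encode(claims)
    tag = hmac.new(HARDCODED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_token_vulnerable(token: str) -> Optional[dict]:
    body, _, tag = token.rpartition(".")
    expected = hmac.new(HARDCODED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(tag, expected) else None

def forge_admin_token() -> str:
    """Anyone who has read the source or binary knows HARDCODED_KEY and can mint
    any claims they like: the entry's "Gain Privileges or Assume Identity"."""
    return sign_token_vulnerable({"sub": "attacker", "role": "admin"})

# --- Hardened: no key in the code. Keys are loaded or generated at runtime,
# addressed by a key id so they can be rotated, and only the current one signs.
class KeyStore:
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._current: Optional[str] = None

    def add(self, key: bytes) -> str:
        if len(key) < 32:
            raise ValueError("signing key must be at least 256 bits")
        kid = secrets.token_hex(4)
        self._keys[kid] = key
        self._current = kid
        return kid

    def load_from_env(self, var: str = "TOKEN_SIGNING_KEY") -> str:
        """Take the key from the deployment; never fall back to a built-in one."""
        raw = os.environ.get(var)
        if raw is None:
            raise RuntimeError(f"{var} is not set; refusing to start with a default key")
        return self.add(bytes.fromhex(raw))

    def rotate(self) -> str:
        """New signing key; older keys stay available to verify tokens already issued."""
        return self.add(secrets.token_bytes(32))

    def current(self) -> Tuple[str, bytes]:
        if self._current is None:
            raise RuntimeError("no signing key loaded")
        return self._current, self._keys[self._current]

    def get(self, kid: str) -> Optional[bytes]:
        return self._keys.get(kid)

def sign_token(store: KeyStore, claims: dict) -> str:
    kid, key = store.current()
    body = _encode(claims)
    tag = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    return f"{kid}.{body}.{tag}"

def verify_token(store: KeyStore, token: str) -> Optional[dict]:
    parts = token.split(".")
    if len(parts) != 3:
        return None
    kid, body, tag = parts
    key = store.get(kid)                 # None for an unknown or retired key id
    if key is None:
        return None
    expected = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

if __name__ == "__main__":
    print("forged token accepted by vulnerable verifier:", verify_token_vulnerable(forge_admin_token()))
    store = KeyStore()
    store.add(secrets.token_bytes(32))   # in a real deployment: store.load_from_env()
    token = sign_token(store, {"sub": "alice", "role": "user"})
    store.rotate()
    print("token issued before rotation still verifies:", verify_token(store, token))
    print("forged token against the hardened verifier:", verify_token(store, forge_admin_token()))
```

The forged token is accepted by the vulnerable verifier because the attacker and the server share the same literal. Against the key store the forgery fails, and because tokens carry a key id, rotating the key does not invalidate tokens that were issued legitimately before the rotation, which is what makes rotation operationally possible in the first place.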
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
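The description above is about connecting sources to sinks. As an added example, which is not the CWE entry's text and not any particular SAST product, the following Python implements a toy line-level version of that search for this weakness: a string or bytes literal flowing into a key-like variable, a literal used as the built-in fallback for an environment lookup (a pattern that still ships the key in the product), and a PEM private-key block pasted into the source. The variable-name list, the 16-character floor and the 3.5-bit entropy threshold are assumptions tuned for the constructed sample in the block.

```python
"""Toy static check for hard-coded key material (CWE-321).

Added example: this is not a SAST product and not code from the CWE entry.
The name list, length floor and entropy threshold are assumptions tuned for
the constructed sample below; real tools track data flow into the crypto API
and use far more patterns."""
import math
import re
from typing import List, NamedTuple

# Assignment of a string/bytes literal (optionally via bytes.fromhex) to a
# variable whose name suggests key material. Covers `=`, `:=` and `key: "..."`.
KEY_LITERAL = re.compile(
    r"\b(\w*(?:key|secret|hmac|aes|passphrase)\w*)\s*(?::?=|:)\s*"
    r"(?:bytes\.fromhex\()?\s*[bB]?(['\"])([^'\"]{16,})\2", re.IGNORECASE)
# A built-in default handed to getenv()/environ.get(): the key still ships in the code.
ENV_FALLBACK = re.compile(
    r"(?:getenv|environ\.get)\(\s*['\"](\w+)['\"]\s*,\s*[bB]?(['\"])([^'\"]{16,})\2")
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")

class Finding(NamedTuple):
    line: int
    kind: str
    detail: str

def shannon_entropy(s: str) -> float:
    """Bits per character; random hex tops out near 4, random base64 near 6."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_key(literal: str) -> bool:
    """Heuristic gate that drops placeholders such as CHANGEME_CHANGEME_CHANGEME."""
    if re.fullmatch(r"[0-9a-fA-F]{32,}", literal):   # 128-bit or longer hex
        return True
    return shannon_entropy(literal) >= 3.5             # assumed threshold

def scan_source(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_PRIVATE.search(line):
            findings.append(Finding(lineno, "pem-private-key", line.strip()))
            continue
        m = ENV_FALLBACK.search(line)
        if m and looks_like_key(m.group(3)):
            findings.append(Finding(lineno, "env-fallback-default", m.group(1)))
            continue
        m = KEY_LITERAL.search(line)
        if m and looks_like_key(m.group(3)):
            findings.append(Finding(lineno, "literal-key", m.group(1)))
    return findings

# Constructed sample: real findings mixed with lines a naive grep for "key" would misreport.
SAMPLE_SOURCE = '''\
import os
AES_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # hard-coded 128-bit key
hmac_secret = b"s3cr3t-hmac-key-for-tokens-0001"
api_key = os.environ["API_KEY"]                                # loaded at runtime: fine
token_key = os.environ.get("TOKEN_KEY", "fallback-key-0123456789abcdef")
jwt_key = "CHANGEME_CHANGEME_CHANGEME"                        # template placeholder
SSH_PRIVATE_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----"""
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run on the sample, the scan reports lines 2, 3, 5 and 7 and stays silent on the runtime lookup on line 4 and the low-entropy placeholder on line 6. The fallback on line 5 is the case practitioners most often miss when reviewing: the deployment may set TOKEN_KEY, but every copy of the product that does not still carries the same built-in key, which is exactly the condition this entry describes.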
Observed Examples
Reference: CVE-2022-29960
Engineering Workstation uses hard-coded cryptographic keys that could allow for unauthorized filesystem access and privilege escalation
Reference: CVE-2022-30271
Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used by default.
Reference: CVE-2020-10884
WiFi router service has a hard-coded encryption key, allowing root access
Reference: CVE-2014-2198
Communications / collaboration product has a hardcoded SSH private key, allowing access to root account
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Use of hard-coded cryptographic key | - |
| OWASP Top Ten 2007 | A8 | Insecure Cryptographic Storage | CWE More Specific |
| OWASP Top Ten 2007 | A9 | Insecure Communications | CWE More Specific |
| OWASP Top Ten 2004 | A8 | Insecure Storage | CWE More Specific |
| Software Fault Patterns | SFP33 | Hardcoded sensitive data | - |
| ISA/IEC 62443 | Part 2-4 | Req SP.03.10 RE(1) | - |
| ISA/IEC 62443 | Part 2-4 | Req SP.03.10 RE(3) | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 1.5 | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 4.3 | - |
| ISA/IEC 62443 | Part 4-1 | Req SD-1 | - |
| ISA/IEC 62443 | Part 4-2 | Req SR 4.3 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 7.3 | - |