CWE-329: Generation of Predictable IV with CBC Mode
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
说明: If the IV is not properly initialized, data that is encrypted can be compromised and leak information.
潜在缓解措施
阶段: Implementation
描述: NIST recommends two methods of generating unpredictable IVs for CBC mode [REF-1172]. The first is to generate the IV randomly. The second method is to encrypt a nonce with the same key and cipher to be used to encrypt the plaintext. In this case the nonce must be unique but can be predictable, since the block cipher will act as a pseudo random permutation.
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2020-5408
encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality
参考: CVE-2017-17704
messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart
参考: CVE-2017-11133
application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong.
参考: CVE-2007-3528
Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values.
参考: CVE-2011-3389
BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | Developers might dismiss the importance of an unpredictable IV and choose an easier implementation to save effort, weakening the scheme in the process. |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Not using a random IV with CBC mode | - |