CWE-798: Use of Hard-coded Credentials
CWE version: 4.18
Last updated: 2025-09-09
Weakness Description
The product contains hard-coded credentials, such as a password or cryptographic key.
Common Consequences
Scope: Access Control
Technical Impact: Bypass Protection Mechanism
Scope: Integrity; Confidentiality; Availability; Access Control; Other
Technical Impact: Read Application Data; Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands; Other
Potential Mitigations
Phase: Architecture and Design
Phase: Architecture and Design
Description: For inbound authentication: rather than hard-coding a default username and password, key, or other authentication credential for first-time logins, use a "first login" mode that requires the user to set a unique, strong password or key before the feature can be used.
Phase: Architecture and Design
Description: If the product must contain hard-coded credentials, or they cannot be removed, perform access control checks and limit which entities can reach the feature that requires them. For example, a feature might be enabled only through the system console instead of through a network connection.
Phase: Architecture and Design
Phase: Architecture and Design
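The two inbound-authentication mitigations above, as an added example that is not part of the CWE entry or any vendor's code: a maintenance login with a hard-coded shared password (the weakness), beside a hardened version that ships with no credential, forces a "first login" enrollment of a strong password, stores only a salted PBKDF2 hash, and gates the maintenance feature to the local console channel. The class and function names, the in-memory credential store standing in for protected non-volatile storage, and the sample passwords are all constructed for illustration.

```python
"""Added example: hard-coded maintenance credential vs. first-login
enrollment with channel-based access control. Names and the stub
credential store are constructed for illustration."""
import hashlib
import hmac
import os

# --- Vulnerable pattern (CWE-798): the credential is baked into the code ---
MAINT_PASSWORD = "maint-2019!"   # constructed; every shipped unit shares it


def vulnerable_maint_login(password: str) -> bool:
    # Anyone who extracts the firmware learns this value, and the operator
    # cannot rotate it without a new build.
    return password == MAINT_PASSWORD


# --- Hardened pattern: no default credential, "first login" enrollment ---
class CredentialStore:
    """Stand-in for protected non-volatile storage (constructed stub).
    Holds at most one record: (salt, pbkdf2_hmac digest)."""

    ITERATIONS = 200_000

    def __init__(self) -> None:
        self.record = None   # None until the operator enrolls

    def is_enrolled(self) -> bool:
        return self.record is not None

    def set_password(self, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.record = (salt, digest)

    def verify(self, password: str) -> bool:
        if self.record is None:
            return False          # nothing enrolled: refuse, never fall back to a default
        salt, digest = self.record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison


class MaintenanceService:
    MIN_LEN = 12   # constructed policy: length plus at least one non-alphanumeric

    def __init__(self, store: CredentialStore) -> None:
        self.store = store

    def first_login(self, new_password: str) -> bool:
        """Enrollment replaces a shipped default. It refuses weak choices and
        is one-shot: once a credential exists it cannot be re-run to overwrite it."""
        if self.store.is_enrolled():
            return False
        if len(new_password) < self.MIN_LEN or new_password.isalnum():
            return False
        self.store.set_password(new_password)
        return True

    def login(self, password: str, channel: str) -> bool:
        """channel is 'console' (local serial/UART) or 'network'. The
        maintenance feature is reachable only from the console, and an
        un-enrolled unit accepts nothing at all."""
        if channel != "console":
            return False
        return self.store.verify(password)


if __name__ == "__main__":
    svc = MaintenanceService(CredentialStore())
    print("before enrollment:", svc.login("maint-2019!", "console"))   # False
    print("enroll:", svc.first_login("Correct-Horse-Battery-9"))       # True
    print("console login:", svc.login("Correct-Horse-Battery-9", "console"))  # True
    print("network login:", svc.login("Correct-Horse-Battery-9", "network"))  # False
```

The important difference from the vulnerable function is not only that the password is no longer in the binary: the un-enrolled state rejects every attempt rather than accepting a default, and the network path is closed regardless of what the caller knows.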
Detection Methods
Method: Black Box
Credential storage in configuration files is findable using black-box methods, but the use of hard-coded credentials in an inbound authentication routine typically involves an account that is not visible outside of the code.
Effectiveness: Moderate
Method: Automated Static Analysis
Automated white-box techniques have been published for detecting hard-coded credentials in inbound authentication, but there is some expert disagreement regarding their effectiveness and their applicability across the broad range of methods in use.
Method: Manual Static Analysis
This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, the analyst usually has enough time to locate the inbound authentication routines and examine the program logic for use of hard-coded credentials. Configuration files can also be analyzed.
Method: Manual Dynamic Analysis
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: High
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis
Effectiveness: SOAR Partial
Method: Architecture or Design Review
Effectiveness: High
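The static-analysis detection methods above describe what an analyst looks for: credential-looking assignments in source and configuration files, and comparisons of identity variables against string literals inside an inbound authentication routine. The following is an added example, not part of the CWE entry or any published tool, of a line-oriented check that implements those rules and distinguishes a literal from an environment or template reference. The rule set, the two constructed sample inputs (a source snippet and an INI-style config) and the `Finding` record are illustrative; a production scanner would also parse the language's AST and track data flow into the authentication routine rather than match lines.

```python
"""Added example: a line-oriented hard-coded credential detector.
Rules and sample inputs are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

CRED_NAME = (r"(?:pass(?:word|wd|phrase)?|pwd|secret(?:_?key)?|api_?key|"
             r"token|private_?key|community)")
# name = value  or  name: value, where the name suggests a credential
ASSIGN_RE = re.compile(rf"""(?i)\b(?P<name>\w*{CRED_NAME}\w*)["']?\s*[:=]\s*(?P<value>.+)$""")
# an identity-looking variable compared against a string literal: the
# fingerprint of an inbound authentication routine with a baked-in account
COMPARE_RE = re.compile(rf"""(?i)\b(?P<name>\w*(?:{CRED_NAME}|pw|user|login)\w*)\s*==\s*["'](?P<value>[^"']+)["']""")
LITERAL_RE = re.compile(r"""^["']([^"']*)["']""")
# some credential formats are recognisable by shape regardless of variable name
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# environment references and obvious templates are not findings
PLACEHOLDER_RE = re.compile(r"^(?:\$\{?\w+\}?|<[^>]+>|%\w+%|\*+|x+)$", re.I)


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    name: str
    value: str


def _literal_value(raw: str, kind: str) -> Optional[str]:
    """Return the credential literal on the right-hand side, or None when the
    value is a lookup (source), a template, or empty."""
    raw = raw.strip()
    if not raw or raw.startswith("="):      # '==' comparison, handled by COMPARE_RE
        return None
    m = LITERAL_RE.match(raw)
    if m:
        value = m.group(1)
    elif kind == "config":
        value = raw.split()[0]              # bare INI/.env style value
    else:
        return None                         # variable or os.environ lookup, not a literal
    if not value or PLACEHOLDER_RE.match(value):
        return None
    return value


def scan(text: str, kind: str = "source") -> list[Finding]:
    """kind is 'source' (only quoted literals count) or 'config'
    (bare values count too). Returns one Finding per rule hit."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if m:
            value = _literal_value(m.group("value"), kind)
            if value is not None:
                findings.append(Finding(lineno, "hard-coded-assignment", m.group("name"), value))
        for m in COMPARE_RE.finditer(line):
            findings.append(Finding(lineno, "literal-comparison", m.group("name"), m.group("value")))
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(lineno, "aws-access-key-id", "", m.group(0)))
    return findings


# Constructed sample inputs (not taken from any real product).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "s3cr3t-db-pass"
api_key = os.environ["API_KEY"]
def check_login(user, pw):
    if user == "admin" and pw == "letmein2019":
        return True
    return False
token = "AKIAIOSFODNN7EXAMPLE"
placeholder = ""
"""

SAMPLE_CONFIG = """\
[database]
host = db.internal
password = hunter2
[api]
secret_key = ${SECRET_KEY}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE, "source") + scan(SAMPLE_CONFIG, "config"):
        print(f"line {f.line}: {f.rule} {f.name}={f.value!r}")
```

Two design points carry over to real tooling: the environment lookup on the source line `api_key = os.environ[...]` and the `${SECRET_KEY}` template in the config are deliberately not reported, because the black-box note above is right that config-file findings are cheap while the interesting case is the literal comparison inside `check_login`, which only a code-level check can see.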
Observed Examples
Reference: CVE-2022-29953
Condition Monitor firmware has a maintenance interface with hard-coded credentials
Reference: CVE-2022-29960
Engineering Workstation uses hard-coded cryptographic keys that could allow unauthorized filesystem access and privilege escalation
Reference: CVE-2022-29964
Distributed Control System (DCS) has hard-coded passwords for local shell access
Reference: CVE-2022-30997
Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials
Reference: CVE-2022-30314
Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration
Reference: CVE-2022-30271
Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments
Reference: CVE-2021-37555
Telnet service for an IoT feeder for dogs and cats has a hard-coded password [REF-1288]
Reference: CVE-2021-35033
Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port
Reference: CVE-2012-3503
Installation script has a hard-coded secret token value, allowing attackers to bypass authentication
Reference: CVE-2010-2772
SCADA system uses a hard-coded password to protect a back-end database containing authorization information; exploited by the Stuxnet worm
Reference: CVE-2010-2073
FTP server library uses hard-coded usernames and passwords for three default accounts
Reference: CVE-2010-1573
Chain: router firmware uses a hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code
Reference: CVE-2008-2369
Server uses a hard-coded authentication key
Reference: CVE-2008-0961
Backup product uses a hard-coded username and password, allowing attackers to bypass authentication via the RPC interface
Reference: CVE-2008-1160
Security appliance uses a hard-coded password, allowing attackers to gain root access
Reference: CVE-2006-7142
Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs
Reference: CVE-2005-3716
VoIP product uses hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information
Reference: CVE-2005-3803
VoIP product uses hard-coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information
Reference: CVE-2005-0496
Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Programming Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| The CERT Oracle Secure Coding Standard for Java (2011) | MSC03-J | Never hard code sensitive information | - |
| OMG ASCSM | ASCSM-CWE-798 | - | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 1.5 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.5 | - |
Key Information
CWE ID: CWE-798
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: High