Description
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Modes of Introduction:
– Architecture and Design
Likelihood of Exploit: High
Related Weaknesses
CWE-287
CWE-287
CWE-344
CWE-671
CWE-257
Consequences
Access Control: Bypass Protection Mechanism
If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question.
Integrity, Confidentiality, Availability, Access Control, Other: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other
This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.
Potential Mitigations
Phase: Architecture and Design
Effectiveness:
Description:
Phase: Architecture and Design
Effectiveness:
Description:
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a “first login” mode that requires the user to enter a unique strong password or key.
Phase: Architecture and Design
Effectiveness:
Description:
If the software must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Phase: Architecture and Design
Effectiveness:
Description:
Phase: Architecture and Design
Effectiveness:
Description:
CVE References
- CVE-2010-2772
- SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm
- CVE-2010-2073
- FTP server library uses hard-coded usernames and passwords for three default accounts
- CVE-2010-1573
- Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code
- CVE-2008-2369
- Server uses hard-coded authentication key
- CVE-2008-0961
- Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface
- CVE-2008-1160
- Security appliance uses hard-coded password allowing attackers to gain root access
- CVE-2006-7142
- Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs
- CVE-2005-3716
- VoIP product uses unchangeable hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information
- CVE-2005-3803
- VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information
- CVE-2005-0496
- Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system