Tag Archives: Use of Hard-coded Credentials

CWE-798 – Use of Hard-coded Credentials

Read Time:2 Minute, 15 Second

Description

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

 

Related Weaknesses

CWE-287
CWE-287
CWE-344
CWE-671
CWE-257

 

Consequences

Access Control: Bypass Protection Mechanism

If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question.

Integrity, Confidentiality, Availability, Access Control, Other: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code.

 

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a “first login” mode that requires the user to enter a unique strong password or key.

Phase: Architecture and Design

Effectiveness:

Description: 

If the software must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

CVE References

 

  • CVE-2010-2772
    • SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm
  • CVE-2010-2073
    • FTP server library uses hard-coded usernames and passwords for three default accounts
  • CVE-2010-1573
    • Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code
  • CVE-2008-0961
    • Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface
  • CVE-2008-1160
    • Security appliance uses hard-coded password allowing attackers to gain root access
  • CVE-2006-7142
    • Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs
  • CVE-2005-3716
    • VoIP product uses unchangeable hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information
  • CVE-2005-3803
    • VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information
  • CVE-2005-0496
    • Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system