CWE-798 Details

CWE-798

Use of Hard-coded Credentials
Hoch
Draft
2010-02-16
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

Allgemeine Informationen

Einführungsmodi

Architecture and Design : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)

Technologien

Class: Mobile (Undetermined)
Class: ICS/OT (Often)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
Access ControlBypass Protection Mechanism
Integrity
Confidentiality
Availability
Access Control
Other		Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2022-40263

Software for biological cell analysus has hard-coded credentials, leading to leak of Protected Health Information (PHI)

CVE-2022-29953

Condition Monitor firmware has a maintenance interface with hard-coded credentials

CVE-2022-29960

Engineering Workstation uses hard-coded cryptographic keys that could allow for unathorized filesystem access and privilege escalation

CVE-2022-29964

Distributed Control System (DCS) has hard-coded passwords for local shell access

CVE-2022-30997

Programmable Logic Controller (PLC) has a maintenance service that uses undocumented, hard-coded credentials

CVE-2022-30314

Firmware for a Safety Instrumented System (SIS) has hard-coded credentials for access to boot configuration

CVE-2022-30271

Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments

CVE-2021-37555

Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288]

CVE-2021-35033

Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port

CVE-2012-3503

Installation script has a hard-coded secret token value, allowing attackers to bypass authentication

CVE-2010-2772

SCADA system uses a hard-coded password to protect back-end database containing authorization information, exploited by Stuxnet worm

CVE-2010-2073

FTP server library uses hard-coded usernames and passwords for three default accounts

CVE-2010-1573

Chain: Router firmware uses hard-coded username and password for access to debug functionality, which can be used to execute arbitrary code

CVE-2008-2369

Server uses hard-coded authentication key

CVE-2008-0961

Backup product uses hard-coded username and password, allowing attackers to bypass authentication via the RPC interface

CVE-2008-1160

Security appliance uses hard-coded password allowing attackers to gain root access

CVE-2006-7142

Drive encryption product stores hard-coded cryptographic keys for encrypted configuration files in executable programs

CVE-2005-3716

VoIP product uses hard-coded public credentials that cannot be changed, which allows attackers to obtain sensitive information

CVE-2005-3803

VoIP product uses hard coded public and private SNMP community strings that cannot be changed, which allows remote attackers to obtain sensitive information

CVE-2005-0496

Backup product contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system

Mögliche Gegenmaßnahmen

Phases : Architecture and Design
Phases : Architecture and Design
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Phases : Architecture and Design
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Phases : Architecture and Design
Phases : Architecture and Design

Erkennungsmethoden

Black Box

Credential storage in configuration files is findable using black box methods, but the use of hard-coded credentials for an incoming authentication routine typically involves an account that is not visible outside of the code.
Wirksamkeit : Moderate

Automated Static Analysis

Automated white box techniques have been published for detecting hard-coded credentials for incoming authentication, but there is some expert disagreement regarding their effectiveness and applicability to a broad range of methods.

Manual Static Analysis

This weakness may be detectable using manual code analysis. Unless authentication is decentralized and applied throughout the product, there can be sufficient time for the analyst to find incoming authentication routines and examine the program logic looking for usage of hard-coded credentials. Configuration files could also be analyzed.

Manual Dynamic Analysis

Automated Static Analysis - Binary or Bytecode

Wirksamkeit : SOAR Partial

Manual Static Analysis - Binary or Bytecode

Wirksamkeit : High

Dynamic Analysis with Manual Results Interpretation

Wirksamkeit : SOAR Partial

Manual Static Analysis - Source Code

Wirksamkeit : High

Automated Static Analysis - Source Code

Wirksamkeit : High

Automated Static Analysis

Wirksamkeit : SOAR Partial

Architecture or Design Review

Wirksamkeit : High

Hinweise zur Schwachstellen-Zuordnung

Begründung : While this entry is at a Base level of abstraction, it has lower-level children that cover specific kinds of credentials.
Kommentar : Consider children such as CWE-259 and CWE-321.

Verwandte Angriffsmuster

CAPEC-ID Name des Angriffsmusters
CAPEC-191 Read Sensitive Constants Within an Executable
CAPEC-70 Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.

Referenzen

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-729

Top 25 Series - Rank 11 - Hardcoded Credentials
Johannes Ullrich.
https://www.sans.org/blog/top-25-series-rank-11-hardcoded-credentials/

REF-172

Mobile App Top 10 List
Chris Wysopal.
https://www.veracode.com/blog/2010/12/mobile-app-top-10-list

REF-962

Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/

REF-1283

OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs.
https://www.forescout.com/resources/ot-icefall-report/

REF-1288

Ethical hacking of a Smart Automatic Feed Dispenser
Julia Lokrantz.
http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf

REF-1304

ICS Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
CWE Content Team MITRE 2010-01-15 +00:00 2010-02-16 +00:00 1.8

Änderungen

Name Organisation Datum Kommentar
CWE Content Team MITRE 2010-04-05 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2010-06-21 +00:00 updated Common_Consequences, References
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-12-13 +00:00 updated Description
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Observed_Examples, Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Applicable_Platforms, References
CWE Content Team MITRE 2014-07-30 +00:00 updated Demonstrative_Examples, Detection_Factors
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-01-19 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-01-03 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Applicable_Platforms, Relationships
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2021-07-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-06-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Observed_Examples, References, Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Detection_Factors, Maintenance_Notes, Potential_Mitigations, Taxonomy_Mappings
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Observed_Examples
CWE Content Team MITRE 2024-07-16 +00:00 updated Common_Consequences, Description, Diagram
CWE Content Team MITRE 2024-11-19 +00:00 updated Relationships
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Maintenance_Notes, Mapping_Notes, Observed_Examples, Relationships
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.