Detalle CWE-259

CWE-259

Use of Hard-coded Password
Alto
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Use of Hard-coded Password

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Informaciones generales

Modos de introducción

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Architecture and Design

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Tecnologías

Class: ICS/OT (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
Access ControlGain Privileges or Assume Identity

Note: If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.
Access ControlGain Privileges or Assume Identity, Hide Activities, Reduce Maintainability

Note: A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.

Ejemplos observados

Referencias Descripción

CVE-2022-29964

Distributed Control System (DCS) has hard-coded passwords for local shell access

CVE-2021-37555

Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288]

CVE-2021-35033

Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port

Mitigaciones potenciales

Phases : Architecture and Design
For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Phases : Architecture and Design
For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Phases : Architecture and Design
Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Phases : Architecture and Design
Phases : Architecture and Design

Métodos de detección

Manual Analysis

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.

Black Box

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notas

It might be appropriate to split this entry into an inbound variant and an outbound variant. These variants are likely to have different consequences, detectability, etc., although such differences are not suitable for a split. More importantly, from a vulnerability theory perspective, they might be characterized as different behaviors. The difference is in where the hard-coded password is stored - on the component performing the authentication, or the component that is connecting to the external component that requires authentication. However, as with many weaknesses, the "vulnerability topology" should not be regarded as important enough for splits. For example, separate weaknesses do not exist for client-to-server buffer overflows versus server-to-client buffer overflows.

Referencias

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-1283

OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs.
https://www.forescout.com/resources/ot-icefall-report/

REF-1288

Ethical hacking of a Smart Automatic Feed Dispenser
Julia Lokrantz.
http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf

REF-1304

ICS Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
7 Pernicious Kingdoms 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificaciones

Nombre Organización Fecha Comentario
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2008-10-14 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2008-11-13 +00:00 Significant description modifications to emphasize different variants.
CWE Content Team MITRE 2008-11-24 +00:00 updated Demonstrative_Examples, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations
CWE Content Team MITRE 2009-01-12 +00:00 updated Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations, Relationships
CWE Content Team MITRE 2009-03-10 +00:00 updated Potential_Mitigations
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, White_Box_Definitions
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, Relationships
CWE Content Team MITRE 2010-04-05 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2010-06-21 +00:00 updated Detection_Factors, Potential_Mitigations
CWE Content Team MITRE 2010-09-27 +00:00 updated Relationships
CWE Content Team MITRE 2010-12-13 +00:00 updated Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2017-01-19 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-05-03 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, White_Box_Definitions
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships, Type
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples, Maintenance_Notes
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples, Observed_Examples, References
CWE Content Team MITRE 2023-01-31 +00:00 updated Applicable_Platforms, Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Observed_Examples
CWE Content Team MITRE 2025-04-03 +00:00 updated Common_Consequences, Description, Diagram, Maintenance_Notes, Other_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.