CWE-259 Detalhe

CWE-259

Use of Hard-coded Password
Alta
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificações para um CWE
Fique informado sobre quaisquer alterações para um CWE específico.
Gerenciar notificações

Nome: Use of Hard-coded Password

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Informações Gerais

Modos de Introdução

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Architecture and Design

Plataformas Aplicáveis

Linguagem

Class: Not Language-Specific (Undetermined)

Tecnologias

Class: ICS/OT (Undetermined)

Consequências Comuns

Escopo Impacto Probabilidade
Access ControlGain Privileges or Assume Identity

Note: If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.
Access ControlGain Privileges or Assume Identity, Hide Activities, Reduce Maintainability

Note: A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.

Exemplos Observados

Referências Descrição

CVE-2022-29964

Distributed Control System (DCS) has hard-coded passwords for local shell access

CVE-2021-37555

Telnet service for IoT feeder for dogs and cats has hard-coded password [REF-1288]

CVE-2021-35033

Firmware for a WiFi router uses a hard-coded password for a BusyBox shell, allowing bypass of authentication through the UART port

Mitigações Potenciais

Phases : Architecture and Design
For outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Phases : Architecture and Design
For inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Phases : Architecture and Design
Perform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Phases : Architecture and Design
Phases : Architecture and Design

Métodos de Detecção

Manual Analysis

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.

Black Box

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Eficácia : High

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentário : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Notas

It might be appropriate to split this entry into an inbound variant and an outbound variant. These variants are likely to have different consequences, detectability, etc., although such differences are not suitable for a split. More importantly, from a vulnerability theory perspective, they might be characterized as different behaviors. The difference is in where the hard-coded password is stored - on the component performing the authentication, or the component that is connecting to the external component that requires authentication. However, as with many weaknesses, the "vulnerability topology" should not be regarded as important enough for splits. For example, separate weaknesses do not exist for client-to-server buffer overflows versus server-to-client buffer overflows.

Referências

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-1283

OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management
Forescout Vedere Labs.
https://www.forescout.com/resources/ot-icefall-report/

REF-1288

Ethical hacking of a Smart Automatic Feed Dispenser
Julia Lokrantz.
http://kth.diva-portal.org/smash/get/diva2:1561552/FULLTEXT01.pdf

REF-1304

ICS Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords
ICS-CERT.
https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01

Submissão

Nome Organização Data Data de lançamento Version
7 Pernicious Kingdoms 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificações

Nome Organização Data Comentário
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2008-10-14 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2008-11-13 +00:00 Significant description modifications to emphasize different variants.
CWE Content Team MITRE 2008-11-24 +00:00 updated Demonstrative_Examples, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations
CWE Content Team MITRE 2009-01-12 +00:00 updated Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations, Relationships
CWE Content Team MITRE 2009-03-10 +00:00 updated Potential_Mitigations
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated Demonstrative_Examples, Related_Attack_Patterns, White_Box_Definitions
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, Relationships
CWE Content Team MITRE 2010-04-05 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2010-06-21 +00:00 updated Detection_Factors, Potential_Mitigations
CWE Content Team MITRE 2010-09-27 +00:00 updated Relationships
CWE Content Team MITRE 2010-12-13 +00:00 updated Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2017-01-19 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-05-03 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, White_Box_Definitions
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships, Type
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples, Maintenance_Notes
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Demonstrative_Examples, Observed_Examples, References
CWE Content Team MITRE 2023-01-31 +00:00 updated Applicable_Platforms, Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Observed_Examples
CWE Content Team MITRE 2025-04-03 +00:00 updated Common_Consequences, Description, Diagram, Maintenance_Notes, Other_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Relationships
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.