CWE-1391

ClassIncomplete

View on MITRE

Use of Weak Credentials

The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.

34 linked vulnerabilities

1 related weaknesses

Extended Description

Hard-coded (i.e., static and unchangeable by the administrator)
Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator)
Predictable (i.e., generated in a way that produces unique credentials across deployments/installations, but can still be guessed with reasonable efficiency)
Previously Compromised (i.e., "leaked" credentials that were published as part of a data breach)

Architecture and Design

Operation

When the user changes or sets a password, check the password against a database of already compromised or breached passwords. These passwords are likely to be used in password guessing attacks.

Access Control

Bypass Protection Mechanism

An adversary could bypass intended authentication restrictions.

Modes of Introduction

Requirements

Architecture and Design

Installation

Operation

Related Weaknesses

CWE-1390ChildOf

Example CVEs (15)

[REF-1374]

Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)

CVE-2022-30270

Remote Terminal Unit (RTU) uses default credentials for some SSH accounts

CVE-2022-29965

Distributed Control System (DCS) uses a deterministic algorithm to generate utility passwords

CVE-2022-30271

Remote Terminal Unit (RTU) uses a hard-coded SSH private key that is likely to be used in typical deployments

CVE-2021-38759

microcontroller board has default password, allowing admin access

External Links

MITRE CWE Database