Base · Incomplete

CWE-1204: Generation of Weak Initialization Vector (IV)

Category: other

Description

The product uses a cryptographic primitive that takes an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive. By design, some cryptographic primitives (such as block ciphers) require IVs to be unique, unpredictable, or both. Primitives may vary in how important these properties are. If these properties are not maintained, e.g. because of a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.
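The two properties named above can be checked over a record of the IVs a product has emitted. The following is an added example, not part of the CWE entry or of MITRE's material: the 16-byte IV length, the function names, the finding labels and the sample records are all assumptions made for illustration.

```python
import secrets
from collections import defaultdict

IV_LEN = 16  # assumption: 128-bit IV, as for a 128-bit block cipher

def fresh_iv(n=IV_LEN):
    """Draw an IV from the OS CSPRNG: unique and unpredictable in practice."""
    return secrets.token_bytes(n)

def audit_ivs(records, need_unpredictable=True):
    """Audit (key_id, iv) pairs, given in the order they were produced.

    Uniqueness is always checked per key. Set need_unpredictable=False for a
    primitive that only requires a non-repeating IV, where a counter is fine.
    Returns a list of (record_index, finding) tuples.
    """
    findings = []
    seen = defaultdict(set)  # key_id -> IVs already used under that key
    prev = {}                # key_id -> previous IV as an integer
    for i, (key_id, iv) in enumerate(records):
        if len(iv) != IV_LEN:
            findings.append((i, "wrong-length"))
            continue
        if need_unpredictable and iv == bytes(IV_LEN):
            findings.append((i, "all-zero"))
        if iv in seen[key_id]:
            findings.append((i, "reused"))
        else:
            seen[key_id].add(iv)
        n = int.from_bytes(iv, "big")
        if need_unpredictable and n - prev.get(key_id, n) == 1:
            findings.append((i, "sequential"))
        prev[key_id] = n
    return findings

# Constructed sample log of encryption operations (not real data).
SAMPLE = [
    ("k1", bytes(16)),                # constant zero IV
    ("k1", (1).to_bytes(16, "big")),  # counter used as IV
    ("k1", (2).to_bytes(16, "big")),
    ("k1", (1).to_bytes(16, "big")),  # same IV again under the same key
    ("k2", (1).to_bytes(16, "big")),  # same bytes, different key: not reuse
    ("k2", b"short"),                 # malformed
]

if __name__ == "__main__":
    for finding in audit_ivs(SAMPLE):
        print(finding)
```

The need_unpredictable switch reflects the point that primitives vary in which property matters: a counter passes when only uniqueness is required, while reuse under the same key is reported in both modes.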

Common consequences· 1

  • Confidentiality — Read Application Data
    If the IV is not properly initialized, data that is encrypted can be compromised and information about the data can be leaked. See [REF-1179].

Potential mitigations· 1

  • [Implementation]

Related CAPEC attack patterns· 2

CAPEC-20, CAPEC-97

References

  1. https://cwe.mitre.org/data/definitions/1204.html

Exploits (incoming)· 2

Type | Target | Confidence | Tier
AttackPattern | Cryptanalysis (capec-97) | 100% | live
AttackPattern | Encryption Brute Forcing (capec-20) | 100% | live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Generation of Predictable IV with CBC Mode
  • CWE: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE: Use of Insufficiently Random Values
  • CWE: Inadequate Encryption Strength
  • CWE: Use of a Broken or Risky Cryptographic Algorithm
  • CWE: Use of a Cryptographic Primitive with a Risky Implementation

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.