Key Management Errors
|ID: 320||Date: (C)2012-05-14 (M)2018-09-04|
|Type: category||Status: DRAFT|
Weaknesses in this category are related to errors in the
management of cryptographic keys.
Applicable PlatformsLanguage Class: All
|CWE-320 ChildOf CWE-310 ||Category ||CWE-699 || |
- CVE-2005-2146 : insecure permissions when generating secret key, allowing spoofing
- CVE-2001-1527 : administration passwords in cleartext in executable
- CVE-2000-0762 : default installation of product uses a default encryption key, allowing others to spoof the administrator
- CVE-2002-1947 : static key / global shared key -- "global shared key" - product uses same SSL key for all installations, allowing attackers to eavesdrop or hijack session.
- CVE-2005-4002 : static key / global shared key -- "global shared key" - product uses same secret key for all installations, allowing attackers to decrypt data.
- CVE-2005-2196 : static key / global shared key -- Product uses default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. Overlaps: default.
- CVE-2005-1794 : Exposed or accessible private key (overlaps information exposure) -- Private key stored in executable
- CVE-2001-0072 : Exposed or accessible private key (overlaps information exposure) -- Crypto program imports both public and private keys but does not tell the user about the private keys, possibly breaking the web of trust.
- CVE-2005-3256 : Misc -- Encryption product accidentally selects the wrong key if the key doesn't have additional fields that are normally expected, allowing the owner of the wrong key to decrypt the data.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
|PLOVER || ||Key Management Errors || |