Category: Security Primitives and Cryptography Issues
Draft
Summary
Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | This weakness occurs when a product uses a custom, unverified, or non-compliant implementation of a cryptographic algorithm instead of a trusted, standard solution. |
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | This vulnerability occurs when a device or application relies on a predictable algorithm to generate pseudo-random numbers, making the output sequence foreseeable. |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | This vulnerability occurs when cryptographic processes start before their required dependencies are properly initialized and ready to supply valid data, potentially compromising security. |
| CWE-1351 | Improper Handling of Hardware Behavior in Exceptionally Cold Environments | This weakness occurs when a hardware device or its firmware lacks proper safeguards to maintain security functions when operated in extremely cold temperatures. Designers may fail to anticipate how critical components, like memory or security primitives, behave outside their standard operating range, creating exploitable gaps. |
| CWE-1431 | Driving Intermediate Cryptographic State/Results to Hardware Module Outputs | This vulnerability occurs when a hardware cryptographic module leaks sensitive internal data through its output channels. Instead of only providing the final encrypted or decrypted result, the module inadvertently exposes intermediate calculation states or partial results via its output wires or ports. |
| CWE-203 | Observable Discrepancy | This vulnerability occurs when an application responds differently to unauthorized users based on internal conditions. Attackers can observe these variations—like changes in error messages, timing, or system behavior—to infer sensitive information, such as whether a username exists, a password is incorrect, or a specific operation succeeded. |
| CWE-325 | Missing Cryptographic Step | This vulnerability occurs when a software implementation skips a critical step in a cryptographic process, resulting in security that is significantly weaker than the intended algorithm provides. |
| CWE-1194 | Hardware Design | This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.