Use of Default Cryptographic Key

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when a system uses a pre-configured, publicly known cryptographic key for security-critical operations instead of generating a unique one.

Extended Description

Developers and manufacturers sometimes embed default cryptographic keys to simplify initial setup, manufacturing, or deployment. While convenient, this practice creates a severe security flaw if these keys are never changed, as they become a universal 'master key' known to attackers. Attackers can exploit this by using the publicly available default key to bypass authentication, decrypt sensitive data, or forge communications across every system that hasn't been properly configured. To prevent this, systems must be designed to require unique, strong keys generated during installation or first use, and administrators must be clearly prompted to change any defaults.

Common Consequences
Scope: Authentication

Impact: Gain Privileges or Assume Identity

Potential Mitigations
Phase: Requirements
Prohibit use of default, hard-coded, or other values that do not vary for each installation of the product - especially for separate organizations.

Effectiveness: High

Phase: Architecture and Design
Force the administrator to change the credential upon installation.

Effectiveness: High

Phase: Installation, Operation
The product administrator could change the defaults upon installation or during operation.

Effectiveness: Moderate
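As an added example (not part of the CWE entry), a first-boot key provisioning routine that implements the Requirements and Architecture and Design mitigations above: it refuses to start with a key whose fingerprint matches a known shipped default and generates a unique key per installation instead. The default key value, the fingerprint set and the file name are constructed placeholders.

```python
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Constructed placeholder for a vendor-shipped default key present in every image.
SHIPPED_DEFAULT_KEY = b"\x00" * 32
# SHA-256 fingerprints of keys that must never be accepted in production.
KNOWN_DEFAULT_FINGERPRINTS = {hashlib.sha256(SHIPPED_DEFAULT_KEY).hexdigest()}


class DefaultKeyError(RuntimeError):
    """Raised when the configured key matches a known default."""


def is_default_key(key: bytes) -> bool:
    """Compare the key's fingerprint against the known-default set."""
    return hashlib.sha256(key).hexdigest() in KNOWN_DEFAULT_FINGERPRINTS


def load_or_provision_key(key_path: Path) -> bytes:
    """Return this installation's unique key, generating it on first use.

    Fails closed on a known default so a deployment that never changed the
    shipped value cannot silently share a 'master key' with every other one.
    """
    if key_path.exists():
        key = key_path.read_bytes()
        if is_default_key(key):
            raise DefaultKeyError(f"{key_path} holds a known default key; replace it")
        return key
    # First use: 256-bit random key, created atomically with owner-only permissions.
    key = secrets.token_bytes(32)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def self_check() -> dict:
    """Exercise provisioning, reuse and default rejection in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        fresh = Path(d) / "node.key"          # constructed path
        first = load_or_provision_key(fresh)  # first boot: provisions a key
        again = load_or_provision_key(fresh)  # later boot: reuses the same key
        stale = Path(d) / "default.key"
        stale.write_bytes(SHIPPED_DEFAULT_KEY)
        try:
            load_or_provision_key(stale)
            rejected = False
        except DefaultKeyError:
            rejected = True
    return {"key_len": len(first), "stable": first == again,
            "unique": not is_default_key(first), "default_rejected": rejected}
```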

Observed Examples
CVE-2018-3825: cloud cluster management product has a default master encryption key
CVE-2016-1561: backup storage product has a default SSH public key in the authorized_keys file, allowing root access
CVE-2010-2306: Intrusion Detection System (IDS) uses the same static, private SSL keys for multiple devices and installations, allowing decryption of SSL traffic
Applicable Platforms
Languages: Not Language-Specific (Undetermined Prevalence)
Technologies: Not Technology-Specific (Undetermined Prevalence)
Modes of Introduction
Architecture and Design
Related Weaknesses