Inadequate Encryption Strength

Draft Class
Structure: Simple
Description

This vulnerability occurs when an application protects sensitive information with encryption, but the specific algorithm or key strength used is too weak to withstand modern attack methods.

Extended Description

Using outdated or insufficient encryption—like short keys, deprecated algorithms (e.g., DES, RC4), or weak cipher modes—creates a false sense of security. Attackers can exploit this by running brute-force or cryptanalytic attacks to decrypt data with feasible computing power, potentially exposing credentials, personal data, or financial information. Identifying and upgrading weak encryption across a large codebase can be challenging. An ASPM platform like Plexicus not only detects these patterns through SAST/DAST but uses AI to generate specific remediation guidance, helping teams efficiently enforce strong cryptographic standards throughout their application portfolio.

Common Consequences
Scope: Access Control, Confidentiality

Impact: Bypass Protection Mechanism, Read Application Data

An attacker may be able to decrypt the data using brute force attacks.

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
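A small pattern-based check in the spirit of the static analysis described above, as an added example that is not part of the original entry or of any vendor's tool: it walks a Python syntax tree and flags DES, RC4, ECB mode and short RSA keys. The rule sets, the 2048-bit threshold and the sample source are assumptions constructed for illustration; the flagged calls follow the PyCryptodome and `cryptography` APIs, and a production SAST tool would add data-flow tracking on top of this.

```python
import ast

# Assumed policy for this example; names and thresholds are illustrative.
WEAK_CIPHERS = {"DES", "ARC4"}   # DES and RC4 (named ARC4 in PyCryptodome)
WEAK_MODES = {"MODE_ECB"}        # identical plaintext blocks give identical ciphertext
MIN_RSA_BITS = 2048

# Constructed sample input: it is parsed only, never executed.
SAMPLE = '''
from Crypto.Cipher import AES, DES, ARC4
from cryptography.hazmat.primitives.asymmetric import rsa

a = DES.new(key, DES.MODE_CBC, iv)
b = ARC4.new(key)
c = AES.new(key, AES.MODE_ECB)
d = AES.new(key, AES.MODE_GCM, nonce=nonce)
e = rsa.generate_private_key(public_exponent=65537, key_size=1024)
f = rsa.generate_private_key(public_exponent=65537, key_size=3072)
'''

def find_weak_crypto(source):
    """Return sorted (line, message) findings for weak crypto calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        func = node.func
        owner = func.value.id if isinstance(func.value, ast.Name) else None
        if func.attr == "new":
            # Deprecated algorithm: DES.new(...) or ARC4.new(...)
            if owner in WEAK_CIPHERS:
                findings.append((node.lineno, f"deprecated cipher {owner}"))
            # Weak mode passed positionally or by keyword: AES.MODE_ECB
            for arg in node.args + [k.value for k in node.keywords]:
                if isinstance(arg, ast.Attribute) and arg.attr in WEAK_MODES:
                    findings.append((node.lineno, f"weak cipher mode {arg.attr}"))
        if func.attr == "generate_private_key" and owner == "rsa":
            # Short key: literal key_size below the assumed minimum
            for kw in node.keywords:
                bits = kw.value.value if isinstance(kw.value, ast.Constant) else None
                if kw.arg == "key_size" and isinstance(bits, int) and bits < MIN_RSA_BITS:
                    findings.append((node.lineno, f"RSA key of {bits} bits"))
    return sorted(findings)

if __name__ == "__main__":
    for line, message in find_weak_crypto(SAMPLE):
        print(f"line {line}: {message}")
```

Key sizes passed through variables or configuration are not caught by this literal match, which is where the source-to-sink modelling described above becomes necessary.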
Potential Mitigations
Phase: Architecture and Design
Use an encryption scheme that is currently considered to be strong by experts in the field.
Observed Examples
CVE-2001-1546: Weak encryption
CVE-2004-2172: Weak encryption (chosen plaintext attack)
CVE-2002-1682: Weak encryption
CVE-2002-1697: Weak encryption produces same ciphertext from the same plaintext blocks.
CVE-2002-1739: Weak encryption
CVE-2005-2281: Weak encryption scheme
CVE-2002-1872: Weak encryption (XOR)
CVE-2002-1910: Weak encryption (reversible algorithm).
CVE-2002-1946: Weak encryption (one-to-one mapping).
CVE-2002-1975: Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
Applicable Platforms
Languages:
Not Language-Specific: Undetermined
Modes of Introduction
Architecture and Design
Related Weaknesses
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • OWASP Top Ten 2007
  • OWASP Top Ten 2004