{"@ID": "329", "@Name": "Generation of Predictable IV with CBC Mode", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.", "Extended_Description": {"xhtml:p": "CBC mode eliminates a weakness of Electronic Code\n\t   Book (ECB) mode by allowing identical plaintext blocks to\n\t   be encrypted to different ciphertext blocks. This is\n\t   possible by the XOR-ing of an IV with the initial plaintext\n\t   block so that every plaintext block in the chain is XOR'd\n\t   with a different value before encryption. If IVs are\n\t   reused, then identical plaintexts would be encrypted to\n\t   identical ciphertexts. However, even if IVs are not\n\t   identical but are predictable, then they still break the\n\t   security of CBC mode against Chosen Plaintext Attacks\n\t   (CPA)."}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1204", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "573", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "ICS/OT", "@Prevalence": "Undetermined"}}, "Background_Details": {"Background_Detail": {"xhtml:p": ["CBC mode is a commonly used mode of operation for a\n\t      block cipher. It works by XOR-ing an IV with the initial\n\t      block of a plaintext prior to encryption and then\n\t      XOR-ing each successive block of plaintext with the\n\t      previous block of ciphertext before encryption.", "When used properly, CBC mode provides security against\n\t\tchosen plaintext attacks. Having an unpredictable IV\n\t\tis a crucial underpinning of this. See [REF-1171]."], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "C_0 = IV\n\t\tC_i = E_k{M_i XOR C_{i-1}}"}}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "Developers might dismiss the importance of an unpredictable IV and choose an easier implementation to save effort, weakening the scheme in the process."}}, "Likelihood_Of_Exploit": "Medium", "Common_Consequences": {"Consequence": {"Scope": "Confidentiality", "Impact": "Read Application Data", "Note": "If the IV is not properly initialized, data that is encrypted can be compromised and leak information."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Implementation", "Description": "NIST recommends two methods of generating unpredictable IVs for CBC mode [REF-1172]. The first is to generate the IV randomly. The second method is to encrypt a nonce with the same key and cipher to be used to encrypt the plaintext. In this case the nonce must be unique but can be predictable, since the block cipher will act as a pseudo random permutation."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-143", "Intro_Text": "In the following examples, CBC mode is used when encrypting data:", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "#text": "EVP_CIPHER_CTX ctx;char key[EVP_MAX_KEY_LENGTH];char iv[EVP_MAX_IV_LENGTH];RAND_bytes(key, b);memset(iv,0,EVP_MAX_IV_LENGTH);EVP_EncryptInit(&ctx,EVP_bf_cbc(), key,iv);"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00"}, "#text": "byte[] text =\"Secret\".getBytes();byte[] iv ={};KeyGenerator kg = KeyGenerator.getInstance(\"DES\");kg.init(56);SecretKey key = kg.generateKey();Cipher cipher = Cipher.getInstance(\"DES/CBC/PKCS5Padding\");IvParameterSpec ips = new IvParameterSpec(iv);cipher.init(Cipher.ENCRYPT_MODE, key, ips);return cipher.doFinal(inpBytes);"}}, "#text": "public static void main() {}"}}, "#text": "public class SymmetricCipherTest {}"}}], "Body_Text": "In both of these examples, the initialization vector (IV) is always a block of zeros. This makes the resulting cipher text much more predictable and susceptible to a dictionary attack."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2020-5408", "Description": "encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-5408"}, {"Reference": "CVE-2017-17704", "Description": "messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart", "Link": "https://www.cve.org/CVERecord?id=CVE-2017-17704"}, {"Reference": "CVE-2017-11133", "Description": "application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong.", "Link": "https://www.cve.org/CVERecord?id=CVE-2017-11133"}, {"Reference": "CVE-2007-3528", "Description": "Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-3528"}, {"Reference": "CVE-2011-3389", "Description": "BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack.", "Link": "https://www.cve.org/CVERecord?id=CVE-2011-3389"}]}, "Functional_Areas": {"Functional_Area": "Cryptography"}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "CLASP", "Entry_Name": "Not using a random IV with CBC mode"}}, "References": {"Reference": [{"@External_Reference_ID": "REF-62", "@Section": "Chapter 2, \"Initialization Vectors\", Page 42"}, {"@External_Reference_ID": "REF-18"}, {"@External_Reference_ID": "REF-1171"}, {"@External_Reference_ID": "REF-1172", "@Section": "Appendix C"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "As of CWE 4.5, terminology related to randomness, entropy, and\n\t   predictability can vary widely. Within the developer and other\n\t   communities, \"randomness\" is used heavily. However, within\n\t   cryptography, \"entropy\" is distinct, typically implied as a\n\t   measurement. There are no commonly-used definitions, even within\n\t   standards documents and cryptography papers. Future versions of\n\t   CWE will attempt to define these terms and, if necessary,\n\t   distinguish between them in ways that are appropriate for\n\t   different communities but do not reduce the usability of CWE for\n\t   mapping, understanding, or other scenarios."}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Background_Details, Common_Consequences, Functional_Areas, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Demonstrative_Examples, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Description, Maintenance_Notes, Name, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Modes_of_Introduction, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships, Weakness_Ordinalities"}], "Previous_Entry_Name": [{"@Date": "2021-03-15", "#text": "Not Using a Random IV with CBC Mode"}, {"@Date": "2021-07-20", "#text": "Not Using an Unpredictable IV with CBC Mode"}]}}
