
CWE-1204 vulnerability list (2)

Summary of the 2 CVE vulnerabilities associated with the CWE-1204 weakness class, with AI-generated analysis (in Chinese).

CWE-1204 is a cryptographic implementation flaw: the system generates initialization vectors (IVs) that lack sufficient uniqueness or unpredictability. An attacker can exploit this weakness through replay attacks or pattern analysis to break the encrypted data, leading to information disclosure. Developers should ensure that IVs are produced by a cryptographically secure random number generator and strictly follow the algorithm's specification, so that the IV for every encryption operation is unique and unpredictable, thereby preserving data confidentiality.

MITRE CWE official description
CWE-1204: Generation of Weak Initialization Vector (IV). The product uses a cryptographic primitive that requires an initialization vector (IV), but it does not generate IVs that are sufficiently unpredictable or unique, according to the expected cryptographic requirements for that primitive. By design, some cryptographic primitives (such as block ciphers) require that IVs satisfy certain properties to ensure uniqueness and/or unpredictability. Different primitives place different weight on these properties. If these properties are not maintained, for example because of a bug in the code, then cryptographic security may be weakened or broken by attacking the IV directly.
Common consequences (1)
Confidentiality: Read Application Data
If the IV is not properly initialized, data that is encrypted can be compromised and information about the data can be leaked. See [REF-1179].
Mitigations (1)
Implementation: Different cipher modes have different requirements for their IVs. When choosing and implementing a mode, it is important to understand those requirements in order to keep security guarantees intact. Generally, it is safest to generate a random IV, since it will be both unpredictable and have a very low chance of being non-unique. IVs d…
Code examples (2)
In the following examples, CBC mode is used when encrypting data:
Bad · C (the key is random, but the IV is zeroed with memset, so every message encrypted under this key shares the same IV):

    #include <string.h>
    #include <openssl/evp.h>
    #include <openssl/rand.h>

    static void encrypt_with_fixed_iv(void)
    {
        EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();  /* OpenSSL 1.1+ keeps the context opaque */
        unsigned char key[EVP_MAX_KEY_LENGTH];
        unsigned char iv[EVP_MAX_IV_LENGTH];
        RAND_bytes(key, EVP_MAX_KEY_LENGTH);         /* the original passed an undefined 'b' here */
        memset(iv, 0, EVP_MAX_IV_LENGTH);            /* constant IV: this is the CWE-1204 defect */
        EVP_EncryptInit(ctx, EVP_bf_cbc(), key, iv);
        EVP_CIPHER_CTX_free(ctx);
    }
Bad · Java (the IV is a hard-coded all-zero array, reused for every encryption):

    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.IvParameterSpec;

    public class SymmetricCipherTest {
        public static void main(String[] args) throws Exception {
            byte[] text = "Secret".getBytes();
            byte[] iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };  // constant IV: CWE-1204
            KeyGenerator kg = KeyGenerator.getInstance("DES");
            kg.init(56);
            SecretKey key = kg.generateKey();
            Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
            IvParameterSpec ips = new IvParameterSpec(iv);
            cipher.init(Cipher.ENCRYPT_MODE, key, ips);
            byte[] ciphertext = cipher.doFinal(text);  // the original returned doFinal(inpBytes), which was never defined
        }
    }
The Wired Equivalent Privacy (WEP) protocol used in the 802.11 wireless standard only supported 40-bit keys, and the IVs were only 24 bits, increasing the chances that the same IV would be reused for multiple messages. The IV was included in plaintext as part of the packet, making it directly observable to attackers. Only 5000 messages are needed before a collisi…
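The two bad snippets above, re-expressed in Go as an added example (not code from the CWE entry or from this page): AES-CBC instead of Blowfish/DES, a ZeroIV source that mirrors the constant-IV pattern and a RandomIV source that follows the mitigation, plus a check that shows the leak the entry describes, namely that a fixed IV makes two encryptions of the same record produce identical ciphertext. Function names are mine, and PKCS#7 padding is left out so the block stays short.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptCBC: AES-CBC of a block-aligned plaintext with the caller's IV (no padding, to stay short).
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() || len(plaintext)%block.BlockSize() != 0 {
		return nil, errors.New("iv must be one block and plaintext block-aligned")
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// ZeroIV mirrors the memset(iv,0,...) and {0x00,...} pattern of the bad examples.
func ZeroIV() ([]byte, error) { return make([]byte, aes.BlockSize), nil }

// RandomIV draws a fresh IV from the OS CSPRNG, as the mitigation recommends.
func RandomIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

// CiphertextsRepeat encrypts the same message twice, taking an IV from newIV each time,
// and reports whether the ciphertexts are identical (which tells an observer the plaintexts match).
func CiphertextsRepeat(key, plaintext []byte, newIV func() ([]byte, error)) (bool, error) {
	var cts [2][]byte
	for i := range cts {
		iv, err := newIV()
		if err == nil {
			cts[i], err = EncryptCBC(key, iv, plaintext)
		}
		if err != nil {
			return false, err
		}
	}
	return bytes.Equal(cts[0], cts[1]), nil
}
```

With ZeroIV the check returns true every time; with RandomIV it returns false, because the fresh IV changes the first block and CBC chaining carries that difference through the rest of the message.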
CVE ID          Title                                                  CVSS   Risk     Published
CVE-2025-0714   Mobatek MobaXterm security vulnerability (MobaXterm)   6.5    Medium   2025-02-17
CVE-2023-2747   Silicon Labs Gecko SDK security vulnerability (GSDK)   3.1    Low      2023-06-15

CWE-1204 is a common weakness category; this platform has collected the 2 CVE vulnerabilities associated with it.