Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1279 — Vulnerability Class 2

2 vulnerabilities classified as CWE-1279. AI Chinese analysis included.

CWE-1279 is a critical initialization weakness where cryptographic operations execute before essential supporting hardware units, such as random-number generators, are fully initialized. This vulnerability typically arises in embedded systems or secure enclaves where timing dependencies between components are not strictly managed. Attackers exploit this race condition by triggering encryption before the entropy source is ready, potentially resulting in weak keys, predictable outputs, or complete cryptographic failure. To mitigate this risk, developers must implement robust synchronization mechanisms that verify the readiness of all dependent hardware modules before initiating any cryptographic processes. This often involves polling status registers, using hardware interrupts, or enforcing strict boot sequences that guarantee all security-critical units are operational and validated prior to their first use in sensitive operations.

MITRE CWE Description
Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. Many cryptographic hardware units depend upon other hardware units to supply information to them to produce a securely encrypted result. For example, a cryptographic unit that depends on an external random-number-generator (RNG) unit for entropy must wait until the RNG unit is producing random numbers. If a cryptographic unit retrieves a private encryption key from a fuse unit, the fuse unit must be up and running before a key may be supplied.
Common Consequences (1)
Access Control, Confidentiality, Integrity, Availability, Accountability, Authentication, Authorization, Non-RepudiationVaries by Context
Mitigations (2)
Architecture and DesignBest practices should be used to design cryptographic systems.
ImplementationContinuously ensuring that cryptographic inputs are supplying valid information is necessary to ensure that the encrypted output is secure.
Examples (1)
The following pseudocode illustrates the weak encryption resulting from the use of a pseudo-random-number generator output.
If random_number_generator_self_test_passed() == TRUE then Seed = get_random_number_from_RNG() else Seed = hardcoded_number
Bad · Pseudocode
If random_number_generator_self_test_passed() == TRUE then Seed = get_random_number_from_RNG() else enter_error_state()
Good · Pseudocode
CVE IDTitleCVSSSeverityPublished
CVE-2024-22473 Uninitialized TRNG used for ECDSA after EM2/EM3 sleep for VSE devices — GSDK 6.8 Medium2024-02-21
CVE-2023-4489 Z/IP Gateway Use of Uninitialized PRNG when Generating S0 Encryption Key — Z/IP Gateway SDK 6.4 Medium2023-12-14

Vulnerabilities classified as CWE-1279 represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.