
CWE-327 Use of a Broken or Risky Cryptographic Algorithm: vulnerability list (256)

A summary of 256 CVEs in the CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) weakness class, with AI-generated analysis in Chinese.

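CWE-327 covers vulnerabilities caused by the use of a broken or risky cryptographic algorithm. Attackers often exploit weak algorithms (such as MD5 and DES) to crack protected data, steal sensitive information, or tamper with content. Developers should avoid algorithms known to be insecure, prefer modern standards such as AES and SHA-256, review cryptographic implementations regularly, and keep key management secure, so that data confidentiality and integrity are preserved.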

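MITRE CWE official description
CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
The product uses a broken or risky cryptographic algorithm or protocol.
Cryptographic algorithms are the methods by which data is scrambled to prevent observation or influence by unauthorized actors. Insecure cryptography can be exploited to expose sensitive information, modify data in unexpected ways, spoof the identities of other users or devices, or cause other impacts.
It is very difficult to produce a secure algorithm, and even high-profile algorithms designed by well-known cryptographic experts have been broken. Known techniques exist to break or weaken various kinds of cryptography. Accordingly, only a small number of well-understood and heavily studied algorithms should be used by most products. Using a non-standard or known-insecure algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise the data it protects.
Because cryptography advances so rapidly, an algorithm that was once considered strong may now be regarded as "unsafe". This can happen because new attacks have been discovered, or because computing power has increased so much that the algorithm no longer provides the level of protection originally expected.
For several reasons, this weakness is harder to manage in hardware deployments than in software implementations. First, if a flaw is discovered in hardware-implemented cryptography, in most cases it cannot be fixed without recalling the product, because hardware is not as easily replaced as software. Second, because hardware products are expected to operate for years, the attacker's computing power will keep increasing over time.
Common consequences (3)
Confidentiality: Read Application Data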
The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
Integrity: Modify Application Data
The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
Accountability, Non-Repudiation: Hide Activities
If the cryptographic algorithm is used to ensure the identity of the source of the data (such as digital signatures), then a broken algorithm will compromise this scheme and the source of the data cannot be proven.
Mitigations (5)
Architecture and Design: When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 1…
Architecture and Design: Ensure that the design allows one cryptographic algorithm to be replaced with another in the next generation or version. Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. With hardware, design the product at the Intellectual Property (IP) level so that one cryptographic algorithm can be replaced with another in the next generat…
Effectiveness: Defense in Depth
Architecture and Design: Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature.
Implementation, Architecture and Design: When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Code examples (2)
These code examples use the Data Encryption Standard (DES).
Bad · C:
EVP_des_ecb(); /* selects single DES in ECB mode */
Bad · Java:
Cipher des=Cipher.getInstance("DES..."); // requests a DES cipher
des.initEncrypt(key2);
Bad · Other:
Suppose a chip manufacturer decides to implement a hashing scheme to verify the integrity of a certain bitstream, and it chooses a SHA1 hardware accelerator to implement the scheme.
The manufacturer chooses SHA1 because it already has a working SHA1 Intellectual Property (IP) block that it created and used earlier, so reusing this IP saves design cost.
Good · Other:
The manufacturer could have chosen a cryptographic solution that is recommended by the wider security community (including standard-setting bodies like NIST) and is not expected to be broken (or, better still, even weakened) within the reasonable life expectancy of the hardware product. In this case, the architects could have used SHA-2 or SHA-3, even if that choice would cost extra.
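The replaceable-algorithm wrapper recommended in the mitigations, applied to the bitstream integrity check above, as an added example (not MITRE's code or this page's): each tag records its algorithm, SHA-1 tags are refused by name, and changing `DEFAULT_ALG` moves new tags to a stronger hash. The `alg$hex` tag format, the function names and the sample bitstream are assumptions made for illustration.

```python
import hashlib
import hmac

# Policy table (assumed for this example): algorithm id -> (constructor, approved?).
# SHA-1 stays listed only so legacy tags are recognised and refused by name.
ALGORITHMS = {
    "sha1": (hashlib.sha1, False),
    "sha256": (hashlib.sha256, True),
    "sha3_256": (hashlib.sha3_256, True),
}
DEFAULT_ALG = "sha256"  # the one line to change when moving to a stronger hash


class WeakAlgorithmError(ValueError):
    """Raised when a tag names an algorithm that policy does not approve."""


def _constructor(alg: str):
    ctor, approved = ALGORITHMS.get(alg, (None, False))
    if not approved:
        raise WeakAlgorithmError(f"algorithm {alg!r} is not approved")
    return ctor


def make_tag(data: bytes, alg: str = DEFAULT_ALG) -> str:
    """Return 'alg$hexdigest' so the verifier never has to guess the algorithm."""
    return f"{alg}${_constructor(alg)(data).hexdigest()}"


def verify_tag(data: bytes, tag: str) -> bool:
    """Check data against a tag; refuse outright if the tag's algorithm is weak."""
    alg, _, digest = tag.partition("$")
    expected = _constructor(alg)(data).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


def retag(data: bytes, old_tag: str) -> str:
    """Re-issue a still-valid tag under DEFAULT_ALG (algorithm migration)."""
    if not verify_tag(data, old_tag):
        raise ValueError("data does not match its existing tag")
    return make_tag(data)


# Constructed sample input: a stand-in bitstream and the tag a SHA-1 design would ship.
SAMPLE_BITSTREAM = b"\x00\x09\x0f\xf0" + b"constructed-bitstream" * 4
LEGACY_SHA1_TAG = "sha1$" + hashlib.sha1(SAMPLE_BITSTREAM).hexdigest()

if __name__ == "__main__":
    print(make_tag(SAMPLE_BITSTREAM))
```

Because callers only ever see `make_tag`, `verify_tag` and `retag`, retiring an algorithm is a change to the policy table rather than to every call site.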
| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2023-28244 | Microsoft Windows Kerberos security vulnerability — Windows Server 2019 | 8.1 | High | 2023-04-11 |
| CVE-2023-28509 | Rocket Software UniData and UniVerse cryptographic issue vulnerability — UniData | 7.5 | - | 2023-03-29 |
| CVE-2023-22812 | Western Digital SanDisk PrivateAccess cryptographic issue vulnerability — PrivateAccess | 7.4 | High | 2023-03-24 |
| CVE-2023-23695 | Dell EMC Secure Connect Gateway cryptographic issue vulnerability — Secure Connect Gateway (SCG) 5.0 Appliance - SRS | 5.9 | Medium | 2023-02-17 |
| CVE-2022-22564 | Dell EMC Unity cryptographic issue vulnerability — Unity | 5.9 | Medium | 2023-02-14 |
| CVE-2022-34444 | Dell PowerScale OneFS cryptographic issue vulnerability — PowerScale OneFS | 5.9 | Medium | 2023-02-10 |
| CVE-2022-35720 | IBM Sterling External Authentication Server cryptographic issue vulnerability — Sterling External Authentication Server | 2.3 | Low | 2023-02-08 |
| CVE-2022-22462 | IBM Security Verify Governance cryptographic issue vulnerability — Security Verify Governance | 3.7 | Low | 2023-01-25 |
| CVE-2022-43917 | IBM WebSphere Application Server cryptographic issue vulnerability — WebSphere Application Server | 5.9 | Medium | 2023-01-25 |
| CVE-2023-0296 | etcd cryptographic issue vulnerability — Red Hat OpenShift | 5.3 | - | 2023-01-17 |
| CVE-2022-23539 | jsonwebtoken cryptographic issue vulnerability — node-jsonwebtoken | 5.9 | Medium | 2022-12-22 |
| CVE-2022-22461 | IBM Security Verify Governance cryptographic issue vulnerability — Security Verify Governance, Identity Manager | 5.9 | Medium | 2022-12-22 |
| CVE-2022-38391 | IBM Spectrum Control cryptographic issue vulnerability — Spectrum Control | 5.1 | Medium | 2022-12-20 |
| CVE-2022-27581 | SICK RFU61x cryptographic issue vulnerability — SICK RFU61x Firmware | 6.5 | - | 2022-12-13 |
| CVE-2022-46140 | Some Siemens products cryptographic issue vulnerability — RUGGEDCOM RM1224 LTE(4G) EU | 6.5 | Medium | 2022-12-13 |
| CVE-2022-46832 | SICK RFU61x cryptographic issue vulnerability — SICK RFU62x Firmware | 6.5 | - | 2022-12-13 |
| CVE-2022-46833 | SICK RFU63x cryptographic issue vulnerability — SICK RFU63x Firmware | 6.5 | - | 2022-12-13 |
| CVE-2022-46834 | SICK RFU61x cryptographic issue vulnerability — SICK RFU65x Firmware | 6.5 | - | 2022-12-13 |
| CVE-2022-34361 | IBM Sterling Secure Proxy cryptographic issue vulnerability — Sterling Secure Proxy | 5.9 | Medium | 2022-12-06 |
| CVE-2022-34320 | IBM CICS TX cryptographic issue vulnerability — CICS TX | 5.9 | Medium | 2022-11-14 |
| CVE-2022-34319 | IBM CICS TX cryptographic issue vulnerability — CICS TX | 5.9 | Medium | 2022-11-14 |
| CVE-2021-27784 | HCL Technologies HCL Launch cryptographic issue vulnerability — HCL Launch | 5.9 | Medium | 2022-10-31 |
| CVE-2021-3979 | Red Hat Ceph Storage authorization issue vulnerability — ceph | 4.0 | - | 2022-08-25 |
| CVE-2022-31157 | LTI 1.3 Tool Library security features issue vulnerability — lti-1-3-php-library | 7.5 | High | 2022-07-15 |
| CVE-2022-34757 | Schneider Electric Easergy P5 cryptographic issue vulnerability — Easergy P5 | 6.7 | Medium | 2022-07-13 |
| CVE-2022-31230 | Dell PowerScale OneFS cryptographic issue vulnerability — PowerScale OneFS | 8.1 | High | 2022-06-28 |
| CVE-2022-29249 | JavaEZ cryptographic issue vulnerability — JavaEZ | 7.5 | High | 2022-05-24 |
| CVE-2022-29217 | Python cryptographic issue vulnerability — pyjwt | 7.4 | High | 2022-05-24 |
| CVE-2022-29161 | XWiki cryptographic issue vulnerability — xwiki-platform | 5.4 | Medium | 2022-05-05 |
| CVE-2022-22559 | Dell Technologies Dell PowerScale OneFS cryptographic issue vulnerability — PowerScale OneFS | 7.5 | High | 2022-04-12 |

CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) is a common weakness category; this platform lists 256 CVEs associated with it.