CWE-1392: Use of Default Credentials
Learn about CWE-1392 (Use of Default Credentials), its security impact, exploitation methods, and prevention guidelines.
What is Use of Default Credentials?
• Overview: The Use of Default Credentials vulnerability occurs when a product or system is shipped with preset login credentials such as default passwords or cryptographic keys. These are intended to ease installation and deployment but can lead to security risks if not changed.
• Exploitation Methods:
- Attackers can exploit this vulnerability by using known default credentials to gain unauthorized access.
- Common attack patterns include automated scanning to identify systems with default credentials and using credential stuffing techniques.
• Security Impact:
- Direct consequences include unauthorized access to sensitive data and systems.
- Potential cascading effects could involve lateral movement within a network and exploitation of other vulnerabilities.
- Business impact may include data breaches, loss of client trust, regulatory fines, and operational disruptions.
• Prevention Guidelines:
- Code-level fixes include forcing a credential change on first login.
- Security best practices involve regular audits to ensure no default credentials are in use and educating users on changing passwords.
- Recommended tools and frameworks include password management systems and automated vulnerability scanning tools to detect default credentials.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: ICS/OT, Not Technology-Specific
Vulnerable Code Example
// This JavaScript configuration file is used for connecting to an API service.
// Using default credentials is a security vulnerability as it exposes the system to unauthorized access.
const API_CONFIG = {
  apiKey: "defaultApiKey", // Vulnerable: Default API key
  secret: "defaultSecret"  // Vulnerable: Default secret key
};

// Function that connects to an external service using the provided API configuration
function connectToService(config) {
  console.log("Connecting with API key:", config.apiKey);
}
In this vulnerable example, the API key and secret are hardcoded with default values. This practice is insecure because it can lead to unauthorized access if the code is exposed or shared.
How to fix Use of Default Credentials?
To fix the vulnerability of using default credentials:
- Never Hardcode Secrets: Avoid embedding API keys or secrets directly in the code.
- Use Environment Variables: Store credentials in environment variables, which are accessed by the application at runtime.
- Secret Management Tools: Utilize secret management solutions that automatically manage and rotate secrets securely.
- Prompt for Credentials: Require user input or a secure method for providing credentials during setup or deployment.
Fixed Code Example
require('dotenv').config(); // Use dotenv to load environment variables from a .env file

// Securely obtain API credentials from environment variables
const API_CONFIG = {
  apiKey: process.env.API_KEY,   // Fixed: Retrieve the API key from an environment variable
  secret: process.env.API_SECRET // Fixed: Retrieve the API secret from an environment variable
};

// Function that connects to an external service using the provided API configuration
function connectToService(config) {
  console.log("Connecting with API key:", config.apiKey);
}

// Ensure environment variables are set before running the application
if (!API_CONFIG.apiKey || !API_CONFIG.secret) {
  throw new Error("API credentials not found in environment variables.");
}
In the fixed example, sensitive credentials are moved from hardcoded values into environment variables. This approach aligns with security best practices by separating sensitive data from the codebase, reducing the risk of accidental exposure, and ensuring that credentials are configurable outside the source code itself. This method also facilitates easier credential rotation and management, enhancing the overall security posture of the application.
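The fixed example only checks that the variables are set; an operator who copies the shipped "defaultApiKey" into the environment would still pass. The added example below (not part of the CWE entry) extends the startup check to reject known shipped defaults and to honour a must-change-on-first-login flag, as the prevention guidelines above recommend. KNOWN_DEFAULTS, loadCredentials, validateCredentials, startService and the CREDENTIALS_MUST_CHANGE variable are assumed names, not from any real product.

```javascript
// Added example: refuse to start with shipped default credentials.
// KNOWN_DEFAULTS is a constructed list of values a product might ship with;
// a real deployment would populate it from the product's own defaults.
const KNOWN_DEFAULTS = new Set([
  "defaultApiKey", "defaultSecret", "admin", "password", "changeme", "",
]);

// Returns a reason string if a single credential is unusable, else null.
function checkOne(name, value, minLen) {
  if (!value) return `${name} is unset`;
  if (KNOWN_DEFAULTS.has(value)) return `${name} is a shipped default`;
  if (value.length < minLen) return `${name} is shorter than ${minLen} characters`;
  return null;
}

// Returns { ok, reasons }; ok is false if any credential must not be used.
function validateCredentials(cfg) {
  const reasons = [
    checkOne("API_KEY", cfg.apiKey, 16),
    checkOne("API_SECRET", cfg.secret, 32),
  ].filter(Boolean);
  // Installer sets CREDENTIALS_MUST_CHANGE=1 until the operator rotates them
  // (assumed convention for "force a change on first login").
  if (cfg.mustChange) reasons.push("credentials are flagged for change on first login");
  return { ok: reasons.length === 0, reasons };
}

// Reads credentials from an environment-like object (process.env in practice).
function loadCredentials(env) {
  return {
    apiKey: env.API_KEY,
    secret: env.API_SECRET,
    mustChange: env.CREDENTIALS_MUST_CHANGE === "1",
  };
}

// Fail closed: throw with every reason so the operator can fix them all at once.
function startService(env) {
  const check = validateCredentials(loadCredentials(env));
  if (!check.ok) throw new Error("Refusing to start: " + check.reasons.join("; "));
  return "connected";
}

// Constructed sample: a deployment that copied the shipped defaults into .env.
const SAMPLE_DEFAULT_ENV = { API_KEY: "defaultApiKey", API_SECRET: "defaultSecret" };
```

Calling `startService(SAMPLE_DEFAULT_ENV)` throws, listing both credentials as shipped defaults; in production pass `process.env` instead of the constructed object.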