The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.
By design, some cryptographic primitives (such as block ciphers) require that IVs have certain properties, namely uniqueness and/or unpredictability. Primitives vary in how important each of these properties is. If these properties are not maintained, e.g. because of a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE: CVE-2020-1472 — KEV
ZeroLogon vulnerability - use of a static IV of all zeroes in AES-CFB8 mode
CVE: CVE-2011-3389
BEAST attack in SSL 3.0 / TLS 1.0. In CBC mode, chained initialization vectors are non-random, allowing decryption of HTTPS traffic using a chosen plaintext attack.
CVE: CVE-2001-0161
wireless router does not use 6 of the 24 bits for WEP encryption, making it easier for attackers to decrypt traffic
CVE: CVE-2001-0160
WEP card generates predictable IV values, making it easier for attackers to decrypt traffic
CVE: CVE-2017-3225
device bootloader uses a zero initialization vector during AES-CBC
CVE: CVE-2016-6485
crypto framework uses PHP rand function - which is not cryptographically secure - for an initialization vector
CVE: CVE-2014-5386
encryption routine does not seed the random number generator, causing the same initialization vector to be generated repeatedly
CVE: CVE-2020-5408
encryption functionality in an authentication framework uses a fixed null IV with CBC mode, allowing attackers to decrypt traffic in applications that use this functionality
CVE: CVE-2017-17704
messages for a door-unlocking product use a fixed IV in CBC mode, which is the same after each restart
CVE: CVE-2017-11133
application uses AES in CBC mode, but the pseudo-random secret and IV are generated using math.random, which is not cryptographically strong.
CVE: CVE-2007-3528
Blowfish-CBC implementation constructs an IV where each byte is calculated modulo 8 instead of modulo 256, resulting in less than 12 bits for the effective IV length, and less than 4096 possible IV values.
Phase | Note
--- | ---
Implementation | N/A
In the following examples, CBC mode is used when encrypting data:

```c
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <string.h>

EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
unsigned char key[EVP_MAX_KEY_LENGTH];
unsigned char iv[EVP_MAX_IV_LENGTH];
RAND_bytes(key, EVP_MAX_KEY_LENGTH);   /* the key is random... */
memset(iv, 0, EVP_MAX_IV_LENGTH);      /* ...but the IV is a fixed block of zeros */
EVP_EncryptInit(ctx, EVP_bf_cbc(), key, iv);
```

In these examples, the initialization vector (IV) is always a block of zeros. This makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.
The Wired Equivalent Privacy (WEP) protocol used in the 802.11 wireless standard only supported 40-bit keys, and the IVs were only 24 bits, increasing the chances that the same IV would be reused for multiple messages. The IV was included in plaintext as part of the packet, making it directly observable to attackers. Only 5000 messages are needed before a collision occurs due to the "birthday paradox" [REF-1176]. Some implementations would reuse the same IV for each packet. This IV reuse made it much easier for attackers to recover plaintext from two packets with the same IV, using well-understood attacks, especially if the plaintext was known for one of the packets [REF-1175].
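As an added example (not part of this CWE entry or of any product it lists), two defender-side checks tied to the examples above: the birthday bound behind the "5000 messages" figure for 24-bit WEP IVs, and an audit of a captured IV stream for the zero, reused and byte-range-constrained IVs that the zero-IV CBC example and the observed CVEs describe. The sample IV streams are constructed, and the function names are my own.

```python
import math
import os
from collections import Counter


def messages_until_iv_collision(iv_bits: int, probability: float = 0.5) -> int:
    """Birthday bound: messages (each with an IV drawn uniformly from iv_bits
    bits) until a repeated IV is expected with the given probability:
    n ~= sqrt(2 * N * ln(1 / (1 - p))) with N = 2**iv_bits."""
    if not 0 < probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - probability))))


def audit_ivs(ivs, iv_len: int, min_samples: int = 64):
    """Flag observable IV weaknesses in a captured sequence of IVs. Returns
    finding labels (empty list = nothing observable was wrong):
      "wrong-length"   IV does not match the primitive's block size
      "all-zero"       a fixed zero IV (the EVP_bf_cbc example above)
      "reused"         the same IV value appears more than once
      "low-byte-range" every byte stays below 128, as when each byte is
                       reduced modulo 8 instead of modulo 256 (CVE-2007-3528)
    """
    ivs = list(ivs)
    findings = []
    if any(len(iv) != iv_len for iv in ivs):
        findings.append("wrong-length")
    if any(iv == bytes(iv_len) for iv in ivs):
        findings.append("all-zero")
    if any(count > 1 for count in Counter(ivs).values()):
        findings.append("reused")
    if len(ivs) >= min_samples:
        # Enough samples that a random stream would surely have hit a byte
        # >= 128 somewhere; a smaller maximum means each byte carries < 8 bits.
        max_byte = max((b for iv in ivs for b in iv), default=0)
        if max_byte.bit_length() < 8:
            findings.append("low-byte-range")
    return findings


# Constructed sample streams of 8-byte IVs (Blowfish-CBC block size).
ZERO_IVS = [bytes(8)] * 100
MOD8_IVS = [bytes(b % 8 for b in os.urandom(8)) for _ in range(100)]
RANDOM_IVS = [os.urandom(8) for _ in range(100)]

if __name__ == "__main__":
    print("24-bit IVs: 50% chance of a repeat after", messages_until_iv_collision(24), "messages")
    for name, stream in (("zero", ZERO_IVS), ("mod-8", MOD8_IVS), ("random", RANDOM_IVS)):
        print(f"{name:7s} {audit_ivs(stream, 8) or 'no findings'}")
```

The audit only sees what an observer sees (length, repeats, byte range); a counter-based IV passes it yet is predictable, so it complements rather than replaces a review of how the IV is generated.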