LIVE NEWSROOM · --:-- · May 24, 2026

CWE-311: Missing Encryption of Sensitive Data

Abstraction: Class  ·  Likelihood of exploit: High

What it is

The product does not encrypt sensitive or critical information before storage or transmission.

Impact

Scope                       Technical impact
Confidentiality             Read Application Data
Confidentiality, Integrity  Modify Application Data

Mitigations

  • [Requirements] Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
  • [Architecture and Design] Ensure that encryption is properly integrated into the system design, including but not necessarily limited to:
      - Encryption that is needed to store or transmit private data of the users of the system
      - Encryption that is needed to protect the system itself from unauthorized disclosure or tampering
    Identify the separate needs and contexts for encryption:
      - One-way (i.e., only the user
  • [Architecture and Design] When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FI
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separ
  • [Implementation, Architecture and Design] When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
  • [Implementation] Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
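The storage-side mitigations above (well-vetted algorithm, well-tested implementation, strong types for sensitive data) combined into one runnable Go program. This is an added example written for this page, not code from MITRE or from any product in the CVE list. It assumes a 32-byte key supplied by a key store, uses AES-256-GCM from the Go standard library, binds each ciphertext to its record ID as additional authenticated data, and wraps the cleartext in a `Secret` type whose `String` and `MarshalJSON` methods redact it. Reversible encryption is the right tool for secrets the system must later use (API keys, tokens); a password that is only ever verified belongs under a one-way, salted password hash instead, which this example does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Secret gives sensitive data its own type instead of a bare string, so an
// accidental log line, JSON dump or %v print shows a redaction marker and
// misuse stands out in code review (the "strong types" mitigation above).
type Secret struct{ v []byte }

func NewSecret(v []byte) Secret               { return Secret{v: append([]byte(nil), v...)} }
func (s Secret) Bytes() []byte                { return s.v }
func (s Secret) String() string               { return "[REDACTED]" }
func (s Secret) MarshalJSON() ([]byte, error) { return []byte(`"[REDACTED]"`), nil }

// Record is what would be written to the database. The vulnerable 'before'
// shape had `APIKey string` here; the stored form now carries only the
// sealed bytes, so a dump of the table does not reveal the secret.
type Record struct {
	ID     string
	Sealed []byte // nonce || AES-256-GCM ciphertext+tag
}

// Seal encrypts plain under a 32-byte key with AES-256-GCM. The record ID is
// passed as additional authenticated data, so a ciphertext copied from one
// row into another fails to open. The key itself must come from a key store
// (KMS, HSM, OS keychain), never from the same table or a config file beside
// the data.
func Seal(key []byte, recordID string, plain Secret) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per message; never reuse one under the same
	// key, and rotate the key long before the message count nears 2^32.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain.Bytes(), []byte(recordID)), nil
}

// Open reverses Seal. Wrong key, wrong record ID and a flipped bit are all
// reported with the same error so callers cannot tell the causes apart.
func Open(key []byte, recordID string, sealed []byte) (Secret, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Secret{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Secret{}, err
	}
	n := aead.NonceSize()
	if len(sealed) < n+aead.Overhead() {
		return Secret{}, errors.New("sealed blob too short")
	}
	plain, err := aead.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
	if err != nil {
		return Secret{}, errors.New("open failed: wrong key, wrong record, or tampered data")
	}
	return NewSecret(plain), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec := Record{ID: "user-42"}
	sealed, err := Seal(key, rec.ID, NewSecret([]byte("hunter2"))) // constructed sample value
	if err != nil {
		panic(err)
	}
	rec.Sealed = sealed
	fmt.Println("stored:", rec.ID, hex.EncodeToString(rec.Sealed))
	got, err := Open(key, rec.ID, rec.Sealed)
	fmt.Println("printed secret:", got, "err:", err) // prints [REDACTED]
	_, err = Open(key, "user-43", rec.Sealed)
	fmt.Println("moved to another row:", err)
}
```

The AAD binding is the detail most often skipped: without it, an attacker with write access to the table can copy an admin's sealed token into their own row and have the application decrypt it for them. Binding the row identity costs nothing and closes that path.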

Real-world CVE examples

  • CVE-2022-26390 — wireless battery product stores credentials and Personal Health Information (PHI) without encryption
  • CVE-2009-2272 — password and username stored in cleartext in a cookie
  • CVE-2009-1466 — password stored in cleartext in a file with insecure permissions
  • CVE-2009-0152 — chat program disables SSL in some circumstances even when the user says to use SSL.
  • CVE-2009-1603 — Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
  • CVE-2009-0964 — storage of unencrypted passwords in a database
  • CVE-2008-6157 — storage of unencrypted passwords in a database
  • CVE-2008-6828 — product stores a password in cleartext in memory
  • CVE-2008-1567 — storage of a secret key in cleartext in a temporary file
  • CVE-2008-0174 — SCADA product uses HTTP Basic Authentication, which is not encrypted
  • CVE-2007-5778 — login credentials stored unencrypted in a registry key
  • CVE-2002-1949 — Passwords transmitted in cleartext.
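Several entries above are transmission-side: Basic Authentication over plain HTTP, a client that drops SSL in some circumstances, passwords sent in cleartext. The following Go program, added here and not taken from any of those products, shows the two guards a practitioner would put in place: a client helper that refuses to attach Basic credentials to a non-https request, and a server middleware that rejects Basic credentials arriving on a connection the server did not terminate with TLS. The hostname `scada.example` and the credentials are constructed sample values; the requests are built with `net/http/httptest`, so nothing touches the network.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrCleartextCredential is returned when a credential would leave the
// process over a connection that is not protected by TLS.
var ErrCleartextCredential = errors.New("refusing to send credentials over a cleartext connection")

// AttachBasicAuth is the client-side guard. It sets the Authorization header
// only when the request URL is https, so a code path that silently falls
// back to plain HTTP cannot carry the password with it.
func AttachBasicAuth(req *http.Request, user, pass string) error {
	if req.URL == nil || !strings.EqualFold(req.URL.Scheme, "https") {
		return ErrCleartextCredential
	}
	req.SetBasicAuth(user, pass)
	return nil
}

// RequireTLSForBasicAuth is the server-side guard. A request presenting
// Basic credentials on a non-TLS connection is rejected before the header is
// parsed, so a password already exposed on the wire is at least not also
// accepted. r.TLS is set only for connections this server terminated; behind
// a TLS-terminating proxy you would instead trust that proxy's
// forwarded-proto header, and only when the request comes from the proxy.
func RequireTLSForBasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := strings.ToLower(r.Header.Get("Authorization"))
		if strings.HasPrefix(auth, "basic ") && r.TLS == nil {
			http.Error(w, "credentials must be sent over TLS", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r) // authentication and authorization happen here
	})
}

// StatusThroughGuard runs one request through the guard in front of a
// handler that always answers 200, and returns the resulting status code.
func StatusThroughGuard(r *http.Request) int {
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	RequireTLSForBasicAuth(ok).ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	// Constructed requests, not captured traffic.
	plain := httptest.NewRequest("GET", "http://scada.example/status", nil)
	plain.SetBasicAuth("operator", "s3cret")
	fmt.Println("Basic over http :", StatusThroughGuard(plain)) // 403

	secure := httptest.NewRequest("GET", "https://scada.example/status", nil)
	secure.TLS = &tls.ConnectionState{} // what a real TLS listener fills in
	secure.SetBasicAuth("operator", "s3cret")
	fmt.Println("Basic over https:", StatusThroughGuard(secure)) // 200

	req, _ := http.NewRequest("GET", "http://scada.example/status", nil)
	fmt.Println("client over http:", AttachBasicAuth(req, "operator", "s3cret"))
}
```

A request carrying no credential at all passes through the middleware untouched; deciding whether anonymous access is acceptable is the next handler's job, and the guard only enforces that a credential, when present, travelled encrypted.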


Source: MITRE CWE (cwe.mitre.org)
