CWE Reference

CWE-1279: Cryptographic Operations are run Before Supporting Units are Ready

Official CWE-1279 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.

Release 4.20, weakness, Incomplete

Glexia's Take

CWE-1279: Cryptographic Operations are run Before Supporting Units are Ready

CWE-1279 describes a recurring weakness in which a cryptographic unit starts operating before the units it depends on (for example an RNG supplying entropy, or a fuse unit supplying a private key) are ready to deliver valid data. When design, validation, or implementation controls do not enforce that ordering, the cryptographic result can be predictable or otherwise compromised, which creates exploitable paths.

Executive Impact

  • Access Control, Confidentiality, Integrity, Availability, Accountability, Authentication, Authorization, Non-Repudiation: Varies by Context

Developer Pattern

CWE-1279 is the kind of defect developers can usually prevent with explicit readiness validation of every cryptographic input, safer framework defaults that fail closed rather than substitute a constant, and tests that exercise hostile input or unsafe state transitions such as a dependency that never reports ready.

Confidence

High confidence, based on the CWE-1279 entry in CWE release 4.20.

Official CWE Definition

CWE-1279: Cryptographic Operations are run Before Supporting Units are Ready

Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.

Many cryptographic hardware units depend upon other hardware units to supply information to them to produce a securely encrypted result. For example, a cryptographic unit that depends on an external random-number-generator (RNG) unit for entropy must wait until the RNG unit is producing random numbers. If a cryptographic unit retrieves a private encryption key from a fuse unit, the fuse unit must be up and running before a key may be supplied.

Type
weakness
Abstraction
Base
Status
Incomplete
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The CWE entry illustrates the weakness with pseudocode (not reproduced on this page) in which encryption is seeded from a pseudo-random-number generator. A check of RNG readiness is performed first; if the check fails, the RNG is ignored and a hard-coded value is used instead. The hard-coded value severely weakens the encrypted output.

Remediation

  • Architecture and Design: Best practices should be used to design cryptographic systems.
  • Implementation: Continuously ensuring that cryptographic inputs are supplying valid information is necessary to ensure that the encrypted output is secure.
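The following C program is an added illustration of the cause and remediation described above; it is not code from the CWE entry or from Glexia. It models an RNG hardware unit as a constructed struct whose ready flag becomes true only after a number of polls (an assumption standing in for a real memory-mapped status register), shows the weak pattern in which a failed readiness check silently substitutes a hard-coded constant, and beside it a hardened pattern that waits a bounded number of polls and fails closed. The keystream function is a toy stand-in for the cryptographic unit, included only to make the effect of a fixed seed visible; it is not a real cipher.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an RNG hardware unit (assumption). A real unit would
 * expose a memory-mapped status register; this model reports "not ready"
 * for warmup_polls_left polls and then delivers its entropy value. */
typedef struct {
    unsigned warmup_polls_left;
    uint32_t entropy;
} rng_unit_t;

/* One read of the modelled ready flag. */
static bool rng_poll_ready(rng_unit_t *rng) {
    if (rng->warmup_polls_left > 0) {
        rng->warmup_polls_left--;
        return false;
    }
    return true;
}

/* Weak pattern (CWE-1279): readiness is checked once and, when the unit is
 * not ready, a hard-coded constant silently stands in for entropy. */
uint32_t get_seed_weak(rng_unit_t *rng) {
    if (rng_poll_ready(rng)) {
        return rng->entropy;
    }
    return 0xDEADBEEFu; /* predictable fallback: every cold boot gets this */
}

/* Hardened pattern: poll for readiness up to max_polls times and fail
 * closed (error, no seed) if the unit never becomes ready. */
int get_seed_safe(rng_unit_t *rng, unsigned max_polls, uint32_t *out) {
    for (unsigned i = 0; i < max_polls; i++) {
        if (rng_poll_ready(rng)) {
            *out = rng->entropy;
            return 0;
        }
        /* firmware would delay or sleep here before re-reading the flag */
    }
    return -1; /* caller must not run the cryptographic operation */
}

/* Toy stand-in for the cryptographic unit's use of the seed: an LCG-derived
 * keystream is XORed over the buffer. Illustrative only, not a real cipher. */
void keystream_xor(uint8_t *buf, size_t len, uint32_t seed) {
    uint32_t state = seed;
    for (size_t i = 0; i < len; i++) {
        state = state * 1664525u + 1013904223u;
        buf[i] ^= (uint8_t)(state >> 24);
    }
}

/* True if two cold boots with the RNG not yet ready produce the same
 * ciphertext for the same plaintext, i.e. the weak path is deterministic. */
bool weak_path_is_deterministic(void) {
    const uint8_t plaintext[8] = "secret!";
    uint8_t ct1[8], ct2[8];
    /* two boots with different true entropy, both still warming up */
    rng_unit_t boot1 = { .warmup_polls_left = 50, .entropy = 0x12345678u };
    rng_unit_t boot2 = { .warmup_polls_left = 50, .entropy = 0x9ABCDEF0u };
    for (size_t i = 0; i < 8; i++) {
        ct1[i] = plaintext[i];
        ct2[i] = plaintext[i];
    }
    keystream_xor(ct1, 8, get_seed_weak(&boot1));
    keystream_xor(ct2, 8, get_seed_weak(&boot2));
    for (size_t i = 0; i < 8; i++) {
        if (ct1[i] != ct2[i]) return false;
    }
    return true;
}

int main(void) {
    rng_unit_t rng = { .warmup_polls_left = 3, .entropy = 0xA5A5A5A5u };
    rng_unit_t stuck = { .warmup_polls_left = 100, .entropy = 0 };
    uint32_t seed = 0;
    printf("weak path deterministic across boots: %s\n",
           weak_path_is_deterministic() ? "yes" : "no");
    if (get_seed_safe(&rng, 10, &seed) == 0)
        printf("safe path got seed 0x%08x after waiting\n", (unsigned)seed);
    printf("safe path on a unit that never becomes ready: %d (refused)\n",
           get_seed_safe(&stuck, 5, &seed));
    return 0;
}
```

The regression test a team would keep is the one `weak_path_is_deterministic` encodes: drive the dependency into its not-ready state and assert that the cryptographic output either differs between runs or is refused outright; identical output across boots is the signature of a hard-coded fallback.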

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.


ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.