CWE-328 Base Draft

Use of Weak Hash

This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input…

Definition

What is CWE-328?

This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input that creates the same hash, or discover collisions where two inputs produce identical hash values.
A secure cryptographic hash function must be a one-way, deterministic process that reliably produces a unique fixed-length output (digest) from any input. For security, it must prevent three key attacks: recovering the original input from the hash (preimage attack), finding a different input that matches a given hash (second preimage attack), and generating two arbitrary inputs that hash to the same value (birthday attack). A 'weak' hash fails to adequately resist these attacks, often because the math behind it allows methods significantly faster than simple brute-force guessing. Weakness can stem from the algorithm itself (like MD5 or SHA-1, which are now considered broken for many uses) or from improper application. For example, using a cryptographically sound hash without a unique salt for password storage can enable pre-computed rainbow table attacks, effectively breaking the security the hash was meant to provide. The definition of a 'feasible' attack depends on context, but generally includes any method more efficient than brute force.
Real-world impact

Real-world CVEs caused by CWE-328

  • CVE-2022-30320

    Programmable Logic Controller (PLC) uses a protocol with a cryptographically insecure hashing algorithm for passwords.

  • CVE-2005-4900

    SHA-1 algorithm is not collision-resistant.

  • CVE-2020-25685

    DNS product uses a weak hash (CRC32 or SHA-1) of the query name, allowing attacker to forge responses by computing domain names with the same hash.

  • CVE-2012-6707

    blogging product uses MD5-based algorithm for passwords.

  • CVE-2019-14855

    forging of certificate signatures using SHA-1 collisions.

  • CVE-2017-15999

    mobile app for backup sends SHA-1 hash of password in cleartext.

  • CVE-2006-4068

    Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.

How attackers exploit it

Step-by-step attacker path

  1. 1

    In both of these examples, a user is logged in if their given password matches a stored password:

  2. 2

    This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).

  3. 3

    In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

  4. 4

    At least one OT product used weak hashes.

  5. 5

    The example code below is taken from the JTAG access control mechanism of the Hack@DAC'21 buggy OpenPiton SoC [REF-1360]. Access to JTAG allows users to access sensitive information in the system. Hence, access to JTAG is controlled using cryptographic authentication of the users. In this example (see the vulnerable code source), the password checker uses HMAC-SHA256 for authentication. It takes a 512-bit secret message from the user, hashes it using HMAC, and compares its output with the expected output to determine the authenticity of the user.

Vulnerable code example

Vulnerable C

In both of these examples, a user is logged in if their given password matches a stored password:

Vulnerable C 
unsigned char *check_passwd(char *plaintext) {
  	ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... );
```
//Login if hash matches stored hash* 
  	if (equal(ctext, secret_password())) {
  	```
  		login_user();
  	}
  }
Secure code example

Secure Verilog

To mitigate, remove the zero padding and use all 512 bits of the secret message for HMAC authentication [REF-1361].

Secure Verilog 
...

 **logic [512-1:0] data_d,**  data_q
 logic [512-1:0] pass_data;
 ...

```
   Write: begin
  	 ...
  		 if (pass_mode) begin
```
pass_data = data_d;** 
  			 state_d = PassChk;
  			 pass_mode = 1'b0;
  			 ...
  		 end
   ...
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-328

  • Architecture and Design Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.
Detection signals

How to detect CWE-328

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-328 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-328?

This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input that creates the same hash, or discover collisions where two inputs produce identical hash values.

How serious is CWE-328?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-328?

MITRE lists the following affected platforms: ICS/OT.

How can I prevent CWE-328?

Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally,…

How does Plexicus detect and fix CWE-328?

Plexicus's SAST engine matches the data-flow signature for CWE-328 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-328?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/328.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-328

CWE-327 Parent

Use of a Broken or Risky Cryptographic Algorithm

The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security…

CWE-1240 Sibling

Use of a Cryptographic Primitive with a Risky Implementation

This weakness occurs when a product uses a custom, unverified, or non-compliant implementation of a cryptographic algorithm instead of a…

CWE-780 Sibling

Use of RSA Algorithm without OAEP

This vulnerability occurs when an application implements RSA encryption but fails to use Optimal Asymmetric Encryption Padding (OAEP),…

CWE-916 Sibling

Use of Password Hash With Insufficient Computational Effort

This vulnerability occurs when a system protects passwords by hashing them, but uses a hashing algorithm that is too fast or…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.