CWE-343 – Predictable Value Range from Previous Values


Description

The software’s random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.

The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-340

Consequences

Other: Varies by Context

Potential Mitigations

Phase:

Description: 

Increase the entropy used to seed a PRNG.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (“Approved Random Number Generators”).

Phase: Implementation

Description: 

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

CVE References

CWE-342 – Predictable Exact Value from Previous Values


Description

An exact value or random number can be precisely predicted by observing previous values.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-340

Consequences

Other: Varies by Context

Potential Mitigations

Phase:

Description: 

Increase the entropy used to seed a PRNG.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (“Approved Random Number Generators”).

Phase: Implementation

Description: 

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

CVE References

  • CVE-2002-1463
    • Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.
  • CVE-1999-0074
    • Listening TCP ports are sequentially allocated, allowing spoofing attacks.
  • CVE-2000-0335
    • DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results.

CWE-341 – Predictable from Observable State


Description

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-340

Consequences

Other: Varies by Context

This weakness could be exploited by an attacker in a number of ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing sensitive information, then an attacker might gain access to the system and may be able to gain access to the information in the file.

Potential Mitigations

Phase: Implementation

Description: 

Increase the entropy used to seed a PRNG.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (“Approved Random Number Generators”).

Phase: Implementation

Description: 

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

CVE References

  • CVE-2002-0389
    • Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives.
  • CVE-2001-1141
    • PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
  • CVE-2000-0335
    • DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results.
  • CVE-2005-1636
    • MFV. Predictable filename and insecure permissions allow file modification to execute SQL queries.

CWE-34 – Path Traversal: '....//'


Description

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.

Modes of Introduction:

– Implementation

Related Weaknesses

CWE-23

Consequences

Confidentiality, Integrity: Read Files or Directories, Modify Files or Directories

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
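As an added illustration (not part of the CWE entry), the following Python contrasts a single-pass '../' stripper, which turns '....//' into '../', with the canonicalize-then-validate order the mitigation above describes; the restricted directory /srv/app/uploads is a constructed placeholder and need not exist on disk.

```python
import os
from typing import Optional

# Constructed restricted directory for the demo (an assumption for this
# example; it does not need to exist on disk).
BASE_DIR = "/srv/app/uploads"


def naive_resolve(user_path: str) -> str:
    """The CWE-34 pattern: one pass strips '../', so '....//' collapses to
    '../' and the result is joined and used without being re-checked."""
    cleaned = user_path.replace("../", "")
    return os.path.normpath(os.path.join(BASE_DIR, cleaned))


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened form (the CWE-180 order): canonicalize the joined path first,
    then validate containment.  There is no stripping step, so no sequence
    can turn into a traversal after the check has run."""
    base = os.path.realpath(BASE_DIR)
    # os.path.join discards BASE_DIR when user_path is absolute; realpath
    # then yields that absolute path and the containment check rejects it.
    candidate = os.path.realpath(os.path.join(BASE_DIR, user_path))
    # commonpath compares whole components, so '/srv/app/uploads-old' is
    # rejected even though it shares a string prefix with BASE_DIR.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

With the naive filter, '....//etc/passwd' resolves to /srv/app/etc/passwd, outside the restricted directory, while the same input under safe_resolve stays inside it as a harmless literal directory named '....'.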

CVE References

  • CVE-2004-1670
    • Mail server allows remote attackers to create arbitrary directories via a ".." or rename arbitrary files via a "....//" in user supplied parameters.

CWE-339 – Small Seed Space in PRNG


Description

A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.

PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying every possibility to see which seed matches the observed output, then the attacker will know the output of any subsequent calls to the PRNG. A small seed space implies that the attacker will have far fewer possible values to try to exhaust all possibilities.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-335
CWE-341

Consequences

Other: Varies by Context

Potential Mitigations

Phase: Architecture and Design

Description: 

Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a “random enough” number.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

CVE References

  • CVE-2019-10908
    • Product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed.

CWE-338 – Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)


Description

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: Medium

Related Weaknesses

CWE-330

Consequences

Access Control: Bypass Protection Mechanism

If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality.

Potential Mitigations

Phase: Implementation

Description: 

Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CryptGenRandom on Windows, or hw_rand() on Linux.

CVE References

  • CVE-2009-3278
    • Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.
  • CVE-2009-3238
    • Random number generator can repeatedly generate the same value.
  • CVE-2009-2367
    • Web application generates predictable session IDs, allowing session hijacking.
  • CVE-2008-0166
    • SSL library uses a weak random number generator that only generates 65,536 unique keys.

CWE-337 – Predictable Seed in Pseudo-Random Number Generator (PRNG)


Description

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG.
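The following Python is an added example, not part of the CWE-339 or CWE-337 entries: it shows on a toy scale what the CWE-339 text describes (a PRNG seeded from a clock value, as in CWE-337, whose seed is found by trying every candidate in a small window and then replayed), next to the hardened form that draws from the OS CSPRNG. DEMO_TIMESTAMP is a constructed start-up time chosen so the run is reproducible.

```python
import math
import random
import secrets
from typing import Optional

# Constructed start-up time for the demo so every run is reproducible
# (an assumption for this example, not a value from the CWE entries).
DEMO_TIMESTAMP = 1_700_000_000


def weak_token(seed: int) -> int:
    """CWE-337 pattern: a PRNG seeded from a clock value is used for a token."""
    rng = random.Random(seed)  # deterministic once seeded (CWE-339)
    return rng.getrandbits(32)


def recover_seed(observed: int, guessed_time: int, window: int) -> Optional[int]:
    """What CWE-339 describes: with the seed known to lie within +/- window
    seconds of guessed_time, try every candidate until one reproduces the
    observed output.  Returns the seed, or None if it lies outside the window."""
    for candidate in range(guessed_time - window, guessed_time + window + 1):
        if weak_token(candidate) == observed:
            return candidate
    return None


def predict_output(seed: int, skip: int = 0) -> int:
    """Once the seed is known, every later output is known as well: replay
    the generator and skip the outputs that were already observed."""
    rng = random.Random(seed)
    for _ in range(skip):
        rng.getrandbits(32)
    return rng.getrandbits(32)


def seed_space_bits(window: int) -> float:
    """Size of the seed search space, in bits, when the seed is a second-resolution
    timestamp known to within +/- window seconds; compare with the 256-bit seed
    the CWE-339 mitigation recommends."""
    return math.log2(2 * window + 1)


def strong_token() -> str:
    """Hardened form: draw from the OS CSPRNG; no application-managed seed."""
    return secrets.token_hex(16)
```

A clock guessed to within a minute leaves fewer than 7 bits of seed to search, which is why the mitigations insist on non-predictable seed inputs or, better, a generator that needs no application-managed seed at all.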

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-335

Consequences

Other: Varies by Context

Potential Mitigations

Phase:

Description: 

Use non-predictable inputs for seed generation.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

Phase: Implementation

Description: 

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

CVE References

  • CVE-2019-11495
    • Server uses erlang:now() to seed the PRNG, which results in a small search space for potential random seeds.
  • CVE-2008-0166
    • The removal of a couple lines of code caused Debian’s OpenSSL Package to only use the current process ID for seeding a PRNG
  • CVE-2016-10180
    • Router’s PIN generation is based on rand(time(0)) seeding.
  • CVE-2018-9057
    • Cloud provider product uses a non-cryptographically secure PRNG and seeds it with the current time.

CWE-336 – Same Seed in Pseudo-Random Number Generator (PRNG)


Description

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-335

Consequences

Other, Access Control: Other, Bypass Protection Mechanism

Potential Mitigations

Phase: Architecture and Design

Description: 

Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

CVE References

CWE-335 – Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)


Description

The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-330

Consequences

Access Control, Other: Bypass Protection Mechanism, Other

If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.

Potential Mitigations

CVE References

  • CVE-2019-11495
    • Server uses erlang:now() to seed the PRNG, which results in a small search space for potential random seeds.
  • CVE-2018-12520
    • Product’s PRNG is not seeded for the generation of session IDs
  • CVE-2016-10180
    • Router’s PIN generation is based on rand(time(0)) seeding.