Read Time:44 Second

Description

The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-330
CWE-330

 

Consequences

Access Control, Other: Bypass Protection Mechanism, Other

If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.

 

Potential Mitigations

CVE References

  • CVE-2019-11495
    • server uses erlang:now() to seed the PRNG, which
      results in a small search space for potential random
      seeds
  • CVE-2018-12520
    • Product’s PRNG is not seeded for the generation of session IDs
  • CVE-2016-10180
    • Router’s PIN generation is based on rand(time(0)) seeding.