Read Time:52 Second

Description

An exact value or random number can be precisely predicted by observing previous values.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-340

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase:

Description: 

Increase the entropy used to seed a PRNG.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (“Approved Random Number Generators”).

Phase: Implementation

Description: 

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

CVE References

  • CVE-2002-1463
    • Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.
  • CVE-1999-0074
    • Listening TCP ports are sequentially allocated, allowing spoofing attacks.
  • CVE-2000-0335
    • DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results.