Read Time:4 Minute, 15 Second

Description

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-693

 

Consequences

Confidentiality, Other: Other

When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.

Access Control, Other: Bypass Protection Mechanism, Other

If software relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Implementation

Description: 

Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.

Phase: Testing

Description: 

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C (“Approved Random Number Generators”).

Phase: Testing

Description: 

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

CVE References

  • CVE-2009-3278
    • Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.
  • CVE-2009-3238
    • Random number generator can repeatedly generate the same value.
  • CVE-2009-2367
    • Web application generates predictable session IDs, allowing session hijacking.
  • CVE-2009-2158
    • Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks.
  • CVE-2009-0255
    • Cryptographic key created with a seed based on the system time.
  • CVE-2008-5162
    • Kernel function does not have a good entropy source just after boot.
  • CVE-2008-4905
    • Blogging software uses a hard-coded salt when calculating a password hash.
  • CVE-2008-4929
    • Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files.
  • CVE-2008-3612
    • Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections.
  • CVE-2008-2433
    • Web management console generates session IDs based on the login time, making it easier to conduct session hijacking.
  • CVE-2008-0166
    • SSL library uses a weak random number generator that only generates 65,536 unique keys.
  • CVE-2008-2108
    • Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers.
  • CVE-2008-2108
    • Chain: insufficient precision (CWE-1339) in
      random-number generator causes some zero bits to be reliably
      generated, reducing the amount of entropy (CWE-331)
  • CVE-2008-2020
    • CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums.
  • CVE-2008-0087
    • DNS client uses predictable DNS transaction IDs, allowing DNS spoofing.
  • CVE-2008-0141
    • Application generates passwords that are based on the time of day.