Description
The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
Modes of Introduction:
– Architecture and Design
Related Weaknesses
CWE-330
CWE-330
Consequences
Access Control, Other: Bypass Protection Mechanism, Other
If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
Potential Mitigations
CVE References
- CVE-2019-11495
- server uses erlang:now() to seed the PRNG, which
results in a small search space for potential random
seeds
- CVE-2018-12520
- Product’s PRNG is not seeded for the generation of session IDs
- CVE-2016-10180
- Router’s PIN generation is based on rand(time(0)) seeding.
