Use of Insufficiently Random Values |
Weakness ID: 330 (Weakness Class) | Status: Usable |
Description Summary
Extended Description
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
Scope | Effect |
---|---|
Confidentiality | When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key. |
Confidentiality Availability | If software relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application. |
Integrity | When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key. |
Example 1
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.
This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.
Reference | Description |
---|---|
CVE-2009-3278 | Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. |
CVE-2009-3238 | Random number generator can repeatedly generate the same value. |
CVE-2009-2367 | Web application generates predictable session IDs, allowing session hijacking. |
CVE-2009-2158 | Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks. |
CVE-2009-0255 | Cryptographic key created with an insufficiently random seed. |
CVE-2009-0255 | Cryptographic key created with a seed based on the system time. |
CVE-2008-5162 | Kernel function does not have a good entropy source just after boot. |
CVE-2008-4905 | Blogging software uses a hard-coded salt when calculating a password hash. |
CVE-2008-4929 | Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files. |
CVE-2008-3612 | Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections. |
CVE-2008-2433 | Web management console generates session IDs based on the login time, making it easier to conduct session hijacking. |
CVE-2008-0166 | SSL library uses a weak random number generator that only generates 65,536 unique keys. |
CVE-2008-2108 | Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers. |
CVE-2008-2020 | CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums. |
CVE-2008-0087 | DNS client uses predictable DNS transaction IDs, allowing DNS spoofing. |
CVE-2008-0141 | Application generates passwords that are based on the time of day. |
Phase: Architecture and Design Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number. |
Phase: Implementation Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices. |
Phase: Testing Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible. |
Phase: Testing Perform FIPS 140-2 tests on data to catch obvious entropy problems. |
Phase: Testing Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules. |
Phase: Testing Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic. Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. Look for library or system calls that access predictable information such as process IDs and system time. |
Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value. |
Ordinality | Description |
---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Nature | Type | ID | Name | View(s) this relationship pertains to![]() |
---|---|---|---|---|
ChildOf | ![]() | 254 | Security Features | Development Concepts (primary)699 Seven Pernicious Kingdoms (primary)700 |
ChildOf | ![]() | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control | Weaknesses in OWASP Top Ten (2004) (primary)711 |
ChildOf | ![]() | 747 | CERT C Secure Coding Section 49 - Miscellaneous (MSC) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734 |
ChildOf | ![]() | 753 | 2009 Top 25 - Porous Defenses | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750 |
ChildOf | ![]() | 808 | 2010 Top 25 - Weaknesses On the Cusp | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800 |
ParentOf | ![]() | 329 | Not Using a Random IV with CBC Mode | Research Concepts (primary)1000 |
ParentOf | ![]() | 331 | Insufficient Entropy | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 334 | Small Space of Random Values | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 335 | PRNG Seed Error | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 338 | Use of Cryptographically Weak PRNG | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 340 | Predictability Problems | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 341 | Predictable from Observable State | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 342 | Predictable Exact Value from Previous Values | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 343 | Predictable Value Range from Previous Values | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 344 | Use of Invariant Value in Dynamically Changing Context | Development Concepts (primary)699 Research Concepts (primary)1000 |
ParentOf | ![]() | 804 | Guessable CAPTCHA | Development Concepts699 Research Concepts1000 |
MemberOf | ![]() | 1000 | Research Concepts | Research Concepts (primary)1000 |
This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others. |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Randomness and Predictability | ||
7 Pernicious Kingdoms | Insecure Randomness | ||
OWASP Top Ten 2004 | A2 | CWE More Specific | Broken Access Control |
CERT C Secure Coding | MSC30-C | Do not use the rand() function for generating pseudorandom numbers | |
WASC | 11 | Brute Force | |
WASC | 18 | Credential/Session Prediction |
J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002. |
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 8, "Using Poor Random Numbers" Page 259. 2nd Edition. Microsoft. 2002. |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Background Details, Relationships, Other Notes, Relationship Notes, Taxonomy Mappings, Weakness Ordinalities | ||||
2008-11-24 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-01-12 | CWE Content Team | MITRE | Internal | |
updated Description, Likelihood of Exploit, Other Notes, Potential Mitigations, Relationships | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Demonstrative Examples, Related Attack Patterns | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Applicable Platforms, Common Consequences, Description, Observed Examples, Potential Mitigations, Time of Introduction | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2008-04-11 | Randomness and Predictability | |||