CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-330: Use of Insufficiently Random Values

 
Use of Insufficiently Random Values
Weakness ID: 330 (Weakness Class)Status: Usable
+ Description

Description Summary

The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Extended Description

When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
ScopeEffect
Confidentiality
Other

Technical Impact: Other

When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.

Access Control
Other

Technical Impact: Bypass protection mechanism; Other

If software relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.

Access Control

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.

+ Likelihood of Exploit

Medium to High

+ Detection Methods

Black Box

Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.

Attach the monitor to the process and look for library functions that indicate when randomness is being used. Run the process multiple times to see if the seed changes. Look for accesses of devices or equivalent resources that are commonly used for strong (or weak) randomness, such as /dev/urandom on Linux. Look for library or system calls that access predictable information such as process IDs and system time.

+ Demonstrative Examples

Example 1

This code generates a unique random identifier for a user's session.

(Bad Code)
Example Language: PHP 
function generateSessionID($userID){
srand($userID);
return rand();
}

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

This example also exhibits a Small Seed Space (CWE-339).

Example 2

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.

(Bad Code)
Example Language: Java 
String GenerateReceiptURL(String baseUrl) {
Random ranGen = new Random();
ranGen.setSeed((new Date()).getTime());
return(baseUrl + ranGen.nextInt(400000000) + ".html");
}

This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

+ Observed Examples
ReferenceDescription
CVE-2009-3278Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.
CVE-2009-3238Random number generator can repeatedly generate the same value.
CVE-2009-2367Web application generates predictable session IDs, allowing session hijacking.
CVE-2009-2158Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks.
CVE-2009-0255Cryptographic key created with a seed based on the system time.
CVE-2008-5162Kernel function does not have a good entropy source just after boot.
CVE-2008-4905Blogging software uses a hard-coded salt when calculating a password hash.
CVE-2008-4929Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files.
CVE-2008-3612Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections.
CVE-2008-2433Web management console generates session IDs based on the login time, making it easier to conduct session hijacking.
CVE-2008-0166SSL library uses a weak random number generator that only generates 65,536 unique keys.
CVE-2008-2108Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers.
CVE-2008-2020CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums.
CVE-2008-0087DNS client uses predictable DNS transaction IDs, allowing DNS spoofing.
CVE-2008-0141Application generates passwords that are based on the time of day.
+ Potential Mitigations

Phase: Architecture and Design

Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.

In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts.

Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.

Phase: Implementation

Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.

Phase: Testing

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Phases: Architecture and Design; Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [R.330.1] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

Phase: Testing

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

+ Background Details

Computers are deterministic machines, and as such are unable to produce true randomness. Pseudo-Random Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. There are two types of PRNGs: statistical and cryptographic. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and forms an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between it and a truly random value.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory254Security Features
Development Concepts (primary)699
Seven Pernicious Kingdoms (primary)700
ChildOfCategoryCategory723OWASP Top Ten 2004 Category A2 - Broken Access Control
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory747CERT C Secure Coding Section 49 - Miscellaneous (MSC)
Weaknesses Addressed by the CERT C Secure Coding Standard (primary)734
ChildOfCategoryCategory7532009 Top 25 - Porous Defenses
Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750
ChildOfCategoryCategory8082010 Top 25 - Weaknesses On the Cusp
Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800
ChildOfCategoryCategory861CERT Java Secure Coding Section 49 - Miscellaneous (MSC)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOfCategoryCategory8672011 Top 25 - Weaknesses On the Cusp
Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors (primary)900
ChildOfCategoryCategory883CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)
Weaknesses Addressed by the CERT C++ Secure Coding Standard (primary)868
ChildOfCategoryCategory905SFP Cluster: Predictability
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness VariantWeakness Variant329Not Using a Random IV with CBC Mode
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base331Insufficient Entropy
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base334Small Space of Random Values
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness ClassWeakness Class335PRNG Seed Error
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base338Use of Cryptographically Weak PRNG
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness ClassWeakness Class340Predictability Problems
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base341Predictable from Observable State
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base342Predictable Exact Value from Previous Values
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base343Predictable Value Range from Previous Values
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base344Use of Invariant Value in Dynamically Changing Context
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base804Guessable CAPTCHA
Development Concepts699
Research Concepts1000
MemberOfViewView1000Research Concepts
Research Concepts (primary)1000
+ Relationship Notes

This can be primary to many other weaknesses such as cryptographic errors, authentication errors, symlink following, information leaks, and others.

+ Functional Areas
  • Non-specific
  • Cryptography
  • Authentication
  • Session management
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERRandomness and Predictability
7 Pernicious KingdomsInsecure Randomness
OWASP Top Ten 2004A2CWE_More_SpecificBroken Access Control
CERT C Secure CodingMSC30-CDo not use the rand() function for generating pseudorandom numbers
WASC11Brute Force
WASC18Credential/Session Prediction
CERT Java Secure CodingMSC02-JGenerate strong random numbers
CERT C++ Secure CodingMSC30-CPPDo not use the rand() function for generating pseudorandom numbers
CERT C++ Secure CodingMSC32-CPPEnsure your random number generator is properly seeded
+ References
[R.330.1] [REF-1] Information Technology Laboratory, National Institute of Standards and Technology. "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES". 2001-05-25. <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>.
[R.330.2] [REF-9] John Viega and Gary McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 1st Edition. Addison-Wesley. 2002.
[R.330.3] [REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 8, "Using Poor Random Numbers" Page 259. 2nd Edition. Microsoft. 2002.
[R.330.4] [REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 20: Weak Random Numbers." Page 299. McGraw-Hill. 2010.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Background_Details, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2008-11-24CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2009-01-12CWE Content TeamMITREInternal
updated Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships
2009-03-10CWE Content TeamMITREInternal
updated Potential_Mitigations
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative_Examples, Related_Attack_Patterns
2009-12-28CWE Content TeamMITREInternal
updated Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Time_of_Introduction
2010-02-16CWE Content TeamMITREInternal
updated References, Relationships, Taxonomy_Mappings
2010-04-05CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2010-06-21CWE Content TeamMITREInternal
updated Detection_Factors, Potential_Mitigations
2011-03-29CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27CWE Content TeamMITREInternal
updated Relationships
2011-09-13CWE Content TeamMITREInternal
updated Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2012-05-11CWE Content TeamMITREInternal
updated Demonstrative_Examples, Observed_Examples, References, Relationships
2014-02-18CWE Content TeamMITREInternal
updated Related_Attack_Patterns
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Randomness and Predictability
Page Last Updated: February 18, 2014