CWE-334: Small Space of Random Values
Weakness ID: 334 (Weakness Base) Status: Draft
Description
Description Summary
The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
Time of Introduction
Architecture and Design
Implementation
Observed Examples
CVE-2002-0583: Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root.
CVE-2002-0903: Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts.
CVE-2003-1230: SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN.
CVE-2004-0230: Complex predictability / randomness (reduced space).
Potential Mitigations
ID: 2 | Phase: Implementation
Perform FIPS 140-2 tests on data to catch obvious entropy problems.
Phase: Implementation
Consider a PRNG which re-seeds itself as needed from a high quality pseudo-random output, like hardware devices.
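The following added example (not part of the CWE entry) turns the description into a design-time check: it measures the value space of a token scheme in bits, estimates how long an exhaustive search of that space takes, and draws a replacement token from the operating system CSPRNG at a length that reaches a required size. The 128-bit requirement, the guess rate and the function names are assumptions chosen for the example; the two schemes it measures are the 5-character alphanumeric filenames of CVE-2002-0583 and the 32-bit key of CVE-2003-1230.

```python
import math
import secrets
import string

# Alphabet of the filename scheme in CVE-2002-0583 (62 alphanumeric symbols).
ALNUM_MIXED = string.ascii_letters + string.digits

# Assumption for this example: the product is taken to need 128 bits of
# unguessable value space. The CWE entry itself sets no number.
REQUIRED_BITS = 128


def space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a value drawn uniformly from alphabet_size**length possibilities."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Mean number of guesses an exhaustive search needs to hit one valid value (half the space)."""
    return alphabet_size ** length // 2


def brute_force_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for a search that can test guesses_per_second values."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def is_space_large_enough(alphabet_size: int, length: int, required_bits: int = REQUIRED_BITS) -> bool:
    """Design-time check: reject a scheme whose value space is smaller than the product needs."""
    return space_bits(alphabet_size, length) >= required_bits


def min_length_for(alphabet_size: int, required_bits: int = REQUIRED_BITS) -> int:
    """Smallest length, in symbols of this alphabet, whose value space reaches required_bits."""
    return math.ceil(required_bits / math.log2(alphabet_size))


def generate_token(alphabet: str = ALNUM_MIXED, required_bits: int = REQUIRED_BITS) -> str:
    """Draw a token from the OS CSPRNG (secrets) at a length that satisfies required_bits."""
    length = min_length_for(len(alphabet), required_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed comparison of the two schemes named in the entry against the 128-bit bar.
    for name, size, length in (("5 alnum chars", 62, 5), ("32-bit key", 2, 32)):
        print(f"{name}: {space_bits(size, length):.1f} bits, "
              f"~{brute_force_seconds(size, length, 1000):.0f} s at 1000 guesses/s, "
              f"large enough: {is_space_large_enough(size, length)}")
    print("replacement token:", generate_token())
```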
Relationships
Taxonomy Mappings
Mapped Taxonomy Name: PLOVER | Mapped Node Name: Small Space of Random Values
Content History
Submissions: PLOVER (Externally Mined)
Modifications:
2008-07-01, Eric Dalci, Cigital (External): updated Time of Introduction
2008-09-08, CWE Content Team, MITRE (Internal): updated Relationships, Taxonomy Mappings
2009-03-10, CWE Content Team, MITRE (Internal): updated Potential Mitigations