The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG is not cryptographically strong.
Time of Introduction
Architecture and Design
Technical Impact: Bypass protection
If a PRNG is used for authentication and authorization, such as a
session ID or a seed for generating a cryptographic key, then an
attacker may be able to easily guess the ID or cryptographic key and
gain access to restricted functionality.
Likelihood of Exploit
Both of these examples use a statistical PRNG to generate a random
Random random = new Random(System.currentTimeMillis());
int accountID = random.nextInt();
Example Languages: C and C++
int randNum = rand();
The random number functions used in these examples, rand() and Random.nextInt(), are not considered cryptographically strong. An attacker may be able to predict the random numbers generated by these functions. Note that these examples also exhibit CWE-337 (Predictable Seed in PRNG).
SSL library uses a weak random number generator
that only generates 65,536 unique keys.
Use functions or hardware that provide hardware-based random number
generation for all crypto. This is the recommended solution. Use
CryptGenRandom on Windows, or hw_rand() on Linux.
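The following C sketch is an added example, not code from the original entry. It puts the rand() pattern shown above beside a session ID drawn from the operating system's CSPRNG. The function names weak_id, csprng_bytes and new_session_id are hypothetical, and reading /dev/urandom (assumed to be a Linux/Unix system) stands in for the platform function named above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Weak: the result is a pure function of the seed, as in the rand() example.
 * Anyone who knows or can bound the seed (e.g. a timestamp) derives the
 * same value. */
int weak_id(unsigned int seed) {
    srand(seed);
    return rand();
}

/* Hardened: fill buf with n bytes from the kernel CSPRNG via /dev/urandom
 * (assumption: Linux/Unix). Returns 0 on success, -1 on any failure, so the
 * caller can fail closed instead of falling back to rand(). */
int csprng_bytes(unsigned char *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Write a 128-bit session ID as 32 hex characters plus NUL into out[33]. */
int new_session_id(char out[33]) {
    unsigned char raw[16];
    if (csprng_bytes(raw, sizeof raw) != 0)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

int main(void) {
    char a[33], b[33];
    /* Constructed seed value standing in for a timestamp. */
    printf("weak, same seed twice: %d %d\n",
           weak_id(1700000000u), weak_id(1700000000u));
    if (new_session_id(a) != 0 || new_session_id(b) != 0) {
        fprintf(stderr, "CSPRNG unavailable, refusing to issue an ID\n");
        return 1;
    }
    printf("strong: %s\nstrong: %s\n", a, b);
    return 0;
}
```

The weak path returns the same value whenever the seed repeats, while the hardened path has no caller-supplied seed and reports an error when the entropy source cannot be read.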
Often a pseudo-random number generator (PRNG) is not designed for
cryptography. Sometimes a mediocre source of randomness is sufficient or
preferable for algorithms which use random numbers. Weak generators
generally take less processing power and/or do not use the precious, finite,
entropy sources on a system.