CWE-342: Predictable Exact Value from Previous Values

Weakness ID: 342 (Weakness Base)
Status: Draft
Description
Description Summary: An exact value or random number can be precisely predicted by observing previous values.
Time of Introduction
- Architecture and Design
- Implementation
Observed Examples

| Reference | Description |
|---|---|
| CVE-2002-1463 | |
| CVE-1999-0074 | Listening TCP ports are sequentially allocated, allowing spoofing attacks. |
| CVE-1999-0077 | Predictable TCP sequence numbers allow spoofing. |
| CVE-2000-0335 | DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results. |
Potential Mitigations

| ID | Phase | Description |
|---|---|---|
| | | Increase the entropy used to seed a PRNG. |
| 2 | Implementation | Perform FIPS 140-2 tests on data to catch obvious entropy problems. |
| | Implementation | Consider a PRNG which re-seeds itself, as needed, from a high quality pseudo-random output, like hardware devices. |
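The following is an added example, not part of the CWE entry, that puts the description and the mitigation rows side by side in code. It builds two 16-bit ID generators that exhibit the weakness (a sequential counter like the port and DNS-ID cases above, and a linear congruential generator whose output is a fixed function of the previous output), the mitigated form that draws each ID independently from the operating-system CSPRNG, a self-check a defender can run on a generator they own to see whether its next value follows from its previous values, and two of the FIPS 140-2 power-up statistical tests (monobit and long-run) the mitigation table refers to. The class names, the predictor functions, and the LCG constants (25173, 13849, modulus 2^16, a classic textbook set) are this example's own choices, not anything the page specifies.

```python
"""Added example (not part of the CWE-342 entry): weak 16-bit ID generators,
the CSPRNG-backed form, a predictability self-check, and two FIPS 140-2 tests."""
import secrets

MASK16 = 0xFFFF  # IDs are 16-bit, like DNS transaction IDs


class SequentialIds:
    """Weak: each ID is the previous one plus one (cf. the sequentially
    allocated TCP ports in the Observed Examples)."""
    def __init__(self, start=0):
        self.state = start & MASK16

    def next_id(self):
        self.state = (self.state + 1) & MASK16
        return self.state


# Classic 16-bit LCG constants (multiplier 25173, increment 13849, modulus 2**16).
LCG_A, LCG_C = 25173, 13849


class LcgIds:
    """Weak: a linear congruential generator. Outputs look irregular, but
    each one is a fixed function of the previous one."""
    def __init__(self, seed=1):
        self.state = seed & MASK16

    def next_id(self):
        self.state = (LCG_A * self.state + LCG_C) & MASK16
        return self.state


class CsprngIds:
    """Mitigated: every ID is drawn independently from the OS CSPRNG."""
    def next_id(self):
        return secrets.randbits(16)


# Predictors answer: "given the previous outputs, what is the next one?"
def predict_by_step(history):
    """Extrapolate a constant step between the last two outputs."""
    step = (history[-1] - history[-2]) & MASK16
    return (history[-1] + step) & MASK16


def predict_by_lcg(history):
    """Apply the (assumed known) LCG recurrence to the last output."""
    return (LCG_A * history[-1] + LCG_C) & MASK16


def is_predictable(gen, predictor, trials=8):
    """Self-check for a generator you own: True if the predictor gets all
    `trials` consecutive outputs right using only the outputs before each."""
    history = [gen.next_id(), gen.next_id()]
    for _ in range(trials):
        guess = predictor(history)
        actual = gen.next_id()
        if guess != actual:
            return False
        history.append(actual)
    return True


# FIPS 140-2 power-up statistical tests operate on a 20,000-bit sample.
FIPS_SAMPLE_BITS = 20000


def bits_of(words):
    """Flatten 16-bit words into a list of bits, most significant bit first."""
    return [(w >> i) & 1 for w in words for i in range(15, -1, -1)]


def fips_sample(gen):
    """Collect exactly 20,000 bits of output from a generator."""
    return bits_of([gen.next_id() for _ in range(FIPS_SAMPLE_BITS // 16)])


def monobit_test(bits):
    """Monobit test: the number of ones must satisfy 9725 < ones < 10275."""
    if len(bits) != FIPS_SAMPLE_BITS:
        raise ValueError("FIPS 140-2 tests need exactly 20,000 bits")
    return 9725 < sum(bits) < 10275


def long_run_test(bits):
    """Long-run test: no run of 26 or more identical consecutive bits."""
    if len(bits) != FIPS_SAMPLE_BITS:
        raise ValueError("FIPS 140-2 tests need exactly 20,000 bits")
    run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        if run >= 26:
            return False
    return True


if __name__ == "__main__":
    for name, gen, predictor in [("sequential", SequentialIds(), predict_by_step),
                                 ("lcg", LcgIds(), predict_by_lcg),
                                 ("csprng", CsprngIds(), predict_by_step)]:
        print(f"{name:10s} predictable={is_predictable(gen, predictor)}")
    seq_bits = fips_sample(SequentialIds())
    print("sequential counter: monobit", monobit_test(seq_bits),
          "long-run", long_run_test(seq_bits))
```

Two points the run makes concrete. The sequential counter fails the monobit test (its high bits are almost always zero), so the statistical check catches that case, which is the "obvious entropy problems" the second mitigation row describes. The LCG, by contrast, stays fully predictable from its previous output regardless of how it scores on the statistical tests; statistical quality and unpredictability are different questions, which is why the first and third rows (seeding with real entropy and re-seeding from a hardware source) are the mitigations that actually address CWE-342.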
Relationships

| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Weakness Class | 330 | Use of Insufficiently Random Values | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | | | Predictable Exact Value from Previous Values |
Content History

Submissions

| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | PLOVER | | Externally Mined |

Modifications

| Modification Date | Modifier | Organization | Source | Change |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings |
| 2009-03-10 | CWE Content Team | MITRE | Internal | updated Potential Mitigations |