CWE-342: Predictable Exact Value from Previous Values
Predictable Exact Value from Previous Values
Weakness ID: 342 (Weakness Base) Status: Draft
Description
Description Summary
An exact value or random number can be precisely predicted by observing previous values.
Time of Introduction
Architecture and Design
Implementation
Common Consequences
Scope Effect
Other
Technical Impact: Varies by context
Observed Examples
Reference Description
CVE-2002-1463
CVE-1999-0074 Listening TCP ports are sequentially allocated,
allowing spoofing attacks.
CVE-1999-0077 Predictable TCP sequence numbers allow
spoofing.
CVE-2000-0335 DNS resolver uses predictable IDs, allowing a
local user to spoof DNS query results.
Potential Mitigations
Increase the entropy used to seed a PRNG.
Phases: Architecture and Design; Requirements
Strategy: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [R.342.1 ] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Phase: Implementation
Consider a PRNG which re-seeds itself, as needed from a high quality
pseudo-random output, like hardware devices.
Relationships
Nature Type ID Name View(s) this relationship pertains to
ChildOf Weakness Class 330 Use of Insufficiently Random Values Development Concepts (primary) 699
Research Concepts (primary) 1000
Taxonomy Mappings
Mapped Taxonomy Name Node ID Fit Mapped Node Name
PLOVER Predictable Exact Value from Previous
Values
References
Content History
Submissions Submission Date Submitter Organization Source PLOVER Externally Mined Modifications Modification Date Modifier Organization Source 2008-07-01 Eric Dalci Cigital External updated Time_of_Introduction 2008-09-08 CWE Content Team MITRE Internal updated Relationships,
Taxonomy_Mappings 2009-03-10 CWE Content Team MITRE Internal updated Potential_Mitigations 2009-12-28 CWE Content Team MITRE Internal updated Potential_Mitigations 2010-06-21 CWE Content Team MITRE Internal updated Potential_Mitigations 2011-06-01 CWE Content Team MITRE Internal updated Common_Consequences 2011-06-27 CWE Content Team MITRE Internal updated Common_Consequences 2011-09-13 CWE Content Team MITRE Internal updated Potential_Mitigations,
References