CWE-334: Small Space of Random Values
ID: 334 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The number of possible random values is smaller than needed by
the product, making it more susceptible to brute force
attacks.
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|
Access Control; Other | Bypass protection mechanism; Other | An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization. |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design; Requirements | Libraries or Frameworks | Use products or modules that conform to FIPS 140-2 [R.334.1] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). | | An approved generator only helps if the product actually draws enough of its output: truncating a 128-bit value to a few characters, or requesting too few bytes, reproduces this weakness with a FIPS-validated module. FIPS 140-2 has since been superseded by FIPS 140-3; the approved DRBGs are specified in NIST SP 800-90A. |
Relationships
Related CWE | Type | View | Chain |
---|
ChildOf CWE-905 | Category | CWE-888 | |
Demonstrative Examples
- The following XML example code is a deployment descriptor for a Java
web application deployed on a Sun Java Application Server. This deployment
descriptor includes a session configuration property for configuring the
session ID length. (Demonstrative Example Id DX-47)
Observed Examples
- CVE-2002-0583 : Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root.
- CVE-2002-0903 : Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts.
- CVE-2003-1230 : SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN.
- CVE-2004-0230 : Complex predictability / randomness (reduced space).
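The following Python is an added example written for this entry; it is not code from the CWE page or from Sun. It shows two things the text above describes: how little work a plain enumeration needs against a token drawn from a small space (the 5-alphanumeric-character filename of CVE-2002-0583 gives only 36^5, about 60 million, possibilities), and how to audit the session ID length setting that demonstrative example DX-47 is about. The descriptor fragment is constructed; the property name `idLengthBytes` and the default of 16 bytes are assumed from Sun's documented `session-properties`, and the 128-bit floor is an assumed policy value, not something the CWE entry states.

```python
"""Added example for CWE-334 (not code from the CWE entry itself).

1. Guess-space size and brute-force enumeration of short tokens.
2. Audit of the session ID length in a Sun/GlassFish sun-web.xml descriptor
   (the setting DX-47 is about). `idLengthBytes` and its default of 16 bytes
   are assumed from Sun's session-properties documentation.
"""
import itertools
import math
import secrets
import string
import xml.etree.ElementTree as ET

ALNUM = string.ascii_lowercase + string.digits   # 36 symbols, as in a 5-char alnum name


def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a token of `length` symbols drawn uniformly from `symbols`."""
    return length * math.log2(symbols)


def brute_force(target: str, alphabet: str = ALNUM, budget: int = 10_000_000):
    """Enumerate every token of len(target) symbols in lexicographic order.

    Returns the number of guesses needed to hit `target`, or None when the
    budget runs out. No flaw in the generator is needed: the space is simply
    small enough to walk, which is exactly what CWE-334 makes cheap.
    """
    guesses = 0
    for cand in itertools.product(alphabet, repeat=len(target)):
        guesses += 1
        if "".join(cand) == target:
            return guesses
        if guesses >= budget:
            return None
    return None


def strong_token() -> str:
    """Adequate space: 16 bytes (128 bits) from the OS CSPRNG; enumeration is hopeless."""
    return secrets.token_hex(16)


# --- sun-web.xml session ID length audit (DX-47) ------------------------------

# Constructed descriptor fragment carrying the weak setting (8 bytes = 64 bits).
WEAK_SUN_WEB_XML = """<sun-web-app>
  <session-config>
    <session-properties>
      <property name="idLengthBytes" value="8"/>
    </session-properties>
  </session-config>
</sun-web-app>"""

# Same descriptor with the value raised to 16 bytes (128 bits).
FIXED_SUN_WEB_XML = WEAK_SUN_WEB_XML.replace('value="8"', 'value="16"')

MIN_SESSION_ID_BITS = 128  # assumed policy floor, not a value from the CWE entry
DEFAULT_ID_LENGTH_BYTES = 16  # assumed container default when the property is absent


def session_id_bits(descriptor_xml: str) -> int:
    """Return the configured session ID length in bits (idLengthBytes * 8)."""
    root = ET.fromstring(descriptor_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "idLengthBytes":
            return int(prop.get("value")) * 8
    return DEFAULT_ID_LENGTH_BYTES * 8


def session_id_is_adequate(descriptor_xml: str) -> bool:
    """True when the configured session ID space is at least MIN_SESSION_ID_BITS."""
    return session_id_bits(descriptor_xml) >= MIN_SESSION_ID_BITS


if __name__ == "__main__":
    print(f"5 alnum chars: {keyspace_bits(36, 5):.1f} bits, {36**5:,} values")
    # Constructed target near the start of the enumeration so the run is quick.
    # A uniformly random target costs 36**5 / 2 guesses on average, still only
    # about 30 million: seconds offline, hours online without rate limiting.
    print("guesses to hit 'ab3xz':", brute_force("ab3xz"))
    print("strong token:", strong_token(), f"({keyspace_bits(2, 128):.0f} bits)")
    for label, xml_text in (("weak", WEAK_SUN_WEB_XML), ("fixed", FIXED_SUN_WEB_XML)):
        print(f"{label}: {session_id_bits(xml_text)} bits, "
              f"adequate={session_id_is_adequate(xml_text)}")
```

The brute-force loop is deliberately naive: the point of this weakness is that no cleverness is required once the space is small. The audit only checks what the descriptor requests; the length the container actually honours, and whether the bytes behind it come from a CSPRNG, still has to be confirmed on the running system.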
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
PLOVER | | Small Space of Random Values | |
References:
- [R.334.1] Information Technology Laboratory, National Institute of Standards and Technology. "Security Requirements for Cryptographic Modules" (FIPS PUB 140-2). 2001-05-25.
- Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". McGraw-Hill, 2010. Section "Sin 20: Weak Random Numbers", page 299.