
Small Space of Random Values

ID: CWE-334
Date: created 2012-05-14, modified 2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Base

Description

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope | Technical Impact | Notes
Access Control | Bypass protection mechanism | An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
Other | Other |

Detection Methods
None

Potential Mitigations

Phase | Strategy | Description | Effectiveness | Notes
Architecture and Design; Requirements | Libraries or Frameworks | Use products or modules that conform to FIPS 140-2 [R.334.1] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). | |

Relationships

Related CWE | Type | View | Chain
CWE-334 | ChildOf | CWE-905 (Category) | CWE-888

Demonstrative Examples   (Details)

  1. The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length. (Demonstrative Example Id DX-47)

Observed Examples

  1. CVE-2002-0583 : Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root.
  2. CVE-2002-0903 : Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts.
  3. CVE-2003-1230 : SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN.
  4. CVE-2004-0230 : Complex predictability / randomness (reduced space).

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name | Fit
PLOVER | | Small Space of Random Values |

References:

  1. Information Technology Laboratory, National Institute of Standards and Technology. Security Requirements for Cryptographic Modules (FIPS 140-2). 2001-05-25.
  2. Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section "Sin 20: Weak Random Numbers", page 299.

CVE relations (1): CVE-2020-7566

© SecPod Technologies