Predictable from Observable State| ID: 341 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
A number or object is predictable based on observations that
the attacker can make about the state of the system or network, such as time,
process ID, etc.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Other | Varies by context | This weakness could be exploited by an attacker in a number ways
depending on the context. If a predictable number is used to generate
IDs or keys that are used within protection mechanisms, then an attacker
could gain unauthorized access to the system. If predictable filenames
are used for storing sensitive information, then an attacker might gain
access to the system and may be able to gain access to the information
in the file. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Increase the entropy used to seed a PRNG. | | |
| Architecture and DesignRequirements | Libraries or Frameworks | Use products or modules that conform to FIPS 140-2 [R.341.1] to avoid
obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random
Number Generators"). | | |
| Implementation | | Use a PRNG that periodically re-seeds itself using input from
high-quality sources, such as hardware devices with high entropy.
However, do not re-seed too frequently, or else the entropy source might
block. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-341 ChildOf CWE-905 | Category | CWE-888 | |
Demonstrative Examples (Details)
- This code generates a unique random identifier for a user's
session. (Demonstrative Example Id DX-45)
Observed Examples
- CVE-2002-0389 : Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives.
- CVE-2001-1141 : PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
- CVE-2000-0335 : DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results.
- CVE-2005-1636 : MFV. predictable filename and insecure permissions allows file modification to execute SQL queries.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Predictable from Observable State | |
References:
- Information Technology Laboratory, National Institute of
Standards and Technology .SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC
MODULES. 2001-05-25.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 20: Weak Random Numbers." Page 299'. Published on 2010.
