Predictable Exact Value from Previous ValuesID: 342 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
An exact value or random number can be precisely predicted by
observing previous values.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|
Other | Varies by context | |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
| | Increase the entropy used to seed a PRNG. | | |
Architecture and DesignRequirements | Libraries or Frameworks | Use products or modules that conform to FIPS 140-2 [R.342.1] to avoid
obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random
Number Generators"). | | |
Implementation | | Use a PRNG that periodically re-seeds itself using input from
high-quality sources, such as hardware devices with high entropy.
However, do not re-seed too frequently, or else the entropy source might
block. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-342 ChildOf CWE-905 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2002-1463 : Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.
- CVE-1999-0074 : Listening TCP ports are sequentially allocated, allowing spoofing attacks.
- CVE-1999-0077 : Predictable TCP sequence numbers allow spoofing.
- CVE-2000-0335 : DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
PLOVER | | Predictable Exact Value from Previous
Values | |
References:
- Information Technology Laboratory, National Institute of
Standards and Technology .SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC
MODULES. 2001-05-25.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 20: Weak Random Numbers." Page 299'. Published on 2010.