SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF)

Download | Alert*

CWE

Predictable Exact Value from Previous Values

Description

An exact value or random number can be precisely predicted by observing previous values.

Applicable Platforms
Language Class: All

Time Of Introduction

Common Consequences

Scope	Technical Impact	Notes
Other	Varies by context

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description
		Increase the entropy used to seed a PRNG.
Architecture and Design Requirements	Libraries or Frameworks	Use products or modules that conform to FIPS 140-2 [R.342.1] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Implementation		Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

Relationships

Related CWE	Type	View	Chain
CWE-342 ChildOf CWE-905	Category	CWE-888

Demonstrative Examples
None

Observed Examples

CVE-2002-1463 : Firewall generates easily predictable initial sequence numbers (ISN), which allows remote attackers to spoof connections.
CVE-1999-0074 : Listening TCP ports are sequentially allocated, allowing spoofing attacks.
CVE-1999-0077 : Predictable TCP sequence numbers allow spoofing.
CVE-2000-0335 : DNS resolver uses predictable IDs, allowing a local user to spoof DNS query results.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
PLOVER		Predictable Exact Value from Previous Values

References:

Information Technology Laboratory, National Institute of Standards and Technology .SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES. 2001-05-25.
Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 20: Weak Random Numbers." Page 299'. Published on 2010.