Description
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Potential Impact
| Scope | Impact |
|---|---|
| Confidentiality, Other | Other |
| Access Control, Other | Bypass Protection Mechanism, Other |
| Access Control | Bypass Protection Mechanism, Gain Privileges or Assume Identity |
Demonstrative Examples
Demonstrative Examples
Example 1 (PHP): the session ID is produced by a statistical PRNG seeded with the user ID, so anyone who knows a user's ID can reproduce that user's session ID.

```php
function generateSessionID($userID) {
    srand($userID);
    return rand();
}
```

Example 2 (Java): the receipt URL is built from a generator seeded with the current time in milliseconds; the time a receipt was issued is a small, often guessable seed space.

```java
String GenerateReceiptURL(String baseUrl) {
    Random ranGen = new Random();
    ranGen.setSeed((new Date()).getTime());
    return (baseUrl + ranGen.nextInt(400000000) + ".html");
}
```

Mitigations & Prevention
Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed
Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
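The following block is an added example (not part of the CWE entry) that restates the two demonstrative examples above in Python and places each beside a hardened replacement that follows the mitigation advice: no caller-controlled seed, and output drawn from the operating system's CSPRNG through the `secrets` module. The function names, the `is_reproducible` check and the sample inputs are my own choices.

```python
"""Weak (seeded statistical PRNG) versus hardened (CSPRNG) generation of
session IDs and receipt URLs, mirroring the CWE-330 demonstrative examples.
Added illustration; not code from the CWE entry."""
import random
import secrets


# --- Weak: statistical PRNG seeded with a value the client can know ---

def weak_session_id(user_id: int) -> int:
    """Mirrors generateSessionID(): seed with the user ID, return one draw.
    Whoever knows the user ID (often visible in the UI or a URL) can
    recompute this value, so it provides no secrecy at all."""
    rng = random.Random(user_id)          # srand($userID)
    return rng.getrandbits(31)            # rand(): a 31-bit integer


def weak_receipt_url(base_url: str, epoch_ms: int) -> str:
    """Mirrors GenerateReceiptURL(): seed with the wall-clock time in ms.
    The issue time of a receipt is a narrow, frequently disclosed window,
    so the effective seed space is tiny and the URL is guessable."""
    rng = random.Random(epoch_ms)         # ranGen.setSeed(new Date().getTime())
    return f"{base_url}{rng.randrange(400_000_000)}.html"


# --- Hardened: CSPRNG, no seed exposed to callers, ample unpredictable bits ---

def secure_session_id() -> str:
    """128 bits from the OS CSPRNG (os.urandom via secrets); cannot be seeded."""
    return secrets.token_urlsafe(16)


def secure_receipt_url(base_url: str) -> str:
    """Receipt name with 128 bits of entropy instead of log2(4e8), about 28.6 bits."""
    return f"{base_url}{secrets.token_hex(16)}.html"


def is_reproducible(fn, *args, trials: int = 5) -> bool:
    """Defender's unit-test style check: does repeating the call with the
    same inputs give the same 'random' output? A sound generator returns
    False here; a generator seeded from its inputs returns True."""
    first = fn(*args)
    return all(fn(*args) == first for _ in range(trials - 1))


if __name__ == "__main__":
    # Constructed sample inputs: a user ID and a timestamp in milliseconds.
    print("weak session id reproducible:", is_reproducible(weak_session_id, 1234))
    print("weak receipt url reproducible:",
          is_reproducible(weak_receipt_url, "https://example.test/r/", 1_700_000_000_000))
    print("secure session id reproducible:", is_reproducible(secure_session_id))
    print("secure receipt url reproducible:",
          is_reproducible(secure_receipt_url, "https://example.test/r/"))
```

The `is_reproducible` check is the property a reviewer actually cares about: if the same inputs yield the same "random" value, the value is a function of those inputs and is only as secret as they are. The hardened versions also avoid the second problem in the Java example, where even an unpredictable seed would leave only `log2(400000000)` bits of output space.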
Detection Methods
- Black Box — Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new wea
- Automated Static Analysis - Binary or Bytecode (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
- Manual Static Analysis - Binary or Bytecode (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
- Dynamic Analysis with Manual Results Interpretation (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
- Manual Static Analysis - Source Code (Effectiveness: High) — According to SOAR [REF-1479], the following detection techniques may be useful:
- Automated Static Analysis - Source Code (Effectiveness: SOAR Partial) — According to SOAR [REF-1479], the following detection techniques may be useful:
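As an added example of the "Automated Static Analysis - Source Code" method (my own minimal detector, not a SOAR tool and not part of the CWE entry), the block below scans source text for calls to statistical PRNGs and seeding calls, and rates a finding "high" when identifiers in the surrounding lines suggest a security-sensitive purpose (session, token, key, and so on). The regexes, the keyword list, the context window and the sample source are assumptions chosen for illustration; the sample is the CWE entry's two examples plus a constructed benign dice roll.

```python
"""Minimal grep-style detector for CWE-330 candidates in source code.
Added illustration; patterns and heuristics are my own, not a vendor's."""
import re
from dataclasses import dataclass

# Statistical (non-cryptographic) generator and seeding calls, by language family.
WEAK_RNG_CALLS = re.compile(
    r"\b(?:srand|rand|mt_rand|mt_srand|lcg_value|uniqid)\s*\("              # C / PHP
    r"|\bnew\s+(?:java\.util\.)?Random\s*\("                                 # Java
    r"|\.setSeed\s*\("                                                       # Java
    r"|\brandom\.(?:random|randint|randrange|getrandbits|choice|seed)\s*\("  # Python
    r"|\bMath\.random\s*\("                                                  # JavaScript
)

# Identifiers that hint the value is used where unpredictability matters.
SECURITY_WORDS = re.compile(
    r"session|token|key|password|passwd|secret|nonce|salt|csrf|otp|reset|receipt|auth",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int      # 1-based line of the matched call
    call: str         # the API that was matched, e.g. "srand" or "new Random"
    confidence: str   # "high" if security words appear nearby, else "low"
    text: str         # the offending line, stripped


def scan_source(source: str, window: int = 3) -> list[Finding]:
    """Return one Finding per line that calls a weak generator. Confidence is
    raised when any of the `window` preceding lines (or the line itself)
    mentions a security-related identifier; this approximates 'is the
    enclosing function security-sensitive?' without a real parser."""
    lines = source.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        match = WEAK_RNG_CALLS.search(line)
        if not match:
            continue
        context = "\n".join(lines[max(0, idx - window): idx + 1])
        confidence = "high" if SECURITY_WORDS.search(context) else "low"
        call = match.group(0).rstrip("( ").lstrip(".")
        findings.append(Finding(idx + 1, call, confidence, line.strip()))
    return findings


# Constructed sample: the CWE entry's two examples plus a benign game-logic use.
SAMPLE_SOURCE = """\
// constructed sample: the CWE entry's two examples plus a benign use
function generateSessionID($userID){
    srand($userID);
    return rand();
}
String GenerateReceiptURL(String baseUrl) {
    Random ranGen = new Random();
    ranGen.setSeed((new Date()).getTime());
    return(baseUrl + ranGen.nextInt(400000000) + ".html");
}
int rollDie() {
    return rand() % 6 + 1;   // game logic only
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no:>3} [{f.confidence}] {f.call}: {f.text}")
```

Run as a script, the detector reports the `srand`/`rand` pair in the session-ID function and the `new Random`/`setSeed` pair in the receipt function as high-confidence, and the dice roll as low-confidence. In a real pipeline the "low" findings are still worth a glance (the keyword heuristic can miss a security context), and the pattern list needs extending for whatever languages and libraries the code base actually uses.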
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2021-3692 | PHP framework uses mt_rand() function (Mersenne Twister) when generating tokens |
| CVE-2020-7010 | Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time. |
| CVE-2009-3278 | Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. |
| CVE-2009-3238 | Random number generator can repeatedly generate the same value. |
| CVE-2009-2367 | Web application generates predictable session IDs, allowing session hijacking. |
| CVE-2009-2158 | Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks. |
| CVE-2009-0255 | Cryptographic key created with a seed based on the system time. |
| CVE-2008-5162 | Kernel function does not have a good entropy source just after boot. |
| CVE-2008-4905 | Blogging software uses a hard-coded salt when calculating a password hash. |
| CVE-2008-4929 | Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files. |
| CVE-2008-3612 | Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections. |
| CVE-2008-2433 | Web management console generates session IDs based on the login time, making it easier to conduct session hijacking. |
| CVE-2008-0166 | SSL library uses a weak random number generator that only generates 65,536 unique keys. |
| CVE-2008-2108 | Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers. |
| CVE-2008-2108 | Chain: insufficient precision (CWE-1339) in random-number generator causes some zero bits to be reliably generated, reducing the amount of entropy (CWE-331) |
Showing 15 of 18 observed examples.
Related Weaknesses
Taxonomy Mappings
- PLOVER — Randomness and Predictability
- 7 Pernicious Kingdoms — Insecure Randomness
- OWASP Top Ten 2004: A2 — Broken Access Control
- CERT C Secure Coding: CON33-C — Avoid race conditions when using library functions
- CERT C Secure Coding: MSC30-C — Do not use the rand() function for generating pseudorandom numbers
- CERT C Secure Coding: MSC32-C — Properly seed pseudorandom number generators
- WASC: 11 — Brute Force
- WASC: 18 — Credential/Session Prediction
- The CERT Oracle Secure Coding Standard for Java (2011): MSC02-J — Generate strong random numbers
Frequently Asked Questions
What is CWE-330?
CWE-330 (Use of Insufficiently Random Values) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
How can CWE-330 be exploited?
Attackers can exploit CWE-330 (Use of Insufficiently Random Values) to bypass protection mechanisms or to gain privileges or assume another identity, for example by predicting session IDs, tokens, or keys that were meant to be unguessable. This weakness is typically introduced during the Architecture and Design or Implementation phases of software development.
How do I prevent CWE-330?
Key mitigations include: Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a p
What is the severity of CWE-330?
CWE-330 is classified as a Class-level weakness (High abstraction). It has been observed in 18 real-world CVEs.