1. Home
  2. CWE Database
  3. CWE-337
Variant · Low-Medium

CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

CWE-337 · Variant Level ·5 CVEs ·3 Mitigations

Description

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG.

Potential Impact

Other

Varies by Context

Demonstrative Examples

Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number:
Bad
Random random = new Random(System.currentTimeMillis());int accountID = random.nextInt();
Bad
srand(time());int randNum = rand();
An attacker can easily predict the seed used by these PRNGs, and so also predict the stream of random numbers generated. Note these examples also exhibit CWE-338 (Use of Cryptographically Weak PRNG).

Mitigations & Prevention

General

Use non-predictable inputs for seed generation.

Architecture and DesignRequirements

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

Implementation

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2020-7010Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time.
CVE-2019-11495server uses erlang:now() to seed the PRNG, which results in a small search space for potential random seeds
CVE-2008-0166The removal of a couple lines of code caused Debian's OpenSSL Package to only use the current process ID for seeding a PRNG
CVE-2016-10180Router's PIN generation is based on rand(time(0)) seeding.
CVE-2018-9057cloud provider product uses a non-cryptographically secure PRNG and seeds it with the current time

CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Taxonomy Mappings

  • PLOVER: — Predictable Seed in PRNG
  • The CERT Oracle Secure Coding Standard for Java (2011): MSC02-J — Generate strong random numbers

Frequently Asked Questions

What is CWE-337?

CWE-337 (Predictable Seed in Pseudo-Random Number Generator (PRNG)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

How can CWE-337 be exploited?

Attackers can exploit CWE-337 (Predictable Seed in Pseudo-Random Number Generator (PRNG)) to varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-337?

Key mitigations include: Use non-predictable inputs for seed generation.

What is the severity of CWE-337?

CWE-337 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 5 real-world CVEs.