Base · Medium

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

CWE-338 · Base Level · 5 CVEs · 1 Mitigation

Description

When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks. Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or even preferable for algorithms that use random numbers: weak generators generally take less processing power and/or do not consume the precious, finite entropy sources on a system. While such PRNGs might have very useful features, those same features could be used to break the cryptography.

Potential Impact

Access Control

Bypass Protection Mechanism

Demonstrative Examples

Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number:

Bad (Java):

    import java.util.Random;

    Random random = new Random(System.currentTimeMillis());
    int accountID = random.nextInt();

Bad (C):

    #include <stdlib.h>
    #include <time.h>

    srand(time(NULL));
    int randNum = rand();

The random number functions used in these examples, rand() and Random.nextInt(), are not considered cryptographically strong. An attacker may be able to predict the random numbers generated by these functions. Note that these examples also exhibit CWE-337 (Predictable Seed in PRNG).
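The same weakness carried through in Python, as an added example that is not part of the CWE entry: a token derived from a clock-seeded Mersenne Twister (Python's random module uses MT19937, the same generator family as PHP's mt_rand() in CVE-2021-3692) beside a token from the OS CSPRNG, with a defender's check showing that the weak token is fully determined by a clock-sized seed space while the strong one is not. The function names, the millisecond seed and the 16-byte token size are constructed for this demonstration.

```python
# Added example for CWE-338 / CWE-337 (not from the CWE entry): weak clock-seeded
# Mersenne Twister token next to a CSPRNG token, plus a check of why the weak one fails.
import random
import secrets
import time
from typing import Optional

TOKEN_BYTES = 16  # constructed token size for the demo


def weak_token(seed_ms: int) -> str:
    """CWE-338 + CWE-337: token from Python's Mersenne Twister seeded with a
    millisecond clock value. The whole output is a deterministic function of the seed."""
    rng = random.Random(seed_ms)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """Mitigation: secrets draws from the OS CSPRNG (os.urandom), so there is
    no application-level seed to guess and no algorithmic structure to exploit."""
    return secrets.token_hex(TOKEN_BYTES)


def seed_recoverable(observed: str, approx_seed_ms: int, window_ms: int) -> Optional[int]:
    """Defender's check: if a token was minted with a clock seed within window_ms
    of approx_seed_ms, re-running the generator over that window finds the seed.
    Any token that passes this check is unfit for use as a security token."""
    for candidate in range(approx_seed_ms - window_ms, approx_seed_ms + window_ms + 1):
        if weak_token(candidate) == observed:
            return candidate
    return None


def demo() -> dict:
    """Mint one token of each kind and run the recoverability check on both."""
    issued_at = int(time.time() * 1000)  # the server's clock when the token was issued
    weak = weak_token(issued_at)
    strong = strong_token()
    # Knowing the issue time only roughly (here: 1.5 s off) leaves a window of
    # about ten thousand candidate seeds, which the check exhausts instantly.
    found = seed_recoverable(weak, issued_at + 1500, window_ms=5000)
    # The CSPRNG token has no seed to find in any window.
    not_found = seed_recoverable(strong, issued_at + 1500, window_ms=5000)
    return {"weak": weak, "strong": strong, "weak_seed": found, "strong_seed": not_found}


if __name__ == "__main__":
    print(demo())
```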

Mitigations & Prevention

Implementation

Use functions or hardware which use hardware-based random number generation for all crypto. This is the recommended solution. Use CryptGenRandom on Windows, or hw_rand() on Linux.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

  • CVE-2021-3692 — PHP framework uses the mt_rand() function (Mersenne Twister) when generating tokens.
  • CVE-2009-3278 — Crypto product uses the rand() library function to generate a recovery key, making it easier to conduct brute force attacks.
  • CVE-2009-3238 — Random number generator can repeatedly generate the same value.
  • CVE-2009-2367 — Web application generates predictable session IDs, allowing session hijacking.
  • CVE-2008-0166 — SSL library uses a weak random number generator that only generates 65,536 unique keys.

Taxonomy Mappings

  • CLASP — Non-cryptographic PRNG
  • CERT C Secure Coding: MSC30-C — Do not use the rand() function for generating pseudorandom numbers

Frequently Asked Questions

What is CWE-338?

CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

How can CWE-338 be exploited?

Attackers can exploit CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)) to bypass protection mechanisms. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-338?

Key mitigations include: use functions or hardware which use hardware-based random number generation for all crypto. This is the recommended solution. Use CryptGenRandom on Windows, or hw_rand() on Linux.

What is the severity of CWE-338?

CWE-338 is classified as a Base-level weakness (Medium abstraction). It has been observed in 5 real-world CVEs.