Variant · Low-Medium

CWE-339: Small Seed Space in PRNG

A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.

CWE-339 · Variant Level · 1 CVE · 2 Mitigations

Description

PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying every possibility to see which seed matches the observed output, then the attacker will know the output of any subsequent calls to the PRNG. A small seed space implies that the attacker will have far fewer possible values to try to exhaust all possibilities.

Potential Impact

Other

Varies by Context

Demonstrative Examples

This code grabs some random bytes and uses them for a seed in a PRNG, in order to generate a new cryptographic key.
Bad
import os
import random

# getting only 2 bytes of randomness for seeding the PRNG (the weakness)
seed = os.urandom(2)
random.seed(a=seed)
# the 128-bit key is fully determined by the 16-bit seed
key = random.getrandbits(128)
Since only 2 bytes are used as a seed, an attacker will only need to guess 2^16 (65,536) values before being able to replicate the state of the PRNG.
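The following Python, added here as an illustration and not part of the CWE entry, checks that claim against the example above: a key produced from a 2-byte seed is reproduced by exhausting all 65,536 seeds, while the corrected variant takes key material straight from the OS CSPRNG through `secrets`. The function names `weak_key`, `recover_seed` and `strong_key` are assumptions made for this example.

```python
import os
import random
import secrets

SEED_BYTES = 2  # the weak choice from the example above: 256**2 = 65,536 seeds


def weak_key(seed: bytes) -> int:
    """Reproduce the 'Bad' example on a private Random instance.

    random.seed(bytes) is deterministic, so every Random seeded with the same
    2 bytes yields the same 128-bit 'key'.
    """
    rng = random.Random()
    rng.seed(seed)
    return rng.getrandbits(128)


def recover_seed(observed_key: int, seed_bytes: int = SEED_BYTES):
    """Exhaust the seed space as the description says an attacker could.

    Tries every possible seed of `seed_bytes` bytes and returns the first one
    whose output matches the observed key, together with the number of trials.
    """
    trials = 0
    for n in range(256 ** seed_bytes):
        trials += 1
        candidate = n.to_bytes(seed_bytes, "big")
        if weak_key(candidate) == observed_key:
            return candidate, trials
    return None, trials


def strong_key() -> int:
    """The fix: key material from the OS CSPRNG, not from a seeded user-space PRNG.

    secrets.token_bytes(16) gives 128 bits of entropy; there is no small seed
    to enumerate, so the output cannot be reproduced by the search above.
    """
    return int.from_bytes(secrets.token_bytes(16), "big")


if __name__ == "__main__":
    key = weak_key(os.urandom(SEED_BYTES))  # constructed sample: a fresh weak key
    found, trials = recover_seed(key)
    print(f"seed {found.hex()} recovered after {trials} of {256 ** SEED_BYTES} trials")
    print(f"strong key: {strong_key():032x}")
```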

Mitigations & Prevention

Architecture and Design

Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.

Architecture and Design; Requirements

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

Real-World CVE Examples

CVE ID: CVE-2019-10908
Description: product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed.

Taxonomy Mappings

  • PLOVER: Small Seed Space in PRNG

Frequently Asked Questions

What is CWE-339?

CWE-339 (Small Seed Space in PRNG) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.

How can CWE-339 be exploited?

The impact of exploiting CWE-339 (Small Seed Space in PRNG) varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-339?

Key mitigations include: Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed.

What is the severity of CWE-339?

CWE-339 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVE.