CWE-338 Detail

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Medium
Draft
2006-07-19
00h00 +00:00
2023-10-26
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

CWE Description

When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks.

Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not use the precious, finite, entropy sources on a system. While such PRNGs might have very useful features, these same features could be used to break the cryptography.

General Informations

Modes Of Introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
Access ControlBypass Protection Mechanism

Note: If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality.

Observed Examples

References Description

CVE-2021-3692

PHP framework uses mt_rand() function (Marsenne Twister) when generating tokens

CVE-2009-3278

Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.

CVE-2009-3238

Random number generator can repeatedly generate the same value.

CVE-2009-2367

Web application generates predictable session IDs, allowing session hijacking.

CVE-2008-0166

SSL library uses a weak random number generator that only generates 65,536 unique keys.

Potential Mitigations

Phases : Implementation
Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

References

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

Submission

Name Organization Date Date release Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Common_Consequences, Observed_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2014-06-23 +00:00 updated Applicable_Platforms, Description, Name, Other_Notes
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Description, Modes_of_Introduction, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2021-07-20 +00:00 updated Maintenance_Notes
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples