CWE-331 Détail

CWE-331

Nom

Insufficient Entropy

Statut

Draft

Publié

2006-07-19
00h00 +00:00

Modifié

2023-06-29
00h00 +00:00

Liens officiels

CWE Mitre.org

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CWE ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Nom: Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Informations générales

Modes d'introduction

Architecture and Design
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Conséquences courantes

Portée	Impact	Probabilité
Access Control Other	Bypass Protection Mechanism, Other Note: An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization.

Exemples observés

Références	Description
CVE-2001-0950	Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.
CVE-2008-2108	Chain: insufficient precision (CWE-1339) in random-number generator causes some zero bits to be reliably generated, reducing the amount of entropy (CWE-331)

Mesures d’atténuation potentielles

Phases : Implementation
Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Modèles d'attaque associés

CAPEC-ID	Nom du modèle d'attaque
CAPEC-59	Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

NotesNotes

As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

Références

REF-207

Building Secure Software: How to Avoid Security Problems the Right Way
John Viega, Gary McGraw.

Soumission

Nom	Organisation	Date	Date de publication	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Nom	Organisation	Date	Commentaire
Eric Dalci	Cigital	2008-07-01 +00:00	updated Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2010-02-16 +00:00	updated Taxonomy_Mappings
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2012-05-11 +00:00	updated Common_Consequences, Demonstrative_Examples, References, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2019-01-03 +00:00	updated Relationships
CWE Content Team	MITRE	2019-06-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2021-07-20 +00:00	updated Maintenance_Notes, Observed_Examples
CWE Content Team	MITRE	2021-10-28 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes

Détail du CWE-331