CWE-336 PRNG中使用相同种子
Same Seed in Pseudo-Random Number Generator (PRNG)
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
扩展描述
If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 335 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 335 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Other', 'Access Control'] | ['Other', 'Bypass Protection Mechanism'] |
可能的缓解方案
Architecture and Design
策略:
Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices.
MIT-2 ['Architecture and Design', 'Requirements']
策略: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
示例代码
例
The following code uses a statistical PRNG to generate account IDs.
bad Java
public int generateAccountID() {
return random.nextInt();
Because the program uses the same seed value for every invocation of the PRNG, its values are predictable, making the system vulnerable to attack.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Same Seed in PRNG | ||
| The CERT Oracle Secure Coding Standard for Java (2011) | MSC02-J | Generate strong random numbers |