CWE-341 从可观察状态的可预测
Predictable from Observable State
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: unkown
基本描述
A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 330 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 330 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Other | Varies by Context | This weakness could be exploited by an attacker in a number ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing sensitive information, then an attacker might gain access to the system and may be able to gain access to the information in the file. |
可能的缓解方案
Implementation
策略:
Increase the entropy used to seed a PRNG.
MIT-2 ['Architecture and Design', 'Requirements']
策略: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
MIT-50 Implementation
策略:
Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.
示例代码
例
This code generates a unique random identifier for a user's session.
bad PHP
return rand();
Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.
This example also exhibits a Small Seed Space (CWE-339).
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2002-0389 | Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389 |
| CVE-2001-1141 | PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1141 |
| CVE-2000-0335 | DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0335 |
| CVE-2005-1636 | MFV. predictable filename and insecure permissions allows file modification to execute SQL queries. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1636 |
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Predictable from Observable State |