CWE-334: Small Space of Random Values

Description

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

Extended Description

N/A

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-2002-0583

Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root.
CVE: CVE-2002-0903

Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts.
CVE: CVE-2003-1230

SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN.
CVE: CVE-2004-0230

Complex predictability / randomness (reduced space).

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

Common Consequences

Impact: Bypass Protection Mechanism, Other — Notes: An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.

Potential Mitigations

Architecture and Design: Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators"). (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.

Body: This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session.

<sun-web-app> ... <session-config> <session-properties> <property name="idLengthBytes" value="8"> <description>The number of bytes in this web module's session ID.</description> </property> </session-properties> </session-config> ... </sun-web-app>

Notes

Maintenance: As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

← Back to CWE list