CWE-340: Generation of Predictable Numbers or Identifiers

Export to Word

Description

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2022-29330

Product for administering PBX systems uses predictable identifiers and timestamps for filenames (CWE-340) which allows attackers to access files via direct request (CWE-425).
CVE: CVE-2001-1141

PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.
CVE: CVE-1999-0074

Listening TCP ports are sequentially allocated, allowing spoofing attacks.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	N/A

Common Consequences

Impact: Varies by Context — Notes:

Potential Mitigations

None listed.

Applicable Platforms

None listed.

Demonstrative Examples

Intro: This code generates a unique random identifier for a user's session.

Body: Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

function generateSessionID($userID){ srand($userID); return rand(); }

Notes

Maintenance: As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

← Back to CWE list