Variant · Draft

CWE-336: Same Seed in Pseudo-Random Number Generator (PRNG)

Category: other

Description

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.

Common consequences · 1

  • Other / Access Control — Other, Bypass Protection Mechanism

Potential mitigations · 2

  • [Architecture and Design] Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high-quality pseudo-random output, such as hardware devices.
  • [Architecture and Design, Requirements] Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
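The behaviour in the description, next to a form that follows the first mitigation, as an added example that is not part of the CWE entry. `WeakTokenService`, `HardenedTokenService` and `FIXED_SEED` are hypothetical names; the restart check at the end can serve as a regression test for this weakness.

```python
import random
import secrets

FIXED_SEED = 1337  # constructed value; stands in for a seed hard-coded in the product


class WeakTokenService:
    """CWE-336: every initialization seeds the PRNG with the same value."""

    def __init__(self):
        self._rng = random.Random(FIXED_SEED)

    def new_token(self):
        return f"{self._rng.getrandbits(64):016x}"


class HardenedTokenService:
    """Draws each token from the OS CSPRNG; there is no application-managed seed."""

    def new_token(self):
        return secrets.token_hex(8)


def tokens_per_run(service_cls, restarts=3, per_run=4):
    """Simulate restarts: build a fresh service each time and record its tokens."""
    runs = []
    for _ in range(restarts):
        svc = service_cls()
        runs.append([svc.new_token() for _ in range(per_run)])
    return runs


def repeats_across_restarts(service_cls):
    """True when every restart replays the same token sequence."""
    runs = tokens_per_run(service_cls)
    return all(run == runs[0] for run in runs[1:])


if __name__ == "__main__":
    for cls in (WeakTokenService, HardenedTokenService):
        first_run = tokens_per_run(cls, restarts=1)[0]
        print(cls.__name__, "first run:", first_run)
        print(cls.__name__, "replays after restart:", repeats_across_restarts(cls))
```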

References

  1. https://cwe.mitre.org/data/definitions/336.html

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Predictable Seed in Pseudo-Random Number Generator (PRNG)
  • CWE: Small Seed Space in PRNG
  • CWE: Predictable Value Range from Previous Values
  • CWE: Insufficient Entropy in PRNG
  • CWE: Use of Predictable Algorithm in Random Number Generator
  • CWE: Improper Handling of Insufficient Entropy in TRNG

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.