Same Seed in Pseudo-Random Number Generator (PRNG)
Draft Variant
Structure: Simple
Description
A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.
Common Consequences 1
Scope: OtherAccess Control
Impact: OtherBypass Protection Mechanism
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Potential Mitigations 2
Phase: Architecture and Design
Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices.
Phase: Architecture and DesignRequirements
Strategy: Libraries or Frameworks
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
Demonstrative Examples 2
ID : DX-177
The following code uses a statistical PRNG to generate account IDs.Code Example:
Bad
Java
javaBecause the program uses the same seed value for every invocation of the PRNG, its values are predictable, making the system vulnerable to attack.
ID : DX-45
This code attempts to generate a unique random identifier for a user's session.Code Example:
Bad
PHP
phpBecause the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.
If the user IDs are generated sequentially, or otherwise restricted to a narrow range of values, then this example also exhibits a Small Seed Space (Small Seed Space in PRNG).
Observed Examples 1
CVE-2022-39218SDK for JavaScript app builder for serverless code uses the same fixed seed for a PRNG, allowing cryptography bypass
References 2
FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology
25-05-2001
ID: REF-267
FIPS PUB 140-3: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology
22-03-2019
ID: REF-1192
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Related Weaknesses
Taxonomy Mapping
- PLOVER
- The CERT Oracle Secure Coding Standard for Java (2011)
Notes
MaintenanceAs of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.