cwe.mitre.org
192.52.194.135
Public Scan
URL:
https://cwe.mitre.org/data/definitions/331.html
Submission: On June 01 via api from US — Scanned from DE
Form analysis
1 forms found in the DOM
/cgi-bin/jumpmenu.cgi
<form action="/cgi-bin/jumpmenu.cgi" align="right" style="padding:0px; margin:0px"> ID <label for="id" style="padding-right:5px">Lookup:</label>
<input id="id" name="id" type="text" style="width:50px; font-size:80%" maxlength="10">
<input value="Go" style="padding: 0px; font-size:80%" type="submit">
</form>
Text Content
COMMON WEAKNESS ENUMERATION
A Community-Developed List of Software & Hardware Weakness Types
CWE - Individual Dictionary Definition (4.7)

CWE-331: INSUFFICIENT ENTROPY

Weakness ID: 331
Abstraction: Base
Structure: Simple

Description

The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Relationships

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Types used in the tables below:

* Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.
* Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.
* Category - a CWE entry that contains a set of other entries that share a common characteristic.

Relevant to the view "Research Concepts" (CWE-1000)

| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | Class | 330 | Use of Insufficiently Random Values |
| ParentOf | Variant | 332 | Insufficient Entropy in PRNG |
| ParentOf | Variant | 333 | Improper Handling of Insufficient Entropy in TRNG |

Relevant to the view "Software Development" (CWE-699)

| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | Category | 1213 | Random Number Issues |
| MemberOf | Category | 310 | Cryptographic Issues |

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)

| Nature | Type | ID | Name |
|---|---|---|---|
| ChildOf | Class | 330 | Use of Insufficiently Random Values |

Relevant to the view "Architectural Concepts" (CWE-1008)

| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | Category | 1013 | Encrypt Data |

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

| Phase | Note |
|---|---|
| Architecture and Design | |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |

Applicable Platforms

This listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

| Scope | Impact | Likelihood |
|---|---|---|
| Access Control, Other | Technical Impact: Bypass Protection Mechanism; Other. An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization. | |

Demonstrative Examples

Example 1

This code generates a unique random identifier for a user's session.

(bad code) Example Language: PHP

    function generateSessionID($userID){
        srand($userID);
        return rand();
    }

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

This example also exhibits a Small Seed Space (CWE-339).

Example 2

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.

(bad code) Example Language: Java

    String GenerateReceiptURL(String baseUrl) {
        Random ranGen = new Random();
        ranGen.setSeed((new Date()).getTime());
        return(baseUrl + ranGen.nextInt(400000000) + ".html");
    }

This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

Observed Examples

| Reference | Description |
|---|---|
| CVE-2001-0950 | Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low. |
| CVE-2008-2108 | Chain: insufficient precision (CWE-1339) in random-number generator causes some zero bits to be reliably generated, reducing the amount of entropy (CWE-331) |

Potential Mitigations

Phase: Implementation

Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Types used in the table below:

* View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).
* Category - a CWE entry that contains a set of other entries that share a common characteristic.

| Nature | Type | ID | Name |
|---|---|---|---|
| MemberOf | View | 884 | CWE Cross-section |
| MemberOf | Category | 905 | SFP Primary Cluster: Predictability |
| MemberOf | Category | 1170 | SEI CERT C Coding Standard - Guidelines 48. Miscellaneous (MSC) |
| MemberOf | Category | 1346 | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |

Notes

Maintenance

As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | | | Insufficient Entropy |
| WASC | 11 | | Brute Force |
| CERT C Secure Coding | MSC32-C | Exact | Properly seed pseudorandom number generators |

Related Attack Patterns

| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-59 | Session Credential Falsification through Prediction |

References

[REF-207] John Viega and Gary McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 1st Edition. Addison-Wesley. 2002.

Content History

Submissions

| Submission Date | Submitter | Organization |
|---|---|---|
| 2006-07-19 | PLOVER | |

Modifications

| Modification Date | Modifier | Organization | Change |
|---|---|---|---|
| 2008-07-01 | Eric Dalci | Cigital | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings |
| 2010-02-16 | CWE Content Team | MITRE | updated Taxonomy_Mappings |
| 2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, References, Relationships |
| 2012-10-30 | CWE Content Team | MITRE | updated Potential_Mitigations |
| 2015-12-07 | CWE Content Team | MITRE | updated Relationships |
| 2017-11-08 | CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
| 2019-01-03 | CWE Content Team | MITRE | updated Relationships |
| 2019-06-20 | CWE Content Team | MITRE | updated Relationships |
| 2020-02-24 | CWE Content Team | MITRE | updated Relationships |
| 2021-07-20 | CWE Content Team | MITRE | updated Maintenance_Notes, Observed_Examples |
| 2021-10-28 | CWE Content Team | MITRE | updated Relationships |

Page Last Updated: April 28, 2022

Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2022, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.