CWE-337

Predictable Seed in Pseudo-Random Number Generator (PRNG)

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

Mitigation

Phases:

Description:

  • Use non-predictable inputs for seed generation.
Mitigation ID: MIT-2

Phases: Architecture and Design, Requirements

Strategy: Libraries or Frameworks

Description:

  • Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
Mitigation ID: MIT-50

Phase: Implementation

Description:

  • Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page