CWE-341

Predictable from Observable State

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

Mitigation

Phase: Implementation

Description:

Increase the entropy used to seed a PRNG.

Mitigation ID: MIT-2

Phases: Architecture and Design, Requirements

Strategy: Libraries or Frameworks

Description:

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

Mitigation ID: MIT-50

Phase: Implementation

Description:

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page