CWE-341: Predictable from Observable State
Weakness type: Base. Status: Draft.
Description
A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
Common consequences
- Scope: Other. Impact: Varies by Context. This weakness could be exploited by an attacker in a number of ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access t
Potential mitigations
- Phase: Implementation. Increase the entropy used to seed a PRNG.
- Phases: Architecture and Design; Requirements. Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
- Phase: Implementation. Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.
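The following added example (not part of the CWE entry) shows the weakness in the description above beside the mitigated form: a session token derived only from wall-clock time and process ID is a pure function of observable state and is regenerated identically whenever those inputs repeat, whereas a token drawn from the OS CSPRNG is not. The timestamp and PID values are constructed sample inputs, and the function names are the example's own.

```python
import os
import random
import secrets
import time


def weak_session_token(now=None, pid=None):
    """Weak form (CWE-341): the token is a pure function of observable
    state, wall-clock seconds and the process ID, so anyone who can
    observe or guess those two values obtains the same token."""
    now = time.time() if now is None else now
    pid = os.getpid() if pid is None else pid
    rng = random.Random(f"{int(now)}:{pid}")  # predictable seed, non-CSPRNG
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(16))


def strong_session_token():
    """Hardened form: `secrets` draws from the OS CSPRNG, which is seeded
    from high-entropy sources, so the token cannot be reconstructed from
    time, PID or any other state an observer can see."""
    return secrets.token_hex(16)


def is_reproducible(make_token, trials=5):
    """True if repeated calls yield one identical token, i.e. the
    generator's output is fixed once its (observable) inputs are fixed."""
    return len({make_token() for _ in range(trials)}) == 1


if __name__ == "__main__":
    # Constructed sample of observable state: a timestamp and a PID.
    observed = dict(now=1_700_000_000.0, pid=4242)
    print("weak token reproducible:",
          is_reproducible(lambda: weak_session_token(**observed)))  # True
    print("strong token reproducible:",
          is_reproducible(strong_session_token))                     # False
```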