CWE-333

Variant Abstraction Level
Pillar — Highest-level weakness category
Class — Abstract, language-independent
Base — Specific enough to detect
Variant — Tied to specific technology
Compound — Requires multiple weaknesses
Draft MITRE CWE Status
Stable — Fully reviewed and complete
Draft — Under development, may change
Incomplete — Partially defined by MITRE
Deprecated — No longer recommended
Obsolete — Replaced by another CWE
Exploit: Low
Improper Handling of Insufficient Entropy in TRNG

Description

True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.

Consequences

Availability — DoS: Crash, Exit, or Restart

A program may crash or block if it runs out of random numbers.

Mitigations

Phase: Implementation

Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.