CWE-334

Base Abstraction Level
Pillar — Highest-level weakness category
Class — Abstract, language-independent
Base — Specific enough to detect
Variant — Tied to specific technology
Compound — Requires multiple weaknesses
Draft MITRE CWE Status
Stable — Fully reviewed and complete
Draft — Under development, may change
Incomplete — Partially defined by MITRE
Deprecated — No longer recommended
Obsolete — Replaced by another CWE
Small Space of Random Values

Description

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

Consequences

Access Control, Other — Bypass Protection Mechanism, Other

An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.

Mitigations

Phase: Architecture and Design, Requirements

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").