CWE-334: Small Space of Random Values
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
常见后果
影响范围: Access Control Other
技术影响: Bypass Protection Mechanism Other
说明: An attacker could easily guess the values used. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
潜在缓解措施
阶段: Architecture and Design Requirements
策略: Libraries or Frameworks
描述: Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
观察示例
参考: CVE-2002-0583
Product uses 5 alphanumeric characters for filenames of expense claim reports, stored under web root.
参考: CVE-2002-0903
Product uses small number of random numbers for a code to approve an action, and also uses predictable new user IDs, allowing attackers to hijack new accounts.
参考: CVE-2003-1230
SYN cookies implementation only uses 32-bit keys, making it easier to brute force ISN.
参考: CVE-2004-0230
Complex predictability / randomness (reduced space).
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Small Space of Random Values | - |