CWE-330: Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Technical Details
- Structure: Simple
Applicable To
Security Consequences
Scope
Impact
When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.
Scope
Impact
If the product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the resource to the intended user. For example, a product might maintain session information in a file whose name is based on a username. An attacker could pre-create this file for a victim user, then set the permissions so that the application cannot generate the session for the victim, preventing the victim from using the application.
Scope
Impact
When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.
Mitigation Strategies
Phase
Description
Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Phase
Description
Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Phase
Description
Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
Phase
Description
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
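A minimal static check of the kind the automated-analysis mitigation above refers to, written for Python source. This is an added example, not part of the CWE entry or any specific tool; the keyword list, function names and sample source are assumptions made for illustration.

```python
import ast

# Module-level functions of Python's statistical PRNG (the random module).
WEAK_FUNCS = {"random", "randint", "randrange", "getrandbits",
              "choice", "choices", "sample", "shuffle", "seed"}
# Heuristic markers of a security context (assumption of this example).
SENSITIVE = ("token", "session", "password", "secret", "key", "nonce", "otp")

def find_weak_random(source: str):
    """Return (line, call, function) for random.* calls in security-named functions."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if not any(word in func.name.lower() for word in SENSITIVE):
            continue  # non-security use (e.g. shuffling a playlist) is not flagged
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id == "random"
                    and node.func.attr in WEAK_FUNCS):
                findings.append((node.lineno, f"random.{node.func.attr}", func.name))
    return sorted(findings)

# Constructed sample input: one weak generator, one benign use, one safe generator.
SAMPLE = '''\
import random, secrets

def new_session_token(user_id):
    random.seed(user_id)
    return random.getrandbits(64)

def shuffle_playlist(tracks):
    random.shuffle(tracks)
    return tracks

def new_api_key():
    return secrets.token_hex(32)
'''

if __name__ == "__main__":
    for line, call, func in find_weak_random(SAMPLE):
        print(f"line {line}: {call} used in {func}()")
```

The check is purely syntactic: it does no data flow analysis, so it misses aliased imports such as `from random import randint` and values that reach a security context indirectly, which is the coverage limit the mitigation text describes.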
Detection Methods
Method
Manual Static Analysis - Source Code
Description
According to SOAR [REF-1479], the following detection techniques may be useful:
Highly cost effective:
- Focused Manual Spotcheck - Focused manual analysis of source
- Manual Source Code Review (not inspections)
Effectiveness
High
Method
Architecture or Design Review
Description
According to SOAR [REF-1479], the following detection techniques may be useful:
Highly cost effective:
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Effectiveness
High
Code Examples & CVEs
Demonstrative Examples
This code attempts to generate a unique random identifier for a user's session.
Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.
This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.
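The two patterns described above (a PRNG seeded with the user's ID, and a statistical PRNG producing receipt identifiers), sketched in Python beside a CSPRNG-based replacement. This is an added example, not code from the CWE entry; the function names, the millisecond-clock seed for the receipt generator, and all sample values are assumptions.

```python
import random
import secrets

ID_SPACE = 10**9  # constructed size of the receipt-number space (assumption)

def weak_session_id(user_id: int) -> int:
    """Weak: the seed is the user's ID, so the output is a pure function of it."""
    return random.Random(user_id).getrandbits(32)

def weak_receipt_url(base_url: str, seed_ms: int) -> str:
    """Weak: statistical PRNG; seeding from a millisecond clock is assumed here."""
    return f"{base_url}{random.Random(seed_ms).randrange(ID_SPACE)}.html"

def distinct_weak_urls(base_url: str, start_ms: int, window_ms: int) -> int:
    """Count the URLs the weak generator can emit within a known time window."""
    seeds = range(start_ms, start_ms + window_ms)
    return len({weak_receipt_url(base_url, s) for s in seeds})

def strong_session_id() -> str:
    """Hardened: 32 bytes (256 bits) from the OS CSPRNG, no caller-supplied seed."""
    return secrets.token_urlsafe(32)

def strong_receipt_url(base_url: str) -> str:
    """Hardened: identifier is independent of time, user and previous outputs."""
    return f"{base_url}{secrets.token_urlsafe(32)}.html"

if __name__ == "__main__":
    base = "https://shop.example/receipts/"   # constructed sample value
    t0 = 1_700_000_000_000                    # constructed timestamp in ms
    # Same user ID in, same "random" session ID out, on every run.
    print(weak_session_id(1001), weak_session_id(1001))
    # The weak receipt space is bounded by the seed window, not by ID_SPACE.
    print(distinct_weak_urls(base, t0, 1000), "possible URLs in a 1 s window")
    print(strong_session_id())
    print(strong_receipt_url(base))
```

The count returned by `distinct_weak_urls` is the effective keyspace a reviewer should compare against the 256 bits the hardened functions draw from the operating system.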
Observed CVE Examples (18)
PHP framework uses mt_rand() function (Mersenne Twister) when generating tokens
Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time.
Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks.
Web application generates predictable session IDs, allowing session hijacking.
Password recovery utility generates a relatively small number of random passwords, simplifying brute force attacks.
Bulletin board application uses insufficiently random names for uploaded files, allowing other users to access private files.
Handheld device uses predictable TCP sequence numbers, allowing spoofing or hijacking of TCP connections.
Web management console generates session IDs based on the login time, making it easier to conduct session hijacking.
SSL library uses a weak random number generator that only generates 65,536 unique keys.
Chain: insufficient precision causes extra zero bits to be assigned, reducing entropy for an API function that generates random numbers.
Chain: insufficient precision (CWE-1339) in random-number generator causes some zero bits to be reliably generated, reducing the amount of entropy (CWE-331)
CAPTCHA implementation does not produce enough different images, allowing bypass using a database of all possible checksums.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-330: Use of Insufficiently Random Values?
CWE-330: Use of Insufficiently Random Values is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
What are the security consequences of Use of Insufficiently Random Values?
If exploited, CWE-330 (Use of Insufficiently Random Values) can compromise Confidentiality, Other and Access Control, leading to outcomes such as Other, Bypass Protection Mechanism and Gain Privileges or Assume Identity.
How do you prevent or mitigate Use of Insufficiently Random Values?
Recommended mitigations for CWE-330 include: Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number. Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices. Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
How is Use of Insufficiently Random Values detected?
CWE-330 can be detected using Manual Static Analysis - Source Code and Architecture or Design Review. Combining automated tooling with manual review typically yields the best coverage.
Which programming languages are affected by Use of Insufficiently Random Values?
CWE-330 is Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Use of Insufficiently Random Values?
MITRE documents real CVEs mapped to CWE-330, including CVE-2021-3692, CVE-2020-7010, CVE-2009-3278, CVE-2009-3238 and CVE-2009-2367. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-330 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.