CWE-341 从可观察状态的可预测

Predictable from Observable State

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 330 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 330 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Other Varies by Context This weakness could be exploited by an attacker in a number ways depending on the context. If a predictable number is used to generate IDs or keys that are used within protection mechanisms, then an attacker could gain unauthorized access to the system. If predictable filenames are used for storing sensitive information, then an attacker might gain access to the system and may be able to gain access to the information in the file.

可能的缓解方案

Implementation

策略:

Increase the entropy used to seed a PRNG.

MIT-2 ['Architecture and Design', 'Requirements']

策略: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

MIT-50 Implementation

策略:

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

示例代码

This code generates a unique random identifier for a user's session.

bad PHP

function generateSessionID($userID){
srand($userID);
return rand();
}

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

This example also exhibits a Small Seed Space (CWE-339).

分析过的案例

标识 说明 链接
CVE-2002-0389 Mail server stores private mail messages with predictable filenames in a world-executable directory, which allows local users to read private mailing list archives. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389
CVE-2001-1141 PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1141
CVE-2000-0335 DNS resolver library uses predictable IDs, which allows a local attacker to spoof DNS query results. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0335
CVE-2005-1636 MFV. predictable filename and insecure permissions allows file modification to execute SQL queries. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1636

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Predictable from Observable State

引用