Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-332 (PRNG中信息熵不充分) — Vulnerability Class 3

3 vulnerabilities classified as CWE-332 (PRNG中信息熵不充分). AI Chinese analysis included.

CWE-332 represents a critical weakness where a Pseudo-Random Number Generator lacks sufficient entropy, resulting in predictable output sequences that compromise system security. This flaw typically enables attackers to guess cryptographic keys, session tokens, or initialization vectors by analyzing the limited randomness source. When the underlying entropy pool is insufficient or poorly seeded, the generated numbers become deterministic rather than truly random, allowing adversaries to reconstruct internal states or brute-force sensitive values with significantly reduced computational effort. To mitigate this risk, developers must ensure their PRNGs are seeded with high-quality, unpredictable data from robust operating system entropy sources, such as hardware random number generators or kernel-provided entropy pools. Avoiding static seeds and regularly updating the entropy source during runtime are essential practices to maintain cryptographic strength and prevent exploitation of predictable generation patterns.

MITRE CWE Description
The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
Common Consequences (2)
AvailabilityDoS: Crash, Exit, or Restart
If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash.
Access Control, OtherBypass Protection Mechanism, Other
If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users.
Mitigations (3)
Architecture and Design, RequirementsUse products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
ImplementationConsider a PRNG that re-seeds itself as needed from high-quality pseudo-random output, such as hardware devices.
Architecture and DesignWhen deciding which PRNG to use, look at its sources of entropy. Depending on what your security needs are, you may need to use a random number generator that always uses strong random data -- i.e., a random number generator that attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally, something that al…
CVE IDTitleCVSSSeverityPublished
CVE-2023-20107 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability — Cisco Adaptive Security Appliance (ASA) Software 7.5 -2023-03-23
CVE-2019-1715 Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability — Cisco Adaptive Security Appliance (ASA) Software 7.5 -2019-05-03
CVE-2016-9154 Desigo PX Web Modules 安全漏洞 — Desigo PX Web modules with all firmware versions < V6.00.046 8.2 -2016-12-23

Vulnerabilities classified as CWE-332 (PRNG中信息熵不充分) represent 3 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.