Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Draft Base
Structure: Simple
Description

This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is used, but its initial seed value is predictable or is not handled securely, compromising the randomness of its output.

Extended Description

PRNGs are not truly random; they are deterministic algorithms that produce a sequence of numbers based on an initial seed. If an attacker can discover or guess this seed, they can predict the entire output stream, which is catastrophic for security functions like encryption keys, session tokens, or cryptographic nonces. Therefore, the seed must be treated with the same secrecy as a cryptographic key and should be generated from a robust, unpredictable source.

Secure seed management involves two critical practices. First, protect the seed itself as sensitive material: never hard-code it, log it, or transmit it insecurely. Second, source the seed from a cryptographically secure random number generator (CSPRNG) provided by the operating system or trusted library to ensure sufficient entropy. Avoid using predictable values like the current time, process IDs, or static strings, as these drastically reduce the number of possible seeds an attacker would need to guess.

Common Consequences 1
Scope: Access Control, Other

Impact: Bypass Protection Mechanism, Other

If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.

Demonstrative Examples 3

ID : DX-177

The following code uses a statistical PRNG to generate account IDs.

Code Example (Bad, Java):

Because the program uses the same seed value for every invocation of the PRNG, its values are predictable, making the system vulnerable to attack.

ID : DX-102

Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number:

Code Example (Bad, Java):

Code Example (Bad, C):

An attacker can easily predict the seed used by these PRNGs, and so also predict the stream of random numbers generated. Note these examples also exhibit Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).

ID : DX-178

This code grabs some random bytes and uses them for a seed in a PRNG, in order to generate a new cryptographic key.

Code Example (Bad, Python):

getting 2 bytes of randomness for seeding the PRNG

Since only 2 bytes are used as a seed, an attacker will only need to guess 2^16 (65,536) values before being able to replicate the state of the PRNG.
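
The 2^16 figure made concrete, as an added example that is not part of the original entry: a key derived from a 2-byte seed is checked against the whole seed space, next to a corrected generator. The function names, the use of `random.Random`, and the 16-byte key size are assumptions, since the entry's own code is not shown here.

```python
import os
import random
import secrets

SEED_BYTES = 2  # seed width described in the example above


def weak_key(seed: bytes, nbytes: int = 16) -> bytes:
    """Key derived from a statistical PRNG whose only secret is `seed`."""
    rng = random.Random(int.from_bytes(seed, "big"))
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def generate_weak_key() -> bytes:
    """The flawed pattern: a good entropy source, but only 2 bytes of it."""
    return weak_key(os.urandom(SEED_BYTES))


def recover_seed(observed_key: bytes):
    """Audit check: walk every possible seed and report the one that
    reproduces the key. Returns (seed, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in range(256 ** SEED_BYTES):
        attempts += 1
        seed = candidate.to_bytes(SEED_BYTES, "big")
        if weak_key(seed, len(observed_key)) == observed_key:
            return seed, attempts
    return None, attempts


def generate_strong_key(nbytes: int = 16) -> bytes:
    """Corrected form: take every key byte from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    key = generate_weak_key()
    seed, attempts = recover_seed(key)
    print(f"weak key {key.hex()} reproduced from seed {seed.hex()} "
          f"after {attempts} of {256 ** SEED_BYTES} candidates")
    seed, attempts = recover_seed(generate_strong_key())
    print(f"strong key: no 2-byte seed reproduces it "
          f"({attempts} candidates tried, seed={seed})")
```

The 128-bit length of the weak key is irrelevant to its strength: only 65,536 distinct keys can ever be produced, so the seed width is the effective key size.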

Observed Examples 4
CVE-2020-7010: Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time.
CVE-2019-11495: Server uses erlang:now() to seed the PRNG, which results in a small search space for potential random seeds.
CVE-2018-12520: Product's PRNG is not seeded for the generation of session IDs.
CVE-2016-10180: Router's PIN generation is based on rand(time(0)) seeding.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
Notes
Maintenance: As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.