CWE-336

Same Seed in Pseudo-Random Number Generator (PRNG)

Variant
Draft

Description

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.

Common Consequences

Scope: Other, Access Control

Impact: Other, Bypass Protection Mechanism

Potential Mitigations

Architecture and Design

Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high-quality source of pseudo-random output, such as a hardware device.

Architecture and Design, Requirements

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
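
The weakness and its correction side by side, as an added Python example that is not part of the CWE entry. The class names, helper functions and the seed value 1234 are constructed for illustration; `repeats_across_inits` is a regression check a test suite can run against any generator factory.

```python
import random
import secrets

FIXED_SEED = 1234  # constructed value standing in for a hard-coded seed


class FixedSeedTokens:
    """Weak: every initialization seeds the PRNG with the same constant."""

    def __init__(self):
        self._rng = random.Random(FIXED_SEED)

    def token(self, nbytes=16):
        return self._rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


class OsEntropyTokens:
    """Corrected: tokens come from the OS CSPRNG; no seed is stored or reused."""

    def token(self, nbytes=16):
        return secrets.token_hex(nbytes)


def outputs_after_init(factory, count=5):
    """Simulate one product start-up and return its first `count` tokens."""
    gen = factory()
    return [gen.token() for _ in range(count)]


def repeats_across_inits(factory, inits=3, count=5):
    """Regression check: True if any two initializations yield the same sequence."""
    runs = [tuple(outputs_after_init(factory, count)) for _ in range(inits)]
    return len(set(runs)) < len(runs)


def predicted_from_seed(seed, count=5, nbytes=16):
    """What anyone who knows the seed can compute without touching the product."""
    rng = random.Random(seed)
    return [rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()
            for _ in range(count)]


if __name__ == "__main__":
    print("fixed seed repeats:", repeats_across_inits(FixedSeedTokens))
    print("OS entropy repeats:", repeats_across_inits(OsEntropyTokens))
    print("prediction matches:",
          predicted_from_seed(FIXED_SEED) == outputs_after_init(FixedSeedTokens))
```
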

CVE-2022-39218: SDK for JavaScript app builder for serverless code uses the same fixed seed for a PRNG, allowing cryptography bypass

Applicable Platforms

Not Language-Specific
