Weak Random Number Generator
Severity Level: Medium
AppRisk Coverage: Yes
Type: Vulnerability
OWASP: M4: Unintended Data Leakage
Aliases:
Platform: Android
File size (bytes): N/A
Filename: N/A
App title: N/A
MD5 Hash: N/A
SHA1 hash: N/A
Affected CVE:
- CVE-2009-3278
- CVE-2009-3238
- CVE-2009-2367
- CVE-2008-0166
Details or analysis:
This is a NewSky Security AppRisk detection.
Use of a weak random number generator is a vulnerability that can occur in any programming language and on any platform. Non-cryptographic generators such as C's rand() or Java's java.util.Random are designed for speed and statistical uniformity, not unpredictability, and because they are the default convenience API in most languages they are used far more widely than one would expect. When such a generator supplies keys, IVs, tokens or session identifiers, an attacker who observes a few outputs (or guesses the seed, which is often a timestamp) can reconstruct the generator's internal state and predict every subsequent value, which can make it practical to recover the key and decrypt confidential data such as passwords or personal information.
This weakness has a medium likelihood of being exploited. To avoid it, one should “use functions or hardware which use a hardware-based random number generation for all crypto” (cwe.mitre.org). The examples cwe.mitre.org gives are CryptGenRandom on Windows and hw_rand() on Linux; on Android the equivalent is java.security.SecureRandom, which on current releases is backed by the kernel's /dev/urandom. java.util.Random and Math.random() should never be used for keys, tokens or session identifiers.
Observed examples of the Weak Random Number Generator
CVE-2009-3278
The QNAP TS-239 Pro and TS-639 Pro storage devices, running firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815, use the C library's rand() function to generate a certain recovery key. Because rand() output is fully determined by its seed, an attacker can determine this key by brute force and defeat the protection it is meant to provide.
CVE-2009-3238
The get_random_int function in the Linux kernel before 2.6.30 produced “insufficiently random” values: it tended to return the same value over and over again for long stretches of time. Attackers could therefore predict its return value and defeat protection mechanisms based on randomization (such as address-space layout randomization) that relied on it.
CVE-2009-2367
cgi-bin/makecgi-pro in Iomega StorCenter Pro generates predictable session IDs. An attacker who can guess a valid session ID by brute force can hijack an active session and obtain the privileges of the user who owns it.
CVE-2008-0166
OpenSSL 0.9.8c-1 up to 0.9.8g-9 on Debian-based operating systems (Debian and derivatives such as Ubuntu) used a random number generator with extremely predictable output: a Debian-specific patch had removed the code that mixed entropy into the generator's pool, leaving the process ID as effectively the only seed material. Only a few tens of thousands of distinct keys could therefore be produced for a given key type and size, so attackers could precompute every possible key and brute-force the SSH, SSL/TLS and other keys generated on affected systems.
Additional information
A random number generator, as its name implies, produces numbers that ideally cannot be predicted or guessed except by chance. Randomness does not mean that the same number never appears twice in a row: genuine random draws from a large set do repeat occasionally, and what matters is that an observer can neither predict the next value nor distinguish the output from true chance. A generator that repeats far more often than chance would allow, or whose next output can be derived from earlier ones, is weak.
A brute force attack is one in which the attacker systematically tries every possible key or password until finding the one that decrypts the data or grants access. It is only feasible when the number of candidates is small, which is exactly the situation a weak random number generator creates.
It is difficult to detect a weak random number generator from its output alone. One rough test is to see whether one can guess the next number the program will generate; if one predicts correctly more often than chance would allow, the generator is most likely weak. Statistical test suites can reveal gross bias but cannot prove unpredictability. The most reliable way to test for this vulnerability is to “inspect the exact method by which the PRNG works, down to the low details: what physical events it gathers, why can these events be considered ‘random’, how they are mixed together with cryptographic algorithms to produce pseudorandom bytes” (security.stackexchange.com). In practice this means reviewing the code to confirm that every security-sensitive random value comes from a CSPRNG API (SecureRandom on Android) rather than from Random, rand() or a time-based seed.
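The prediction attack described in the Details section, and the “guess the next number” test described above, worked through as an added example that is not part of the original analysis: this Python block re-implements the 48-bit linear congruential generator used by java.util.Random (the multiplier 0x5DEECE66D and addend 0xB are the real constants from the JDK), recovers the generator's internal state from two leaked nextInt() values by trying the 65536 unknown low bits, and then predicts the following outputs. The seed and the number of observed values are arbitrary demo choices; secure_token() shows the CSPRNG alternative (Python's secrets module, the counterpart of Android's SecureRandom), for which no such state-recovery shortcut exists.

```python
"""Model of java.util.Random's 48-bit LCG and a state-recovery attack on it (added example)."""
import secrets

# Real constants from java.util.Random
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


def _to_signed32(v):
    """Reinterpret the low 32 bits of v as a Java int."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


class JavaRandom:
    """Reimplements java.util.Random's seed scramble, next(32) and nextInt()."""

    def __init__(self, seed=None, state=None):
        if state is not None:
            self.state = state & MASK            # resume from a recovered internal state
        else:
            self.state = (seed ^ MULT) & MASK    # Java's initialScramble(seed)

    def next_int(self):
        self.state = (self.state * MULT + ADD) & MASK
        return _to_signed32(self.state >> 16)   # next(32): top 32 bits of the 48-bit state


def recover_state(outputs):
    """Given >= 2 consecutive nextInt() values, return the internal state after the last one.

    The first output is the top 32 bits of the 48-bit state, so only the low 16
    bits are unknown: at most 65536 candidates are tried, each checked against
    every remaining observed output. Returns None if no candidate fits.
    """
    if len(outputs) < 2:
        raise ValueError("need at least two consecutive outputs")
    top = outputs[0] & 0xFFFFFFFF
    for low in range(1 << 16):
        state = (top << 16) | low
        for expected in outputs[1:]:
            state = (state * MULT + ADD) & MASK
            if _to_signed32(state >> 16) != expected:
                break
        else:
            return state
    return None


def predict_next(outputs, count):
    """Predict the next `count` nextInt() values from observed consecutive outputs."""
    state = recover_state(outputs)
    if state is None:
        return None
    clone = JavaRandom(state=state)
    return [clone.next_int() for _ in range(count)]


def attack_demo(seed=42, observed=2, predicted=3):
    """Leak `observed` values from a seeded generator (seed is an arbitrary demo choice),
    then check whether the attacker's prediction of the next `predicted` values is exact."""
    victim = JavaRandom(seed=seed)
    leaked = [victim.next_int() for _ in range(observed)]
    actual = [victim.next_int() for _ in range(predicted)]
    guessed = predict_next(leaked, predicted)
    return guessed == actual, guessed, actual


def secure_token(nbytes=16):
    """Contrast: a token from the OS CSPRNG (secrets -> os.urandom); outputs are independent."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    ok, guessed, actual = attack_demo()
    print("prediction matches:", ok, guessed, actual)
    print("secure token:", secure_token())
```

The brute force over 65536 candidates finishes in well under a second, which is the practical meaning of "predictable": an attacker who sees two tokens issued by a java.util.Random-backed generator knows every token it will issue next.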
Analysis by: Saralyn Santos
Reference:
- Security