CWE-333: Improper Handling of Insufficient Entropy in TRNG

How to prevent it

Practical mitigations for CWE-333, grouped by where in the lifecycle they apply.

Implementation

Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.

CWE-333: Improper Handling of Insufficient Entropy in TRNG

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code uses a TRNG to generate a unique session id for new connections to a server:

Vulnerable example

while (1){

This code does not attempt to limit the number of new connections or make sure the TRNG can successfully generate a new random number. An attacker may be able to create many new connections and exhaust the entropy of the TRNG. The TRNG may then block and cause the program to crash or hang.

How to prevent it

CWE-333: Improper Handling of Insufficient Entropy in TRNG

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-333?

What CVEs are caused by CWE-333?

How do you prevent CWE-333?

What are the consequences of CWE-333?

Is CWE-333 actively exploited?

References

Stay ahead of CWE-333

How to prevent it

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-333?

What CVEs are caused by CWE-333?

How do you prevent CWE-333?

What are the consequences of CWE-333?

Is CWE-333 actively exploited?

References

Stay ahead of CWE-333