Early Access — Mondoo Vulnerability Intelligence is currently in preview.
The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2020-7010Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time.
CVE-2019-11495server uses erlang:now() to seed the PRNG, which results in a small search space for potential random seeds
CVE-2018-12520Product's PRNG is not seeded for the generation of session IDs
CVE-2016-10180Router's PIN generation is based on rand(time(0)) seeding.