GO-S1033 · Random number generator seed doesn't have enough entropy

Random number generator seed doesn't have enough entropy GO-S1033

Security

Major

a year ago — a year old

a02 cwe-336 cwe-337 owasp top 10 cwe-331

Time based seeds have insufficient entropy

 29)
 30
 31func Server(ctx context.Context, cfg *config.Control) error {
 32	rand.Seed(time.Now().UTC().UnixNano()) 33
 34	if err := prepare(ctx, cfg); err != nil {
 35		return errors.Wrap(err, "preparing server")

Time based seeds have insufficient entropy

pkg/daemons/agent/agent.go

16)
17
18func Agent(ctx context.Context, nodeConfig *daemonconfig.Node, proxy proxy.Proxy) error {
19	rand.Seed(time.Now().UTC().UnixNano())20
21	logs.InitLogs()
22	defer logs.FlushLogs()

Time based seeds have insufficient entropy

pkg/kubectl/main.go

37}
38
39func main() {
40	rand.Seed(time.Now().UnixNano())41
42	command := cmd.NewDefaultKubectlCommand()
43	if err := cli.RunNoErrOutput(command); err != nil {

Description

As math/rand uses a statistical random number generator, using a low entropy seed (such as constants and the current system time) may allow an attacker to predict what the following number generated is.

Bad practice

package main

import (
    "math/rand"
    "time"
)

func main() {
    rand.Seed(42)                // constant seeds are bad
    rand.Seed(time.Now().Unix()) // time based seeds don't have sufficient entropy
}

xiaods / k8e

Bad practice

References