CVE-2019-10064 — Insufficient Entropy in Hostapd

CWE-331 — Insufficient Entropy8 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.4%

top 19.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

W1.fi Hostapd Debian Linux

Timeline

PublishedFeb 28

Latest updateMay 24

Description

hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDw1.fi/hostapd< 2.6

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: w1.fi ↗Patch: w1.fi ↗

🔴Vulnerability Details

GHSA

GHSA-h5p7-cpc2-2j2r: hostapd before 2↗2022-05-24

▶

OSV

CVE-2019-10064: hostapd before 2↗2020-02-28

▶

CVEList

CVE-2019-10064: hostapd before 2↗2020-02-28

▶

📋Vendor Advisories

Red Hat

hostapd: Not preventig the use of low quality PRNG in EAP mode leads to insufficient entropy↗2020-02-27

▶

Debian

CVE-2019-10064: wpa - hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard...↗2019

▶

💬Community

Bugzilla

CVE-2019-10064 hostapd: Not preventig the use of low quality PRNG in EAP mode leads to insufficient entropy↗2020-03-06

▶

Bugzilla

CVE-2016-10743 hostapd: Not preventig the use of low quality PRNG leads to insufficient entropy↗2020-03-06

▶