Insufficient Entropy in hostapd - CVE-2019-10064


Published: February 28, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30346
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-10064
CWE-ID: CWE-331
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jouni Malinen
Affected software:
hostapd

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
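The pattern the description names, as an added illustration in hypothetical C that is not hostapd's own code: an unseeded rand() reproduces the same byte sequence in every fresh process, so a nonce drawn from it is predictable, while the hardened form reads the bytes from the kernel CSPRNG (assumes /dev/urandom is available, as on Linux; the 16-byte nonce size is an assumption for the example).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NONCE_LEN 16   /* nonce size chosen for illustration only */

/* Vulnerable pattern (CWE-331): rand() with no prior srand()/srandom().
 * C requires an unseeded rand() to behave as if srand(1) had been
 * called, so every fresh process yields the same byte sequence. */
void weak_nonce(unsigned char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened pattern: take the bytes from the kernel CSPRNG instead.
 * Returns 0 on success, -1 if /dev/urandom could not be read. */
int strong_nonce(unsigned char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Models two fresh processes that never seeded: resetting to the implicit
 * default seed is exactly the state a new process starts in.
 * Returns 1 if both "processes" produced the same nonce. */
int weak_nonce_is_repeatable(void)
{
    unsigned char a[NONCE_LEN], b[NONCE_LEN];
    srand(1);
    weak_nonce(a, NONCE_LEN);
    srand(1);
    weak_nonce(b, NONCE_LEN);
    return memcmp(a, b, NONCE_LEN) == 0;
}

/* Returns 1 if two consecutive strong nonces differ, -1 on read failure
 * (a collision between two random 16-byte values has odds of 2^-128). */
int strong_nonce_is_fresh(void)
{
    unsigned char a[NONCE_LEN], b[NONCE_LEN];
    if (strong_nonce(a, NONCE_LEN) || strong_nonce(b, NONCE_LEN))
        return -1;
    return memcmp(a, b, NONCE_LEN) != 0;
}
```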


How to mitigate CVE-2019-10064

Install update from vendor's website.

Sources