#VU30346 Insufficient Entropy in hostapd - CVE-2019-10064

 


Published: February 28, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30346
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-10064
CWE-ID: CWE-331
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: hostapd
Software vendor: Jouni Malinen

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
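
The root cause described above, as an added example (not hostapd's code): ISO C specifies that rand() called without a prior srand() behaves as if srand(1) had been called, so every process start produces the same sequence. The helper name `get_os_random` and the use of `/dev/urandom` on a POSIX system are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define N 8

/* Must be the first rand() use in the process. ISO C: rand() with no prior
 * srand() yields the same sequence as after srand(1). Returns 1 if so. */
int unseeded_matches_seed1(void)
{
    int first[N], again[N];
    for (int i = 0; i < N; i++) first[i] = rand();   /* no srand() before */
    srand(1);
    for (int i = 0; i < N; i++) again[i] = rand();
    return memcmp(first, again, sizeof(first)) == 0;
}

/* Hypothetical helper: fill buf with len bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 on failure; callers must treat failure as
 * fatal rather than falling back to rand(). */
int get_os_random(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t done = 0;
    while (done < len) {
        ssize_t n = read(fd, buf + done, len - done);
        if (n <= 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    close(fd);
    return 0;
}

int main(void)
{
    unsigned char a[16], b[16];
    printf("unseeded rand() == srand(1) sequence: %s\n",
           unseeded_matches_seed1() ? "yes" : "no");
    if (get_os_random(a, sizeof a) || get_os_random(b, sizeof b)) return 1;
    printf("two OS draws differ: %s\n", memcmp(a, b, sizeof a) ? "yes" : "no");
    return 0;
}
```

Seeding with srand(time(NULL)) would only move the problem, since the seed is guessable; values that must be unpredictable should come from the operating system's random source.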


Remediation

Install the update from the vendor's website.
