CVE-2019-10064

hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.

Published: Feb 28, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-10064
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-331

Affected Software
References

Software	From	Fixed in
w1.fi / hostapd	-	2.6
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x

http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html
http://seclists.org/fulldisclosure/2020/Feb/26
http://www.openwall.com/lists/oss-security/2020/02/27/1
http://www.openwall.com/lists/oss-security/2020/02/27/2
https://lists.debian.org/debian-lts-announce/2020/03/msg00010.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389

Vulnerability Database

289,697

CVE-2019-10064