CVE-2019-10064 - Insufficient Entropy vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | PARTIAL |
Summary
hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
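To make the summary concrete, here is an added example (not hostapd's code; the function names are constructed for illustration) contrasting the unseeded rand() pattern described above with a read from the kernel CSPRNG, which is the role os_get_random plays in the upstream fix:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (as described for hostapd < 2.6): derive "random"
 * bytes from rand() with no preceding srand(). The C standard requires
 * rand() without srand() to behave as if srand(1) had been called, so
 * every fresh process emits the same byte sequence. */
static void fill_unseeded_rand(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
}

/* Fixed pattern: read from the kernel CSPRNG via /dev/urandom, the role
 * os_get_random plays in the fix. Returns 0 on success, -1 on failure;
 * callers must treat failure as fatal and never fall back to rand(). */
static int fill_csprng(unsigned char *buf, size_t len)
{
    size_t got;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Model two fresh processes with srand(1) (the implicit default seed) and
 * check that they produce identical output: returns 1 if deterministic. */
int unseeded_rand_is_deterministic(void)
{
    unsigned char a[16], b[16];
    srand(1);
    fill_unseeded_rand(a, sizeof a);
    srand(1);
    fill_unseeded_rand(b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Two independent 16-byte CSPRNG draws collide with negligible probability:
 * returns 1 if they differ, -1 if the CSPRNG could not be read. */
int csprng_draws_differ(void)
{
    unsigned char a[16], b[16];
    if (fill_csprng(a, sizeof a) != 0 || fill_csprng(b, sizeof b) != 0)
        return -1;
    return memcmp(a, b, sizeof a) != 0;
}
```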
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DLA-2138.NASL |
description | Similar to CVE-2016-10743, the host access point daemon, hostapd, in EAP mode used a low-quality pseudorandom number generator that led to insufficient entropy. The problem was resolved by using the os_get_random function, which provides cryptographically strong pseudorandom data. For Debian 8 |
last seen | 2020-03-17 |
modified | 2020-03-12 |
plugin id | 134430 |
published | 2020-03-12 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/134430 |
title | Debian DLA-2138-1 : wpa security update |
References
- https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389
- http://www.openwall.com/lists/oss-security/2020/02/27/1
- http://www.openwall.com/lists/oss-security/2020/02/27/2
- http://seclists.org/fulldisclosure/2020/Feb/26
- http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html
- https://lists.debian.org/debian-lts-announce/2020/03/msg00010.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html