CVE-2019-10064

moderate-risk
Published 2020-02-28

hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.

Do I need to act?

~
1.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (3)

Affected Vendors

Debian W1.Fi

References (16)

Exploit http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html
Exploit http://seclists.org/fulldisclosure/2020/Feb/26
Exploit http://www.openwall.com/lists/oss-security/2020/02/27/1
Exploit http://www.openwall.com/lists/oss-security/2020/02/27/1
Mailing List http://www.openwall.com/lists/oss-security/2020/02/27/2
Mailing List https://lists.debian.org/debian-lts-announce/2020/03/msg00010.html
Mailing List https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
Patch https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389
Exploit http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html
Exploit http://seclists.org/fulldisclosure/2020/Feb/26
Exploit http://www.openwall.com/lists/oss-security/2020/02/27/1
Exploit http://www.openwall.com/lists/oss-security/2020/02/27/1
Mailing List http://www.openwall.com/lists/oss-security/2020/02/27/2
Mailing List https://lists.debian.org/debian-lts-announce/2020/03/msg00010.html
Mailing List https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
Patch https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389
39
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 4/34 · Minimal
Exposure 9/34 · Low