Potential Random Number Generation Issues in Hostapd by Free Range Routing
CVE-2019-10064

7.5 HIGH

Key Information:

Vendor

W1.fi

Status
Vendor
CVE Published:
28 February 2020

What is CVE-2019-10064?

A flaw exists in Hostapd versions prior to 2.6, where it makes calls to the rand() and random() functions without the necessary seeding via srand() or srandom(). This deficiency leads to the use of deterministic values, undermining the security of cryptographic processes that rely on randomness, particularly in EAP (Extensible Authentication Protocol) scenarios. The absence of proper entropy seeding can expose communication to potential predictability attacks. Developers are urged to update to the latest version to mitigate this risk.
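
The determinism described above, shown next to a seeded-by-the-OS alternative. This is an added example, not hostapd code: the function names, the 16-byte challenge size and the use of /dev/urandom are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHALLENGE_LEN 16 /* constructed size, not taken from hostapd */

/* Weak pattern: bytes from rand() with no srand() call. The C standard
 * defines that state as equivalent to srand(1); srand(1) here models a
 * freshly started process so repeated calls act like repeated restarts. */
void challenge_unseeded(unsigned char *buf, size_t len)
{
    srand(1);
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened pattern: bytes from the OS CSPRNG. Returns 0 on success. */
int challenge_os_random(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Returns 1 if two simulated restarts produce the same challenge. */
int restarts_repeat_unseeded(void)
{
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    challenge_unseeded(a, sizeof a);
    challenge_unseeded(b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Returns 1 if two OS-random challenges match, 0 if not, -1 on error. */
int restarts_repeat_os(void)
{
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    if (challenge_os_random(a, sizeof a) || challenge_os_random(b, sizeof b))
        return -1;
    return memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    printf("unseeded rand() repeats: %d\n", restarts_repeat_unseeded());
    printf("OS random repeats:       %d\n", restarts_repeat_os());
    return 0;
}
```

When auditing a code base for this class of bug, search for rand() or random() call sites that feed protocol values and confirm whether any seeding call is reachable before them.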

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
