ID CVE-2019-10064
Summary hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
References
Vulnerable Configurations
  • cpe:2.3:a:w1.fi:hostapd:0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.6:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.6.7:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:0.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:w1.fi:hostapd:2.5:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 08-08-2020 - 23:15)
Impact:
Exploitability:
CWE CWE-331
CAPEC
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
refmap via4
fulldisc 20200227 Hostapd fails at seeding PRNGS, leading to insufficient entropy (CVE-2016-10743 and CVE-2019-10064)
misc
mlist
  • [debian-lts-announce] 20200311 [SECURITY] [DLA 2138-1] wpa security update
  • [debian-lts-announce] 20200808 [SECURITY] [DLA 2318-1] wpa security update
  • [oss-security] 20200227 Hostapd fails at seeding PRNGS, leading to insufficient entropy (CVE-2016-10743 and CVE-2019-10064)
  • [oss-security] 20200227 Re: Hostapd fails at seeding PRNGS, leading to insufficient entropy (CVE-2016-10743 and CVE-2019-10064)
Last major update 08-08-2020 - 23:15
Published 28-02-2020 - 15:15
Last modified 08-08-2020 - 23:15