CVE-2019-10064 — HIGH (7.5)

Q: How severe is CVE-2019-10064?

CVE-2019-10064 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-10064?

Check the references section above for vendor advisories and patch information. Affected products include: W1.Fi Hostapd, Debian Debian Linux.

Vulnerability Description

hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
W1.Fi	Hostapd	< 2.6
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-331

References

http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.htmlExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2020/Feb/26ExploitMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/02/27/1ExploitMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/02/27/1ExploitMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/02/27/2Mailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00010.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00013.htmlMailing ListThird Party Advisory
https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389PatchThird Party Advisory
http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.htmlExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2020/Feb/26ExploitMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/02/27/1ExploitMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/02/27/1ExploitMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/02/27/2Mailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00010.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00013.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2019-10064?

CVE-2019-10064 is a vulnerability with a CVSS score of 7.5 (HIGH). hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic ...

How severe is CVE-2019-10064?

CVE-2019-10064 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-10064?

Check the references section above for vendor advisories and patch information. Affected products include: W1.Fi Hostapd, Debian Debian Linux.