hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.
Weakness
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Hostapd | W1.fi | * | 2.6 (excluding) |
| Wpa | Ubuntu | esm-infra-legacy/trusty | * |
| Wpa | Ubuntu | esm-infra/xenial | * |
| Wpa | Ubuntu | trusty | * |
| Wpa | Ubuntu | trusty/esm | * |
| Wpa | Ubuntu | upstream | * |
| Wpa | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html
- http://seclists.org/fulldisclosure/2020/Feb/26
- http://www.openwall.com/lists/oss-security/2020/02/27/1
- http://www.openwall.com/lists/oss-security/2020/02/27/1
- http://www.openwall.com/lists/oss-security/2020/02/27/2
- https://lists.debian.org/debian-lts-announce/2020/03/msg00010.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
- https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389
- http://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html
- http://seclists.org/fulldisclosure/2020/Feb/26
- http://www.openwall.com/lists/oss-security/2020/02/27/1
- http://www.openwall.com/lists/oss-security/2020/02/27/1
- http://www.openwall.com/lists/oss-security/2020/02/27/2
- https://lists.debian.org/debian-lts-announce/2020/03/msg00010.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html
- https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389