CVE-2016-10743

Related Files

Hostapd Insufficient Entropy

Posted Feb 29, 2020

Authored by Jonathan Brossard, Nicolas Massaviol

Hostapd versions prior to 2.6 were not seeding PRNGs. This vulnerability has been fixed silently around 2016, but never attributed a CVE number, leading to many distributions and IoT devices still shipping this version of the software. In addition, it has been discovered that the Extensible Authentication Protocol (EAP) mode, which offers a protection against flooding attacks, also uses predictable PRNGs.

tags | advisory, protocol

advisories | CVE-2016-10743, CVE-2019-10064

SHA-256 | 2d166b553a0342f96415f97cd97caa0cedc98fd50d33edcf18d27bde29fcd3c7

Download | Favorite | View

Ubuntu Security Notice USN-3944-1

Posted Apr 11, 2019

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3944-1 - It was discovered that wpa_supplicant and hostapd were vulnerable to a side channel attack against EAP-pwd. A remote attacker could possibly use this issue to recover certain passwords. Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly validated received scalar and element values in EAP-pwd-Commit messages. A remote attacker could possibly use this issue to perform a reflection attack and authenticate without the appropriate password. Various other issues were also addressed.

tags | advisory, remote

systems | linux, ubuntu

advisories | CVE-2016-10743, CVE-2019-9495, CVE-2019-9498, CVE-2019-9499

SHA-256 | 5cd1105b2e54bffc81e4ab1e2261cd73be7cd130544105c2d7414ca3f2dcf45e

Download | Favorite | View