Bug 1811069 (CVE-2019-10064)

Summary: CVE-2019-10064 hostapd: Not preventig the use of low quality PRNG in EAP mode leads to insufficient entropy
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dcaratti, linville, negativo17, sukulkar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-27 06:45:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1811039    

Description Michael Kaplan 2020-03-06 14:31:57 UTC 
hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743.

External Reference:

https://moabi.com/advisories/CVE-2019-10064.html
Comment 1 Huzaifa S. Sidhpurwala 2020-03-27 06:44:21 UTC 
Analysis:

This issue is only triggered with WPS pin needs to be generated and there is no /dev/urandom device. Such a scenario should not be possible in a typical server configuration, and may be a case in case of IoT or embedded devices. Therefore marking Red Hat Products as not affected.