Moabi just reported CVE-2016-10743 and CVE-2019-10064, which are not public. The first one relates to an accidental fix in Hostapd 2.5; the second one is current and affects all versions of Hostapd including the current ones (there is no patch). Both relate to the fact that Hostapd is relaying on PRNGs from the libc to generate various cryptographic keys, while never actually seeding those PRNGs.
Pre-Requisites: Technical experience in Reverse Engineering and a working knownedge of everything ranging from assembly to C auditing to compiler mitigations and exploits writing.
Mobile & IoT Security Hackers & Threats
zero day vulnerability Internet of Things hackers & threats exploit of vulnerability cryptography
Share With Your Community