what you don't know can hurt you

Hostapd Insufficient Entropy

Hostapd Insufficient Entropy
Posted Feb 29, 2020
Authored by Jonathan Brossard, Nicolas Massaviol

Hostapd versions prior to 2.6 were not seeding PRNGs. This vulnerability has been fixed silently around 2016, but never attributed a CVE number, leading to many distributions and IoT devices still shipping this version of the software. In addition, it has been discovered that the Extensible Authentication Protocol (EAP) mode, which offers a protection against flooding attacks, also uses predictable PRNGs.

tags | advisory, protocol
advisories | CVE-2016-10743, CVE-2019-10064
MD5 | 33e520c9d1bd415aed21d04467de83db

Hostapd Insufficient Entropy

Change Mirror Download


----------------------------------------------------------------------
* Hostapd fails at seeding PRNGS, *
* leading to insufficient entropy *
----------------------------------------------------------------------


--[ Vulnerabilities Summary:

Date Published: 27/02/2020
CVE Names: CVE-2016-10743 and CVE-2019-10064.
Title: Hostapd fails at seeding PRNGs
Class: CWE-331: Insufficient Entropy
Remotely Exploitable: Yes
Locally Exploitable: No
Impact: Remote network access, remote Denial of Service
Advisory URL: https://moabi.com/advisories/CVE-2019-10064.html


--[ Synopsis:

Hostapd (host access point daemon) is a user space daemon software
enabling a network
interface card to act as an access point and authentication server. It
is powering
billions of IoT devices.

It has been discovered that hostapd before version 2.6 wasn't seeding
PRNGs at all.
This vulnerability has been fixed silently around 2016, but never
attributed a CVE
number, leading to many distributions and IoT devices still shipping
this version of
the software. This vulnerability has been given id CVE-2016-10743.
In some configurations, when WPS is enabled and a /dev/urandom device
isn't available,
this leads to WPS PINS being predictable, allowing remote network access
from an attacker.

In addition, it has been discovered that the Extensible Authentication
Protocol (EAP) mode,
which offers a protection against flooding attacks, also uses
predictable PRNGs. This
vulnerability has been assigned id CVE-2019-10064.

--[ Details:

* details for CVE-2016-10743:

CVE-2016-10743 has been silently patched with commit:
98a516eae8260e6fd5c48ddecf8d006285da7389 on http://w1.fi/hostap.git on
Tue Feb 9 14:47:47 2016 +0000 by Nick Lowe <nick.lowe@lugatech.com>

https://wiki.sei.cmu.edu/confluence/display/c/MSC32-C.+Properly+seed+pseudorandom+number+generators

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_win32.c
unsigned long os_random(void)

{

return rand();

}


https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_internal.c

unsigned long os_random(void)

{

return random();

}


https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_unix.c

unsigned long os_random(void)

{

return random();

}


In all cases, os_random() is not seeded, and therefor entirely
predictable and repeatable.

This is exploitable via the WPS PIN generation, as detailed here:

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/wps/wps_common.c

/**

* wps_generate_pin - Generate a random PIN

* Returns: Eight digit PIN (i.e., including the checksum digit)

*/

unsigned int wps_generate_pin(void)

{

unsigned int val;



/* Generate seven random digits for the PIN */

if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0) {

struct os_time now;

os_get_time(&now);

val = os_random() ^ now.sec ^ now.usec;

}

val %= 10000000;



/* Append checksum digit */

return val * 10 + wps_pin_checksum(val);

}



* details for CVE-2019-10064:

The EAP mode features a flood prevention technique, which is defeated
due to lack of proper seeding of PRNGs:

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/eap_server/eap_server_pwd.c



static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data
*data,

u8 id)

{

wpa_printf(MSG_DEBUG, "EAP-pwd: ID/Request");

/*

* if we're fragmenting then we already have an id request, just return

*/

if (data->out_frag_pos)

return;



data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +

data->id_server_len);

if (data->outbuf == NULL) {

eap_pwd_state(data, FAILURE);

return;

}



/* an lfsr is good enough to generate unpredictable tokens */

data->token = os_random();

wpabuf_put_be16(data->outbuf, data->group_num);

wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);

(etc.)

--[ Suggested patch:

It is recommended to seed PRNGs by reading /dev/urandom, for instance
using the routine below:

/**
* Get a random seed
*/
int getseed(void) {
int fd;
int r, n;

fd = open("/dev/urandom", O_RDONLY);
if (fd < 0) {
perror("open");
exit(0);
}
n = read(fd, &r, sizeof(r));
if(n != sizeof(r)){
perror("read");
exit(0);
}
close(fd);
return(r);
}

--[ Disclosure timeline:

26/03/2019: Vulnerabilities discovered.
26/03/2019: Reported vulnerabilities to MITRE.
26/03/2019: Vulnerabilities assigned ids CVE-2016-10743 and CVE-2019-10064.
11/02/2020: Reported vulnerabilities to software author directly.
27/02/2020: Public disclosure.

--[ Credits:

This vulnerability was discovered by Nicolas Massaviol and Jonathan
Brossard from Moabi.com



Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    11 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close