what you don't know can hurt you

Hostapd Insufficient Entropy

Hostapd Insufficient Entropy
Posted Feb 29, 2020
Authored by Jonathan Brossard, Nicolas Massaviol

Hostapd versions prior to 2.6 were not seeding PRNGs. This vulnerability has been fixed silently around 2016, but never attributed a CVE number, leading to many distributions and IoT devices still shipping this version of the software. In addition, it has been discovered that the Extensible Authentication Protocol (EAP) mode, which offers a protection against flooding attacks, also uses predictable PRNGs.

tags | advisory, protocol
advisories | CVE-2016-10743, CVE-2019-10064
MD5 | 33e520c9d1bd415aed21d04467de83db

Hostapd Insufficient Entropy

Change Mirror Download


----------------------------------------------------------------------
* Hostapd fails at seeding PRNGS, *
* leading to insufficient entropy *
----------------------------------------------------------------------


--[ Vulnerabilities Summary:

Date Published: 27/02/2020
CVE Names: CVE-2016-10743 and CVE-2019-10064.
Title: Hostapd fails at seeding PRNGs
Class: CWE-331: Insufficient Entropy
Remotely Exploitable: Yes
Locally Exploitable: No
Impact: Remote network access, remote Denial of Service
Advisory URL: https://moabi.com/advisories/CVE-2019-10064.html


--[ Synopsis:

Hostapd (host access point daemon) is a user space daemon software
enabling a network
interface card to act as an access point and authentication server. It
is powering
billions of IoT devices.

It has been discovered that hostapd before version 2.6 wasn't seeding
PRNGs at all.
This vulnerability has been fixed silently around 2016, but never
attributed a CVE
number, leading to many distributions and IoT devices still shipping
this version of
the software. This vulnerability has been given id CVE-2016-10743.
In some configurations, when WPS is enabled and a /dev/urandom device
isn't available,
this leads to WPS PINS being predictable, allowing remote network access
from an attacker.

In addition, it has been discovered that the Extensible Authentication
Protocol (EAP) mode,
which offers a protection against flooding attacks, also uses
predictable PRNGs. This
vulnerability has been assigned id CVE-2019-10064.

--[ Details:

* details for CVE-2016-10743:

CVE-2016-10743 has been silently patched with commit:
98a516eae8260e6fd5c48ddecf8d006285da7389 on http://w1.fi/hostap.git on
Tue Feb 9 14:47:47 2016 +0000 by Nick Lowe <nick.lowe@lugatech.com>

https://wiki.sei.cmu.edu/confluence/display/c/MSC32-C.+Properly+seed+pseudorandom+number+generators

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_win32.c
unsigned long os_random(void)

{

return rand();

}


https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_internal.c

unsigned long os_random(void)

{

return random();

}


https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_unix.c

unsigned long os_random(void)

{

return random();

}


In all cases, os_random() is not seeded, and therefor entirely
predictable and repeatable.

This is exploitable via the WPS PIN generation, as detailed here:

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/wps/wps_common.c

/**

* wps_generate_pin - Generate a random PIN

* Returns: Eight digit PIN (i.e., including the checksum digit)

*/

unsigned int wps_generate_pin(void)

{

unsigned int val;



/* Generate seven random digits for the PIN */

if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0) {

struct os_time now;

os_get_time(&now);

val = os_random() ^ now.sec ^ now.usec;

}

val %= 10000000;



/* Append checksum digit */

return val * 10 + wps_pin_checksum(val);

}



* details for CVE-2019-10064:

The EAP mode features a flood prevention technique, which is defeated
due to lack of proper seeding of PRNGs:

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/eap_server/eap_server_pwd.c



static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data
*data,

u8 id)

{

wpa_printf(MSG_DEBUG, "EAP-pwd: ID/Request");

/*

* if we're fragmenting then we already have an id request, just return

*/

if (data->out_frag_pos)

return;



data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +

data->id_server_len);

if (data->outbuf == NULL) {

eap_pwd_state(data, FAILURE);

return;

}



/* an lfsr is good enough to generate unpredictable tokens */

data->token = os_random();

wpabuf_put_be16(data->outbuf, data->group_num);

wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);

(etc.)

--[ Suggested patch:

It is recommended to seed PRNGs by reading /dev/urandom, for instance
using the routine below:

/**
* Get a random seed
*/
int getseed(void) {
int fd;
int r, n;

fd = open("/dev/urandom", O_RDONLY);
if (fd < 0) {
perror("open");
exit(0);
}
n = read(fd, &r, sizeof(r));
if(n != sizeof(r)){
perror("read");
exit(0);
}
close(fd);
return(r);
}

--[ Disclosure timeline:

26/03/2019: Vulnerabilities discovered.
26/03/2019: Reported vulnerabilities to MITRE.
26/03/2019: Vulnerabilities assigned ids CVE-2016-10743 and CVE-2019-10064.
11/02/2020: Reported vulnerabilities to software author directly.
27/02/2020: Public disclosure.

--[ Credits:

This vulnerability was discovered by Nicolas Massaviol and Jonathan
Brossard from Moabi.com



Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close