----------------------------------------------------------------------
*               Hostapd fails at seeding PRNGS,                      *
*               leading to insufficient entropy                      *
----------------------------------------------------------------------


--[ Vulnerabilities Summary:

Date Published: 27/02/2020
CVE Names: CVE-2016-10743 and CVE-2019-10064.
Title: Hostapd fails at seeding PRNGs
Class: CWE-331: Insufficient Entropy
Remotely Exploitable: Yes
Locally Exploitable: No
Impact: Remote network access, remote Denial of Service
Advisory URL: https://moabi.com/advisories/CVE-2019-10064.html


--[ Synopsis:

Hostapd (host access point daemon) is a user space daemon software enabling a network
interface card to act as an access point and authentication server. It is powering
billions of IoT devices.

It has been discovered that hostapd before version 2.6 wasn't seeding PRNGs at all.
This vulnerability has been fixed silently around 2016, but never attributed a CVE
number, leading to many distributions and IoT devices still shipping this version of
the software. This vulnerability has been given id CVE-2016-10743.
In some configurations, when WPS is enabled and a /dev/urandom device isn't available,
this leads to WPS PINS being predictable, allowing remote network access from an attacker.

In addition, it has been discovered that the Extensible Authentication Protocol (EAP) mode,
which offers a protection against flooding attacks, also uses predictable PRNGs. This
vulnerability has been assigned id CVE-2019-10064.

--[ Details:

* details for CVE-2016-10743:

CVE-2016-10743 has been silently patched with commit:
98a516eae8260e6fd5c48ddecf8d006285da7389 on http://w1.fi/hostap.git on
Tue Feb 9 14:47:47 2016 +0000 by Nick Lowe 

https://wiki.sei.cmu.edu/confluence/display/c/MSC32-C.+Properly+seed+pseudorandom+number+generators

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_win32.c
unsigned long os_random(void)

 {

  return rand();

 }


https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_internal.c

unsigned long os_random(void)

 {

  return random();

 }


https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/utils/os_unix.c

unsigned long os_random(void)

 {

  return random();

 }


In all cases, os_random() is not seeded, and therefor entirely predictable and repeatable.

This is exploitable via the WPS PIN generation, as detailed here:

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/wps/wps_common.c

/**

  * wps_generate_pin - Generate a random PIN

  * Returns: Eight digit PIN (i.e., including the checksum digit)

  */

 unsigned int wps_generate_pin(void)

 {

  unsigned int val;

 

  /* Generate seven random digits for the PIN */

  if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0) {

   struct os_time now;

   os_get_time(&now);

   val = os_random() ^ now.sec ^ now.usec;

  }

  val %= 10000000;

 

  /* Append checksum digit */

  return val * 10 + wps_pin_checksum(val);

 }



* details for CVE-2019-10064:

The EAP mode features a flood prevention technique, which is defeated due to lack of proper seeding of PRNGs:

https://github.com/jmalinen/hostap/blob/a06b1070d8902460a9c61a3e13af577327fce6b3/src/eap_server/eap_server_pwd.c



 static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,

      u8 id)

 {

  wpa_printf(MSG_DEBUG, "EAP-pwd: ID/Request");

  /*

   * if we're fragmenting then we already have an id request, just return

   */

  if (data->out_frag_pos)

   return;

 

  data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +

         data->id_server_len);

  if (data->outbuf == NULL) {

   eap_pwd_state(data, FAILURE);

   return;

  }

 

  /* an lfsr is good enough to generate unpredictable tokens */

  data->token = os_random();

  wpabuf_put_be16(data->outbuf, data->group_num);

  wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);

  (etc.)

--[ Suggested patch:

It is recommended to seed PRNGs by reading /dev/urandom, for instance
using the routine below:

/**
* Get a random seed
*/
int getseed(void) {
        int fd;
        int r, n;

	fd = open("/dev/urandom", O_RDONLY);
        if (fd < 0) {
                perror("open");
                exit(0);
        }
        n = read(fd, &r, sizeof(r));
	if(n != sizeof(r)){
                perror("read");
                exit(0);
	}
        close(fd);
        return(r);
}

--[ Disclosure timeline:

26/03/2019: Vulnerabilities discovered.
26/03/2019: Reported vulnerabilities to MITRE.
26/03/2019: Vulnerabilities assigned ids CVE-2016-10743 and CVE-2019-10064.
11/02/2020: Reported vulnerabilities to software author directly.
27/02/2020: Public disclosure.

--[ Credits:

This vulnerability was discovered by Nicolas Massaviol and Jonathan Brossard from Moabi.com