
CVE-2016-10743: Predictable WPS PIN in hostapd for versions prior to 2016  #103

@kcdtv

Hi there! 😺
A vulnerability has been published today and it could be used to create a new pixiewps mode.
It affects devices that use a hostapd version prior to 2016 where /dev/urandom isn't present.

> It has been discovered that hostapd before version 2.6 wasn't seeding PRNGs at all. This vulnerability has been fixed silently around 2016, but never attributed a CVE number, leading to many distributions and IoT devices still shipping this version of the software. This vulnerability has been given id CVE-2016-10743.
>
> In some configurations, when WPS is enabled and a /dev/urandom device isn't available, this leads to WPS PINs being predictable, allowing remote network access from an attacker.

You will find the entire full disclosure here: Hostapd fails at seeding PRNGs, leading to insufficient entropy
The author of the security report points out this function:

```c
/* hostapd wps_common.c, wps_generate_pin(), before the fix */
/* Generate seven random digits for the PIN */
if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0) {
	struct os_time now;
	os_get_time(&now);
	val = os_random() ^ now.sec ^ now.usec;
}

val %= 10000000;
```

I don't know C, correct me if I am wrong, but it seems that it is somehow similar to the Realtek attack: the time value is used as a fallback system to generate entropy. In this case the value is used to "randomly" generate the first 7 digits.
This function is extracted from wps_common.c.
As pointed out by the author, this vulnerability would be more likely to be found on IoT devices than on access points.
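Added example (not code from this issue, from pixiewps or from hostapd): a hypothetical reimplementation of the fallback arithmetic quoted above, with the standard WPS checksum digit appended, plus a counter that measures how far the candidate PIN space shrinks once the attacker knows the PRNG output and the second. `fallback_pin`, `count_fallback_candidates` and the constructed inputs (an unseeded glibc `rand()` output, a clock reading near epoch 0 as an RTC-less device might have) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PIN_SPACE 10000000u  /* seven digits, before the checksum digit */

/* WPS PIN checksum digit: the Luhn-style rule from the WPS spec
 * (hostapd implements the same thing as wps_pin_checksum()). */
unsigned int wps_pin_checksum(unsigned int pin)
{
    unsigned int accum = 0;
    while (pin) {
        accum += 3 * (pin % 10);
        pin /= 10;
        accum += pin % 10;
        pin /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* 1 if an 8-digit PIN carries a correct checksum digit, else 0. */
int wps_pin_valid(unsigned int pin8)
{
    return wps_pin_checksum(pin8 / 10) == pin8 % 10;
}

/* Hypothetical reimplementation of the quoted fallback path: prng_out
 * stands in for os_random(), sec/usec for the os_get_time() fields.
 * XOR mixing and the mod-10^7 reduction follow the quoted logic. */
unsigned int fallback_pin(unsigned int prng_out, unsigned int sec,
                          unsigned int usec)
{
    unsigned int val = prng_out ^ sec ^ usec;
    val %= PIN_SPACE;
    return val * 10 + wps_pin_checksum(val);
}

/* Number of distinct PINs the fallback can produce when prng_out and the
 * second are known and only the microsecond (usec_lo..usec_hi) is not.
 * A bitmap over the 10^7 seven-digit values filters duplicates. */
size_t count_fallback_candidates(unsigned int prng_out, unsigned int sec,
                                 unsigned int usec_lo, unsigned int usec_hi)
{
    uint8_t *seen = calloc(PIN_SPACE / 8 + 1, 1);
    size_t n = 0;
    if (seen == NULL)
        return 0;
    for (unsigned int u = usec_lo; u <= usec_hi; u++) {
        unsigned int val = (prng_out ^ sec ^ u) % PIN_SPACE;
        if (!(seen[val >> 3] & (1u << (val & 7)))) {
            seen[val >> 3] |= (uint8_t)(1u << (val & 7));
            n++;
        }
    }
    free(seen);
    return n;
}

int main(void)
{
    /* Constructed scenario: glibc's rand() with no srand() call returns
     * 1804289383 first; an RTC-less device may read a clock near epoch 0. */
    unsigned int prng_out = 1804289383u;
    unsigned int sec = 0;
    unsigned int pin = fallback_pin(prng_out, sec, 0);

    printf("first unseeded rand() on this libc: %d\n", rand());
    printf("fallback PIN for sec=0, usec=0: %08u (checksum ok: %d)\n",
           pin, wps_pin_valid(pin));
    printf("distinct PINs across one second of usec: %zu of %u\n",
           count_fallback_candidates(prng_out, sec, 0, 999999), PIN_SPACE);
    return 0;
}
```

With the PRNG output and the second known, the only unknown is the microsecond, so the candidate set drops from 10^7 seven-digit prefixes to at most 10^6, and every candidate already carries a valid checksum digit. The count stays exact because XOR with a value below 2^20 is a bijection whose range is narrower than 10^7, so the modulo never merges two candidates.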
