Hi there! 😺

A vulnerability has been published today and it could be used to create a new pixiewps mode

It affects devices that use a hostapd version prior to 2016 where /dev/urandom isn't present

You will find the entire full disclosure here: Hostapd fails at seeding PRNGS, leading to insufficient entropy

> It has been discovered that hostapd before version 2.6 wasn't seeding PRNGs at all.
>
> This vulnerability has been fixed silently around 2016, but never attributed a CVE number, leading to many distributions and IoT devices still shipping this version of the software. This vulnerability has been given id CVE-2016-10743.
>
> In some configurations, when WPS is enabled and a /dev/urandom device isn't available, this leads to WPS PINS being predictable, allowing remote network access from an attacker.

The author of the security report points out this function:

```c
/* Generate seven random digits for the PIN */
if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0) {
	struct os_time now;
	os_get_time(&now);
	val = os_random() ^ now.sec ^ now.usec;
}
val %= 10000000;
```

I don't know C, correct me if I am wrong, but it seems that it is somehow similar to the Realtek attack: Time value is used as a fallback system to generate entropy. In this case the value is used to generate "randomly" the first 7 digits.

This function is extracted from wps_common.c

As pointed out by the author, this vulnerability would be more likely to be found on IoT devices than Access Points.
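An added illustration (not code from hostapd or from the original issue) of why the quoted fallback is weak and what a fail-closed replacement looks like. The function names, the use of `rand()` as a stand-in for `os_random()`, and the clock values are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Model of the quoted fallback branch: the seven digits are a pure function
 * of one PRNG output and the clock. Function names are hypothetical. */
unsigned int fallback_pin7(unsigned int prng_out, long sec, long usec)
{
	unsigned int val = prng_out ^ (unsigned int) sec ^ (unsigned int) usec;
	return val % 10000000;
}

/* One "boot" of a device that never seeds its PRNG. Standard C rand() without
 * srand() behaves as if srand(1) was called; rand() stands in for os_random()
 * here (assumption), so the clock is the only input that varies. */
unsigned int boot_and_generate(long sec, long usec)
{
	srand(1);
	return fallback_pin7((unsigned int) rand(), sec, usec);
}

/* Hardened variant: read the kernel RNG and fail closed if it is missing,
 * instead of falling back to the clock. */
int hardened_pin7(const char *rng_path, unsigned int *pin7)
{
	unsigned int val;
	FILE *f = fopen(rng_path, "rb");

	if (f == NULL)
		return -1; /* no RNG device: refuse to issue a PIN */
	if (fread(&val, sizeof(val), 1, f) != 1) {
		fclose(f);
		return -1;
	}
	fclose(f);
	*pin7 = val % 10000000;
	return 0;
}

int main(void)
{
	unsigned int pin7;

	/* Constructed clock values: two boots at the same instant collide. */
	printf("boot A: %07u\n", boot_and_generate(1000L, 250000L));
	printf("boot B: %07u\n", boot_and_generate(1000L, 250000L));
	if (hardened_pin7("/nonexistent/urandom", &pin7) < 0)
		printf("hardened: RNG unavailable, no PIN issued\n");
	return 0;
}
```

On a device matching the report, the practical checks are the hostapd version (before 2.6), whether WPS is enabled, and whether `/dev/urandom` exists in the runtime environment.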