NetBSD Problem Report #56204
From www@netbsd.org Mon May 24 00:58:54 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 21AA41A929D
for <gnats-bugs@gnats.NetBSD.org>; Mon, 24 May 2021 00:58:54 +0000 (UTC)
Message-Id: <20210524005853.1A4311A929E@mollari.NetBSD.org>
Date: Mon, 24 May 2021 00:58:53 +0000 (UTC)
From: mathy.vanhoef@cs.kuleuven.be
Reply-To: mathy.vanhoef@cs.kuleuven.be
To: gnats-bugs@NetBSD.org
Subject: net80211: reject mixed plaintext/encrypted fragments
X-Send-Pr-Version: www-1.0
>Number: 56204
>Category: security
>Synopsis: net80211: reject mixed plaintext/encrypted fragments
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: martin
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon May 24 01:00:00 +0000 2021
>Last-Modified: Mon May 24 06:16:02 +0000 2021
>Originator: Mathy Vanhoef
>Release: current
>Organization:
>Environment:
current
>Description:
NetBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments were not encrypted (only the last fragment must be encrypted). This corresponds to CVE-2020-26147 of the "FragAttacks" research.
For background see Section 6.3 in https://papers.mathyvanhoef.com/usenix2021.pdf
Note that NetBSD is also vulnerable to CVE-2020-26146 (low impact). A NetBSD AP is also vulnerable to CVE-2020-26140 (high impact), CVE-2020-26145 (high impact), and CVE-2020-26139 (medium impact). I'm not yet comfortable enough with the NetBSD code to write patches for these CVEs but hopefully will get back to this later (suggestions welcome).
>How-To-Repeat:
CVE-2020-26147 in NetBSD can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E".
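To make the fragment-chaining decision concrete, the following is an added model written for this page; it is not code from the PR or from NetBSD's net80211. `struct frag_hdr`, `make_frag`, `frag_chains` and `reassembles` are constructed stand-ins that keep only the header fields the real check reads (`i_fc[1]`, `i_addr1`, `i_addr2`, `i_seq`); the MAC addresses and sequence numbers are made up. `frag_chains` reproduces the mismatch condition from the fix, with `check_protection` selecting whether the XOR of the Protected bits is applied, so the same input shows the pre-fix acceptance of a plaintext-then-encrypted pair and the post-fix rejection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Protected Frame flag in the second frame-control byte, the same value
 * net80211 uses for IEEE80211_FC1_WEP. */
#define FC1_WEP        0x40
#define SEQ_FRAG_MASK  0x000f   /* low 4 bits of i_seq: fragment number */
#define SEQ_SEQ_SHIFT  4        /* sequence number occupies the upper 12 bits */

/* Constructed stand-in for struct ieee80211_frame holding only the fields the
 * fragment-chaining check reads. */
struct frag_hdr {
    uint8_t  fc1;
    uint8_t  addr1[6];
    uint8_t  addr2[6];
    uint16_t seq;      /* i_seq in host order: (seqno << 4) | fragno */
};

static struct frag_hdr make_frag(uint16_t seqno, uint8_t fragno, bool is_protected)
{
    struct frag_hdr h;
    memset(&h, 0, sizeof h);
    h.fc1 = is_protected ? FC1_WEP : 0;
    memcpy(h.addr1, "\x02\x00\x00\x00\x00\x01", 6);   /* constructed receiver address */
    memcpy(h.addr2, "\x02\x00\x00\x00\x00\x02", 6);   /* constructed transmitter address */
    h.seq = (uint16_t)((seqno << SEQ_SEQ_SHIFT) | (fragno & SEQ_FRAG_MASK));
    return h;
}

/* Does 'next' continue the chain whose last fragment is 'last'? Mirrors the
 * condition in the PR's third hunk: with check_protection == false it is the
 * pre-fix test, with true the XOR of the Protected bits is added. */
static bool frag_chains(const struct frag_hdr *last, const struct frag_hdr *next,
                        bool check_protection)
{
    if (next->seq != (uint16_t)(last->seq + 1))          /* same seqno, next fragno */
        return false;
    if (memcmp(next->addr1, last->addr1, 6) != 0 ||
        memcmp(next->addr2, last->addr2, 6) != 0)
        return false;
    if (check_protection && ((next->fc1 ^ last->fc1) & FC1_WEP))
        return false;                                     /* plaintext/encrypted mix */
    return true;
}

/* Feed n fragments in arrival order. Returns true if all n end up in one chain,
 * i.e. the frame would be reassembled and delivered. A fragment that does not
 * chain clears the pending chain, as the "Unrelated fragment" branch does, and
 * only a fragment number 0 can open a new chain. */
static bool reassembles(const struct frag_hdr *frags, size_t n, bool check_protection)
{
    size_t chained = 0;
    for (size_t i = 0; i < n; i++) {
        bool is_first = (frags[i].seq & SEQ_FRAG_MASK) == 0;
        if (chained > 0 && frag_chains(&frags[i - 1], &frags[i], check_protection))
            chained++;
        else
            chained = is_first ? 1 : 0;
    }
    return n > 0 && chained == n;
}

/* The shape the How-To-Repeat exercises: a two-fragment frame whose first
 * fragment is plaintext and whose last fragment is encrypted. */
static bool mixed_frame_accepted(bool check_protection)
{
    struct frag_hdr f[2];
    f[0] = make_frag(100, 0, false);
    f[1] = make_frag(100, 1, true);
    return reassembles(f, 2, check_protection);
}

/* Control case: both fragments carry the same protection state. */
static bool uniform_frame_accepted(bool is_protected, bool check_protection)
{
    struct frag_hdr f[2];
    f[0] = make_frag(200, 0, is_protected);
    f[1] = make_frag(200, 1, is_protected);
    return reassembles(f, 2, check_protection);
}

int main(void)
{
    printf("mixed fragments, pre-fix check: %s\n", mixed_frame_accepted(false) ? "accepted" : "rejected");
    printf("mixed fragments, fixed check:   %s\n", mixed_frame_accepted(true) ? "accepted" : "rejected");
    printf("all-encrypted, fixed check:     %s\n", uniform_frame_accepted(true, true) ? "accepted" : "rejected");
    return 0;
}
```

The model compares each arriving fragment only with the one stored before it, exactly as the kernel does with `lwh`; because every fragment is checked against its predecessor, any transition between plaintext and encrypted anywhere in the chain breaks it, not just a change at the last fragment.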
>Fix:
Index: sys/net80211/ieee80211_input.c
===================================================================
RCS file: /cvsroot/src/sys/net80211/ieee80211_input.c,v
retrieving revision 1.116
diff -u -r1.116 ieee80211_input.c
--- sys/net80211/ieee80211_input.c 29 Jan 2020 05:21:14 -0000 1.116
+++ sys/net80211/ieee80211_input.c 24 May 2021 00:45:17 -0000
@@ -281,8 +281,6 @@
IEEE80211_NODE_STAT(ni, rx_wepfail);
goto out;
}
- wh = mtod(m, struct ieee80211_frame *);
- wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
} else {
key = NULL;
}
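Review bot: this hunk removes both lines that followed a successful decrypt, but only the flag clear has to move. Dropping `wh = mtod(m, struct ieee80211_frame *);` as well means any use of `wh` between this point and the refresh re-added in the demic block reads through a pointer derived before decryption; either confirm no such use exists or keep the `wh = mtod(...)` line here and delete only `wh->i_fc[1] &= ~IEEE80211_FC1_WEP;`. A comment at this spot saying that the Protected bit is intentionally left set until after defragmentation, so fragments can be compared, would stop a later cleanup from restoring the clear here.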
@@ -301,11 +299,15 @@
/*
* Next, strip any MSDU crypto bits.
*/
- if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
- IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
- ni->ni_macaddr, "data", "%s", "demic error");
- IEEE80211_NODE_STAT(ni, rx_demicfail);
- goto out;
+ if (key != NULL)
+ if (!ieee80211_crypto_demic(ic, key, m, 0)) {
+ IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
+ ni->ni_macaddr, "data", "%s", "demic error");
+ IEEE80211_NODE_STAT(ni, rx_demicfail);
+ goto out;
+ }
+ wh = mtod(m, struct ieee80211_frame *);
+ wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
}
/* copy to listener after decrypt */
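Review bot: as printed, `+ if (key != NULL)` carries no opening brace, yet the unchanged `}` at the end of the block still closes something, so the hunk cannot compile unless the `{` was lost in transcription; the intended shape is `if (key != NULL) {` with the demic test, the `wh` refresh and the flag clear nested inside. The new `wh->i_fc[1] &= ~IEEE80211_FC1_WEP;` also deserves a comment: clearing the bit here, after demic rather than immediately after decrypt, is what allows the defragmentation path to compare the Protected bit across fragments, and moving it back would silently reintroduce the mixed-fragment acceptance.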
@@ -806,10 +808,14 @@
lwh = mtod(mfrag, struct ieee80211_frame *);
last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq);
- /* NB: check seq # and frag together */
+ /*
+ * NB: check seq # and frag together. Also check that both
+ * fragments are plaintext or that both are encrypted.
+ */
if (rxseq != last_rxseq+1 ||
!IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
- !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
+ !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) ||
+ ((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_WEP)) {
/*
* Unrelated fragment or no space for it,
* clear current fragments.
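Review bot: the added `((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_WEP)` test only works while every fragment reaches this point with its Protected bit still set after decryption, which the first two hunks arrange; that dependency belongs in the comment here, not only at the decrypt site. A protection mismatch falls into the "Unrelated fragment" branch and is indistinguishable from an ordinary out-of-sequence fragment, so consider an IEEE80211_DISCARD_MAC message and a counter for the mixed-protection case so that traffic matching CVE-2020-26147 shows up in the logs instead of being dropped silently.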
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: security-officer->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Mon, 24 May 2021 06:16:02 +0000
Responsible-Changed-Why:
Take
>Unformatted: