NetBSD Problem Report #56204

From www@netbsd.org  Mon May 24 00:58:54 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 21AA41A929D
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 24 May 2021 00:58:54 +0000 (UTC)
Message-Id: <20210524005853.1A4311A929E@mollari.NetBSD.org>
Date: Mon, 24 May 2021 00:58:53 +0000 (UTC)
From: mathy.vanhoef@cs.kuleuven.be
Reply-To: mathy.vanhoef@cs.kuleuven.be
To: gnats-bugs@NetBSD.org
Subject: net80211: reject mixed plaintext/encrypted fragments
X-Send-Pr-Version: www-1.0

>Number:         56204
>Category:       security
>Synopsis:       net80211: reject mixed plaintext/encrypted fragments
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    martin
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 24 01:00:00 +0000 2021
>Last-Modified:  Mon May 24 06:16:02 +0000 2021
>Originator:     Mathy Vanhoef
>Release:        current
>Organization:
>Environment:
current
>Description:
NetBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments were not encrypted (only the last fragment must be encrypted). This corresponds to CVE-2020-26147 of the "FragAttacks" research.

For background see Section 6.3 in https://papers.mathyvanhoef.com/usenix2021.pdf

Note that NetBSD is also vulnerable to CVE-2020-26146 (low impact). A NetBSD AP is also vulnerable to CVE-2020-26140 (high impact), CVE-2020-26145 (high impact), and CVE-2020-26139 (medium impact). I'm not yet comfortable enough with the NetBSD code to write patches for these CVEs but hopefully will get back to this later (suggestions welcome).
>How-To-Repeat:
CVE-2020-26147 in NetBSD can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E".
>Fix:
Index: sys/net80211/ieee80211_input.c
===================================================================
RCS file: /cvsroot/src/sys/net80211/ieee80211_input.c,v
retrieving revision 1.116
diff -u -r1.116 ieee80211_input.c
--- sys/net80211/ieee80211_input.c	29 Jan 2020 05:21:14 -0000	1.116
+++ sys/net80211/ieee80211_input.c	24 May 2021 00:45:17 -0000
@@ -281,8 +281,6 @@
 			IEEE80211_NODE_STAT(ni, rx_wepfail);
 			goto out;
 		}
-		wh = mtod(m, struct ieee80211_frame *);
-		wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
 	} else {
 		key = NULL;
 	}
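Review bot: dropping the two `wh` lines here means IEEE80211_FC1_WEP remains set on a frame that ieee80211_crypto_decap() has already decrypted, so anything that inspects wh->i_fc[1] between this point and wherever the bit is now cleared sees a decrypted frame still marked protected; a short comment here stating that the bit is kept on purpose so the fragment reassembly can compare it would stop a later reader from "restoring" these lines. The removed `wh = mtod(m, struct ieee80211_frame *);` also refreshed `wh` after decapsulation; please confirm that no code following this block still relies on that refreshed pointer before the later `wh = mtod(...)` in the demic block.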
@@ -301,11 +299,15 @@
 	/*
 	 * Next, strip any MSDU crypto bits.
 	 */
-	if (key != NULL && !ieee80211_crypto_demic(ic, key, m, 0)) {
-		IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
-		    ni->ni_macaddr, "data", "%s", "demic error");
-		IEEE80211_NODE_STAT(ni, rx_demicfail);
-		goto out;
+	if (key != NULL)
+		if (!ieee80211_crypto_demic(ic, key, m, 0)) {
+			IEEE80211_DISCARD_MAC(ic, IEEE80211_MSG_INPUT,
+			    ni->ni_macaddr, "data", "%s", "demic error");
+			IEEE80211_NODE_STAT(ni, rx_demicfail);
+			goto out;
+		}
+		wh = mtod(m, struct ieee80211_frame *);
+		wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
 	}

 	/* copy to listener after decrypt */
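Review bot: the new `if (key != NULL)` at the top of this hunk has no opening brace, so the `}` kept as context at the end of the block matches nothing and the two `wh` lines would run unconditionally; as shown the file will not compile. It should read `if (key != NULL) {`, so that the demic check and the clearing of IEEE80211_FC1_WEP both sit inside it and the existing `}` closes it. The comment above ("Next, strip any MSDU crypto bits.") could also say that the WEP bit is now cleared here, after defragmentation, rather than right after decryption, since that is the whole point of moving it.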
@@ -806,10 +808,14 @@

 		lwh = mtod(mfrag, struct ieee80211_frame *);
 		last_rxseq = le16toh(*(u_int16_t *)lwh->i_seq);
-		/* NB: check seq # and frag together */
+		/*
+		 * NB: check seq # and frag together. Also check that both
+		 * fragments are plaintext or that both are encrypted.
+		 */
 		if (rxseq != last_rxseq+1 ||
 		    !IEEE80211_ADDR_EQ(wh->i_addr1, lwh->i_addr1) ||
-		    !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2)) {
+		    !IEEE80211_ADDR_EQ(wh->i_addr2, lwh->i_addr2) ||
+		    ((wh->i_fc[1] ^ lwh->i_fc[1]) & IEEE80211_FC1_WEP)) {
 			/*
 			 * Unrelated fragment or no space for it,
 			 * clear current fragments.
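Review bot: the added XOR test does reject a fragment whose Protected bit differs from its predecessor, but because it is folded into the "unrelated fragment" condition a mismatch only clears the pending fragments instead of being discarded and counted; a dedicated IEEE80211_DISCARD_MAC()/IEEE80211_NODE_STAT() path, as done for "demic error" earlier in the file, would make this attack visible in debugging output and statistics. The new comment could also name the mixed plaintext/encrypted case from the PR so the reason for comparing i_fc[1] here is clear. Note that this check only works if IEEE80211_FC1_WEP is still set on decrypted fragments when ieee80211_defrag() runs, which the first two hunks arrange by deferring the bit-clearing; the three hunks must land together.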

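The following is a stand-alone model of the fragment-acceptance test discussed in this PR, added here as an illustration; it is not NetBSD's code and is not part of the submitted patch. It reproduces the condition from ieee80211_defrag() (sequence/fragment number, addresses, and the new Protected-bit comparison) and runs it over constructed fragment chains so the difference between the unpatched and patched behaviour can be seen. The header layout and constant values follow IEEE 802.11 as net80211 names them; the names frag_accept(), chain_accept(), the sample chains, and the reading of the PR's "I,P,E" case as "plaintext first fragment, encrypted last fragment" are this example's own assumptions.

```c
/* Added example, not NetBSD code: model of the net80211 defrag check. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as named in net80211 (values from IEEE 802.11). */
#define FC1_MORE_FRAG  0x04      /* IEEE80211_FC1_MORE_FRAG */
#define FC1_WEP        0x40      /* IEEE80211_FC1_WEP: Protected Frame bit */
#define SEQ_FRAG_MASK  0x000f    /* fragment number: low 4 bits of i_seq */
#define SEQ_SEQ_SHIFT  4         /* sequence number: upper 12 bits */

/* Minimal stand-in for the leading fields of struct ieee80211_frame. */
struct frame {
	uint8_t fc[2];
	uint8_t addr1[6];
	uint8_t addr2[6];
	uint8_t seq[2];		/* little-endian: (seq << 4) | frag */
};

static uint16_t
le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Constructed fragment from a fixed sender (addr2) to a fixed receiver (addr1). */
static struct frame
mkfrag(uint16_t seqno, uint8_t fragno, bool more, bool protected_)
{
	static const uint8_t a1[6] = { 0x02, 0, 0, 0, 0, 0x01 };
	static const uint8_t a2[6] = { 0x02, 0, 0, 0, 0, 0x02 };
	struct frame f;
	uint16_t s = (uint16_t)((seqno << SEQ_SEQ_SHIFT) | (fragno & SEQ_FRAG_MASK));

	memset(&f, 0, sizeof f);
	f.fc[0] = 0x08;		/* type = data, subtype = 0 */
	f.fc[1] = (uint8_t)((more ? FC1_MORE_FRAG : 0) | (protected_ ? FC1_WEP : 0));
	memcpy(f.addr1, a1, sizeof a1);
	memcpy(f.addr2, a2, sizeof a2);
	f.seq[0] = (uint8_t)(s & 0xff);
	f.seq[1] = (uint8_t)(s >> 8);
	return f;
}

/*
 * Does `cur` belong to the chain whose most recent fragment is `last`?
 * Mirrors the condition in ieee80211_defrag(): i_seq must be exactly
 * last+1 (same sequence number, next fragment number, since the fragment
 * number occupies the low 4 bits), both addresses must match, and with
 * `fixed` the Protected bit must agree.  As in the patched kernel, the bit
 * is assumed to still be present on decrypted fragments at this point.
 */
static bool
frag_accept(const struct frame *last, const struct frame *cur, bool fixed)
{
	uint16_t rxseq = le16(cur->seq);
	uint16_t last_rxseq = le16(last->seq);

	if (rxseq != (uint16_t)(last_rxseq + 1))
		return false;
	if (memcmp(cur->addr1, last->addr1, 6) != 0 ||
	    memcmp(cur->addr2, last->addr2, 6) != 0)
		return false;
	if (fixed && ((cur->fc[1] ^ last->fc[1]) & FC1_WEP))
		return false;
	return true;
}

/* True if every fragment of the chain is accepted onto its predecessor. */
static bool
chain_accept(const struct frame *frags, size_t n, bool fixed)
{
	for (size_t i = 1; i < n; i++)
		if (!frag_accept(&frags[i - 1], &frags[i], fixed))
			return false;
	return true;
}

/* The PR's "I,P,E" case as read here: plaintext fragment 0, encrypted last fragment 1. */
bool
mixed_chain_accepted(bool fixed)
{
	struct frame c[2] = { mkfrag(100, 0, true, false), mkfrag(100, 1, false, true) };
	return chain_accept(c, 2, fixed);
}

/* Legitimate chain: every fragment protected. */
bool
encrypted_chain_accepted(bool fixed)
{
	struct frame c[3] = { mkfrag(200, 0, true, true), mkfrag(200, 1, true, true),
	    mkfrag(200, 2, false, true) };
	return chain_accept(c, 3, fixed);
}

/* Fragment 1 missing: the seq/frag check rejects this with or without the fix. */
bool
skipped_fragment_accepted(bool fixed)
{
	struct frame c[2] = { mkfrag(300, 0, true, true), mkfrag(300, 2, false, true) };
	return chain_accept(c, 2, fixed);
}

int
main(void)
{
	printf("mixed chain:   unpatched %s, patched %s\n",
	    mixed_chain_accepted(false) ? "accepted" : "rejected",
	    mixed_chain_accepted(true) ? "accepted" : "rejected");
	printf("all encrypted: patched %s\n",
	    encrypted_chain_accepted(true) ? "accepted" : "rejected");
	printf("skipped frag:  patched %s\n",
	    skipped_fragment_accepted(true) ? "accepted" : "rejected");
	return 0;
}
```

The unpatched condition accepts the plaintext-then-encrypted chain because it only compares i_seq and the addresses; the XOR on i_fc[1] is what turns that chain into a reject while leaving an all-protected (or, on an open network, all-plaintext) chain untouched.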
>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: security-officer->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Mon, 24 May 2021 06:16:02 +0000
Responsible-Changed-Why:
Take


>Unformatted:
