b***@freebsd.org
2021-05-24 13:12:58 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256118
Bug ID: 256118
Summary: [net80211] [patch]: reject mixed plaintext/encrypted
fragments
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: wireless
Assignee: ***@FreeBSD.org
Reporter: ***@cs.kuleuven.be
Created attachment 225220
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=225220&action=edit
patch: git diff file
FreeBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even when
some of the fragments were not encrypted. This corresponds to CVE-2020-26147 of
the "FragAttacks" research. For background see Section 6.3 in
https://papers.mathyvanhoef.com/usenix2021.pdf
This vulnerability can be reproduced using the FragAttack test tool at
https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E" and/or
"ping I,P,E" (the transmitted ping request should be rejected by the kernel).
The attached patches fixes this vulnerability. It was tested using a Belkin
F5D8053 (run driver) in client mode. I'm not sure if I'm using the best way to
track whether a fragment was encrypted, but it gets the job done with a low
number of code changes.
FYI: I've submitted a similar patch to NetBSD:
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=56204
Bug ID: 256118
Summary: [net80211] [patch]: reject mixed plaintext/encrypted
fragments
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: wireless
Assignee: ***@FreeBSD.org
Reporter: ***@cs.kuleuven.be
Created attachment 225220
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=225220&action=edit
patch: git diff file
FreeBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even when
some of the fragments were not encrypted. This corresponds to CVE-2020-26147 of
the "FragAttacks" research. For background see Section 6.3 in
https://papers.mathyvanhoef.com/usenix2021.pdf
This vulnerability can be reproduced using the FragAttack test tool at
https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E" and/or
"ping I,P,E" (the transmitted ping request should be rejected by the kernel).
The attached patches fixes this vulnerability. It was tested using a Belkin
F5D8053 (run driver) in client mode. I'm not sure if I'm using the best way to
track whether a fragment was encrypted, but it gets the job done with a low
number of code changes.
FYI: I've submitted a similar patch to NetBSD:
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=56204
--
You are receiving this mail because:
You are the assignee for the bug.
You are receiving this mail because:
You are the assignee for the bug.