AP mode PMF disconnection protection bypass
Published: September 11, 2019
Identifiers:
- CVE-2019-16275
Latest version available from: https://w1.fi/security/2019-7/
Vulnerability
hostapd (and wpa_supplicant when controlling AP mode) did not perform
sufficient source address validation for some received Management frames
and this could result in ending up sending a frame that caused
associated stations to incorrectly believe they were disconnected from
the network even if management frame protection (also known as PMF) was
negotiated for the association. This could be considered to be a denial
of service vulnerability since PMF is supposed to protect from this type
of issues. It should be noted that if PMF is not enabled, there would be
no protocol level protection against this type of denial service
attacks.
An attacker in radio range of the access point could inject a specially
constructed unauthenticated IEEE 802.11 frame to the access point to
cause associated stations to be disconnected and require a reconnection
to the network.
Vulnerable versions/configurations
All hostapd and wpa_supplicants versions with PMF support
(CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
PMF being enabled (optional or required). In addition, this would be
applicable only when using user space based MLME/SME in AP mode, i.e.,
when hostapd (or wpa_supplicant when controlling AP mode) would process
authentication and association management frames. This condition would
be applicable mainly with drivers that use mac80211.
Possible mitigation steps
- Merge the following commit to wpa_supplicant/hostapd and rebuild:
AP: Silently ignore management frame from unexpected source address
This patch is available from https://w1.fi/security/2019-7/
- Update to wpa_supplicant/hostapd v2.10 or newer, once available
This will avoid breaking the build whenever a non-major kernel update
happens. In the update script, we map each kernel version to the latest
patch for the latest kernel version less than or equal to what we
have packaged.
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.
The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
We don't currently have tests to ensure it works and keeps working.
So instead of having it accidentially working, and possibly breaking it
in the future, disable it for now.
The previous patch just removed a `ConditionFileNotEmpty=…` line from
`kmod-static-nodes.service` referring to a location not existing on
NixOS. We know better, and can actually replace this Condition to point
to `run/booted-system/kernel-modules/lib/modules/%v/`, instead of just
patching it out.
This was simply undoing a hunk from
0008-Don-t-try-to-unmount-nix-or-nix-store.patch, so drop that one from
there and omit
0017-Fix-mount-option-x-initrd.mount-handling-35268-16.patch entirely.
These patches removed logic in the meson install phase invoking
`journalctl --update-catalog` and `systemd-hwdb update`, which would
mutate the running system, and obviously fails in the sandbox.
Upstream also knows this is a bad thing if you're not on the machine you
want to deploy to, so there's logic in there to not execute it when
DESTDIR isn't empty. In our case, it is - as we set --prefix instead for
other reasons, but by just setting DESTIDIR to "/", we can still trigger
these things to be skipped.
The patches removed some context from
0018-Install-default-configuration-into-out-share-factory.patch, which
we need to introduce there to make that patch still apply.
After patching, this produces exactly the same source code as in our
custom fork, but having the actual patches inlined inside nixpkgs makes
it easier to get rid of them.
In case more complicated rebasing is necessary, maintainers can
- Clone the upstream systemd/systemd[-stable] repo
- Checkout the current rev mentioned in src
- Apply the patches from this folder via `git am 00*.patch`
- Rebase the repo on top of a new version
- Export the patch series via `git format-patch $newVersion`
- Update the patches = [ … ] attribute (if necessary)
The documentation says this should be a list, and it already is in
about half the expressions that set it.
The difference doesn't matter at present, because these values are all
space-free literals. But it will in a future with __structuredAttrs .
(The similar attr stripAllList has no users in the nixpkgs tree, so
there's nothing to do to fix any of those up.)
They will be installed now and we can provide $HOSTCC for
cross-compilation.
New files:
+lib/tc/experimental.dist
+lib/tc/normal.dist
+lib/tc/pareto.dist
+lib/tc/paretonormal.dist
Note: The distributions are generated in a reproducible way.
Co-Authored-By: Benjamin Saunders <ben.e.saunders@gmail.com>
"Not a lot of changes in this release, most are related to fixing output
formatting and documentation." [0]
File changes (additions/removals):
+share/man/man8/tc-ets.8.gz
+share/man/man8/tc-fq_pie.8.gz
nix path-info -S:
5.5.0 51509616
5.6.0 51528680
[0]: https://marc.info/?l=linux-netdev&m=158585608413591
With the fix in kernel configuration merging, some kernel configuration items
marked as mandatory now correctly trigger an error when unused (while they
previously were unused).
Most of the skaware packages already build just fine with pkgsStatic,
however the wrapper scripts for execline and stdnotify-wrapper needed
the `-lskarlib` argument to go at the end.
`utmps` and `nsss` still fail with this error:
```
exec ./tools/install.sh -D -m 600 utmps-utmpd /bin/utmps-utmpd
/build/utmps-0.0.3.1/tools/install.sh: line 48: can't create /bin/utmps-utmpd.tmp.479: Permission denied
make: *** [Makefile:121: /bin/utmps-utmpd] Error 1
```
Hello,
New versions of all the skarnet.org packages are available.
This is mostly a bugfix release (there was an installation bug in
some circumstances with shared libraries) but some packages, notably
execline and s6, have new, useful features.
The new versions are the following:
skalibs-2.9.2.0
nsss-0.0.2.2
utmps-0.0.3.2
execline-2.6.0.0
s6-2.9.1.0
s6-rc-0.5.1.2
s6-linux-init-1.0.4.0
s6-dns-2.3.2.0
s6-networking-2.3.1.2
s6-portable-utils-2.2.2.2
s6-linux-utils-2.5.1.2
mdevd-0.1.1.2
bcnm-0.0.1.0
Here are details for the packages that have more than bugfixes:
* skalibs-2.9.2.0
---------------
- New header: skalibs/bigkv.h. It's a set of functions allowing
efficient lookups in a large set of strings (typically read from the
command line or the environment).
https://skarnet.org/software/skalibs/
git://git.skarnet.org/skalibs
* execline-2.6.0.0
----------------
- It's a major release because an API has been modified: dollarat.
Beforehand, dollarat's -0 option would always prevail over any -d
option. Now, dollarat has its conflicting -0 and -d options handled
in the conventional way, with rightmost priority.
- The runblock program now accepts a command line prefix, which is
given as runblock's own command line. This allows blocks to serve as
arguments to a new command, instead of having to be full command lines
by themselves.
- New binary: posix-umask.
- The former "cd" program is now named "execline-cd" and the former
"umask" program is named "execline-umask". When the=20
--enable-pedantic-posix
option is not given at configure time, "cd" and "umask" are symbolic
links created at installation time and pointing to execline-cd and
execline-umask respectively. When the --enable-pedantic-posix option is
given, the symbolic links point to posix-cd and posix-umask instead.
- With posix-cd and posix-umask (and the changes to wait done in the
previous version), execline is now fully POSIX-compliant when built with
the --enable-pedantic-posix option. This will certainly, without the
slightest hint of a doubt, change distributions' attitudes about it.
https://skarnet.org/software/execline/
git://git.skarnet.org/execline
* s6-2.9.1.0
----------
- A new '?' directive has been added to s6-log. It behaves exactly like
'!', except that it spawns the given processor with /bin/sh as an
interpreter instead of execlineb.
- execline support is now optional: it can be disabled by specifying
--disable-execline at configure time. Some functionality is unavailable
when execline support is disabled:
* s6-log's '!' directive
* s6-notifyoncheck's -c option
* s6-ipcserver-access's support for 'exec' directives in a ruleset
- A new -X option has been added to s6-svscan, to specify a descriptor
that will be passed as stderr to a service spawned by this s6-svscan and
named s6-svscan-log. This is used in the new s6-linux-init, to avoid
needing to hardcode the /dev/console name for the catch-all logger's
standard error.
- On systems that define SIGPWR and SIGWINCH, s6-svscan -s now diverts
those signals. This allows powerfail and kbrequest events to be handled
when s6-svscan runs as process 1.
https://skarnet.org/software/s6/
git://git.skarnet.org/s6
* s6-linux-init-1.0.4.0
---------------------
- New options have been added to s6-linux-init-maker: to support
running s6-linux-init without a catch-all logger, and to support running
it in a container.
- s6-linux-init-maker now adds a SIGPWR handler to the default image:
on receipt of a SIGPWR, the system's shutdown procedure is triggered.
- s6-linux-init now handles kbrequest, which triggers a SIGWINCH in
init when a special, configurable set of keys is pressed. By default,
no SIGWINCH handler is declared in the image, and no set of keys is
bound to kbrequest.
https://skarnet.org/software/s6-linux-init/
git://git.skarnet.org/s6-linux-init
* s6-dns-2.3.2.0
--------------
- New library: libdcache, implementing a clean cache structure
to contain DNS data. It's still not used at the moment.
https://skarnet.org/software/s6-dns/
git://git.skarnet.org/s6-dns
* bcnm-0.0.1.0
------------
- First numbered release, because the Ad=C3=A9lie Linux distribution,
which uses libwpactrl, needs an official release instead of pulling
from git.
- libwpactrl is a set of C functions helping control a wpa_supplicant
process.
- bcnm-waitif is a binary that waits for network interface state
events such as appearance/disappearance, up/down, running/not-running.
It is useful to avoid race conditions during a boot sequence, for
instance.
https://skarnet.org/software/bcnm/
git://git.skarnet.org/bcnm
Enjoy,
Bug-reports welcome.
--
Laurent
Since we select everything as a module, snd_hda_codec_ca0132 is built as
well. DSP loading is not enabled by default, but without it the
soundcard produces timeouts within ALSA and does not emit sound.
Explicitly enable the firmware loading to ensure Soundblaster
Z/Zx/ZxR/Recon devices can be used with NixOS.
The patch to enable this by default in the kernel is staged for 5.8.
This will switch the default TCP congestion control algorithm from
new Reno to CUBIC. CUBIC is the default since Linux kernel 2.6.19
(see 597811ec167fa) and most (all?) distributions keep this default
(e.g. Debian and Ubuntu). On NixOS the default was still new Reno
because generate-config.pl changes TCP_CONG_CUBIC from y to m (since we
try to build everything as a module by default).
To check the active and available algorithms:
$ sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = cubic
$ sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = cubic reno
Note: E.g. x86_64_defconfig sets TCP_CONG_CUBIC=y indirectly via
CONFIG_TCP_CONG_ADVANCED=y (but CUBIC is also the default if set to no,
see net/ipv4/Kconfig).
CONFIG_IP_MULTIPLE_TABLES is part of the default x86 kernel config but
absent from the Aarch64 one. Adding explicitely this flag together
with its dependency IP_ADVANCED_ROUTER.
Both of these config flags are needed to use the routing policy
facilities.
There have been a couple of patches floating around for about the last
18 months. While they originated with FreeBSD, but they've been
adopted by Gentoo and Debian as well---and the most straightforward
way to get access to them was from the Debian repository.
This bumps to the latest state of the systemd 242 stable, published at
https://github.com/systemd/systemd-stable/tree/v243-stable.
Should cover CVE-2020-1712.
Git Log:
f8dd0f2f15 (tag: v243.7, systemd-stable/v243-stable) Revert "Support Plugable UD-PRO8 dock"
1a5428c2ab hibernate-resume-generator: wait "infinitely" for the resume device
eb3148c468 (tag: v243.6) hwdb: update to v245-rc1
f14fa558ae Fix typo in function name
fb21e13e8e polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it
2e504c92d1 sd-bus: introduce API for re-enqueuing incoming messages
4d80c8f158 polkit: use structured initialization
54791aff01 polkit: on async pk requests, re-validate action/details
81532beddc polkit: reuse some common bus message appending code
4441844d58 bus-polkit: rename return error parameter to ret_error
31a1d569db shared: split out polkit stuff from bus-util.c → bus-polkit.c
560eb5babf test: adapt to the new capsh format
275b266bde meson: update efi path detection to gnu-efi-3.0.11
9239154545 presets: "disable" all passive targets by default
a827c41851 shared/sysctl-util: normalize repeated slashes or dots to a single value
fb1bfd6804 dhcp6: do not use T1 and T2 longer than one provided by the lease
ca43a515c6 network: fix implicit type conversion warning by GCC-10
421eca7edf bootspec: parse random-seed-mode line in loader.conf
34e21fc6de sd-boot: fix typo
df7b3a05c9 test: Synchronize journal before reading from it
9326efee71 sd-bus: fix introspection bug in signal parameter names
7bbdc56aaf efi: fix build.
486f8ca365 generator: order growfs for the root fs after systemd-remount-fs
56d442e29d loginctl: use /org/freedesktop/login1/session/auto when "lock-session" is called without argument
6ed1152282 Documentation update for x-systemd.{before,after}
dba3efa34a man: fix typo in systemd.netdev Xfrm example
6f9a8621d8 timesyncd: log louder when we refuse a server due to root distance
0637255d3b resolved: drop DNSSEC root key that is not valid anymore
9a135baa40 journal: don't use startswith() on something that is not a NUL-terminated string
1ff3972a0f test: add test for https://github.com/systemd/systemd/issues/14560
cac79b606b core: make sure StandardInput=file: doesn't get dup'ed to stdout/stderr by default
906ba9a67d pkgconf: add full generator paths
01b93e2c68 tree-wide: we forgot to destroy some bus errors
5c9455657e mount: make checks on perpetual mount units more lax
28c58beca1 core: never allow perpetual units to be masked
d3b044b3e7 typo: "May modify to" -> "May modify"
fd378d3d3c sysctl: downgrade message when we have no permission
db4fbf5c61 Clarify journald.conf MaxLevelStore documentation
c8365f71c0 logind: refuse overriding idle hint on tty sessions
cd91f567b6 cgroup: update only siblings that got realized once
c672dcd212 mount: mark an existing "mounting" unit from /proc/self/mountinfo as "just_mounted"
a592a40564 journalctl: Correctly handle combination of --reverse and --lines (fixes#1596)
0aa144ab1d journalctl: Correctly handle --show-cursor in combination with --until or --since and --reverse
3b803a5e66 core: fix re-realization of cgroup siblings
7549dd40fc core: propagate service state to socket in more load states
af6df343b2 man: describe "symlink" and "systemctl link" explicitly in UNIT FILE LOAD PATH
a3c1ce25a7 core: be more restrictive on the dependency types we allow to be created transiently
2b9ec8384c udev: don't import parent ID_FS_ data on partitions
ecd95c507c man: fix option name
0d4f06156b Support Plugable UD-PRO8 dock
7fba869abd gpt-auto: don't assume XBOOTLDR is vfat
494c281b67 man: fix documentation of IBM VIO device naming
7271fb056a man: slightly extend documentation on difference between ID_NET_NAME_ONBOARD and ID_NET_LABEL_ONBOARD
852ae28e68 boot: fix osrel parser
2613200370 udev: do not use exact match of file permission
46477397c1 network: lower the log-level of harmless message
7163b1fe86 hwdb: ignore keys added in kernel 5.5
92f90837dc systemctl: skip non-existent units in the 'cat' verb
a67227cc99 systemd.exec: document the file system for EnvironmentFile paths
cfb4c0aca5 systemd-analyze: fixed typo in documentation
017fddd998 test-condition: fix group check condition
9d5e3cb774 umount: show correct error message
252f1a5277 Revert "Drop dbus activation stub service"
20bbfac95e man: add section about user manager units
c93ef60212 man: add remote-*.targets to the bootup sequence
55e0f99689 time-util: also use 32bit hack on EOVERFLOW
7afe2ecb02 [man] note which UID ranges will get user journals
a43b67a4c9 [man] fix URL
dedb26a8d6 analyze: badness if neither of RootImage and RootDirectory exists
714c93862a initrd: make udev cleanup service confict trigger and settle too
8932407ae1 man: we support growing xfs too these days
19af11dc07 time-util: deal with systems where userspace has 64bit time_t but kernel does not
c90229d81d [import] fix stdin/stdout pipe behavior in import/export tar/raw
39910328da cryptsetup-generator: unconfuse writing of the device timeout
fc5e6c87a4 shared/install: log syntax error for invalid DefaultInstance=
409c94a407 shared/install: provide a nicer error message for invalid WantedBy=/Required= values
70e8c1978a seccomp: real syscall numbers are >= 0
a0a1977d9a seccomp: more comprehensive protection against libseccomp's __NR_xyz namespace invasion
7f936c60d5 network: set ipv6 mtu after link-up or device mtu change
b59d88cc62 man: fix typo in net-naming-scheme man page
c5e5ac0958 man: fix typos (#14304)
9a2f26564d ipv4ll: do not reset conflict counter on restart
bc9e1ebfdd Fix typo (duplicate "or")
c6cb71b7e7 network: if /sys is rw, then udev should be around
67dcdfd956 nspawn: do not fail if udev is not running
a7938a1bc6 Create parent directories when creating systemd-private subdirs
53aa44f873 network: do not return error but return UINT64_MAX if speed meter is disabled
65abf12674 core: swap priority can be negative
b1cf452ff5 systemctl: enhance message about kexec missing kernel
07a0e5b425 man: use mkswap@ instead of makeswap@
57dc017c6b journald: don't ask for the machine ID if we don't need it
ac392a57c0 journalctl: pager_close() calls fflush(stdout) anyway as first thing
ee7dfadc82 journald: remove unused field
471073f1b5 journalctl: return EOPNOTSUPP if pcre is not enabled
002ededb61 man: drop reference to machined, add one for journald instead
fd3bd4be3b pid1: make TimeoutAbortSec settable for transient units
eb2ef4d664 pid1: fix setting of DefaultTimeoutAbortSec
1d75e29b23 shared/ask-password-api: modify keyctl break value
a16b1ee7e5 cryptsetup: reduce the chance that we will be OOM killed
4836fb010a core: write out correct field name when creating transient service units
3e2c547f6d udevd: don't use monitor after manager_exit()
d42f7d45a8 Revert "udevd: fix crash when workers time out after exit is signal caught"
c9a287eee8 man/systemd.link: Add missing verb *be*
a67a3ae04b man: document all pager variables for systemctl and systemd
3a8fce3f38 core.timer: fix "systemd-analyze dump" and docs syntax inconsistencies wrt OnTimezoneChange=
fdffd284b6 core/service: downgrade "scheduling restart" message to debug
733e7f19d3 travis: add missing closing quote sign
0d7b7817fc systemd-tmpfiles: don't install timer when service isn't installed either
0e7f83cd2b pam_systemd: prolong method call timeout when allocating session