AP mode PMF disconnection protection bypass
Published: September 11, 2019
Identifiers:
- CVE-2019-16275
Latest version available from: https://w1.fi/security/2019-7/
Vulnerability
hostapd (and wpa_supplicant when controlling AP mode) did not perform
sufficient source address validation for some received Management frames
and this could result in ending up sending a frame that caused
associated stations to incorrectly believe they were disconnected from
the network even if management frame protection (also known as PMF) was
negotiated for the association. This could be considered to be a denial
of service vulnerability since PMF is supposed to protect from this type
of issue. It should be noted that if PMF is not enabled, there would be
no protocol level protection against this type of denial of service
attack.
An attacker in radio range of the access point could inject a specially
constructed unauthenticated IEEE 802.11 frame to the access point to
cause associated stations to be disconnected and require a reconnection
to the network.
Vulnerable versions/configurations
All hostapd and wpa_supplicant versions with PMF support
(CONFIG_IEEE80211W=y) and a runtime configuration enabling AP mode with
PMF being enabled (optional or required). In addition, this would be
applicable only when using user space based MLME/SME in AP mode, i.e.,
when hostapd (or wpa_supplicant when controlling AP mode) would process
authentication and association management frames. This condition would
be applicable mainly with drivers that use mac80211.
Possible mitigation steps
- Merge the following commit to wpa_supplicant/hostapd and rebuild:
AP: Silently ignore management frame from unexpected source address
This patch is available from https://w1.fi/security/2019-7/
- Update to wpa_supplicant/hostapd v2.10 or newer, once available
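The fix named above rejects management frames whose source address could not belong to a legitimate station, so that the AP neither creates state for it nor sends a reply that other stations would process. The following is an added illustration of that kind of check, not the hostapd patch itself: the address classes it rejects (group addresses, the all-zero address, and the AP's own address), the header layout helper and the sample addresses are this example's own constructions.

```c
/* Added example: a source-address (SA) sanity check for an AP's
 * management frame receive path. This is NOT the hostapd commit
 * referenced in the advisory; the rejected address classes and the
 * sample data below are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* IEEE 802.11 management frame header. Address 2 (sa) is the
 * transmitter of the frame; that is the field a bogus frame can forge. */
struct ieee80211_mgmt_hdr {
    uint16_t frame_control;
    uint16_t duration;
    uint8_t da[ETH_ALEN];
    uint8_t sa[ETH_ALEN];
    uint8_t bssid[ETH_ALEN];
    uint16_t seq_ctrl;
};

/* Group (multicast/broadcast) addresses have the I/G bit set in the
 * first octet. No station transmits with a group address as its own
 * address, so such an SA can only come from a malformed or hostile frame. */
static int is_group_addr(const uint8_t *a) { return (a[0] & 0x01) != 0; }

static int is_zero_addr(const uint8_t *a) {
    static const uint8_t zero[ETH_ALEN] = {0};
    return memcmp(a, zero, ETH_ALEN) == 0;
}

/* Returns 1 if a management frame from this SA may be processed further,
 * 0 if it must be dropped silently: no STA entry created, no response
 * sent. Silence matters because a response addressed to a group address
 * (or to the AP itself) would be received by stations that never asked
 * for it, which is the class of confusion the advisory describes. */
int mgmt_sa_acceptable(const uint8_t sa[ETH_ALEN],
                       const uint8_t own_addr[ETH_ALEN]) {
    if (is_group_addr(sa))
        return 0;
    if (is_zero_addr(sa))
        return 0;
    if (memcmp(sa, own_addr, ETH_ALEN) == 0)
        return 0;
    return 1;
}

/* Same check on a raw frame buffer: reject truncated headers first, then
 * copy the header out to avoid unaligned access into the buffer. */
int mgmt_frame_acceptable(const uint8_t *frame, size_t len,
                          const uint8_t own_addr[ETH_ALEN]) {
    struct ieee80211_mgmt_hdr hdr;
    if (frame == NULL || len < sizeof(hdr))
        return 0;
    memcpy(&hdr, frame, sizeof(hdr));
    return mgmt_sa_acceptable(hdr.sa, own_addr);
}

/* Constructed sample addresses (not from any real capture). */
const uint8_t EXAMPLE_AP_ADDR[ETH_ALEN]    = {0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
const uint8_t EXAMPLE_STA_ADDR[ETH_ALEN]   = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t EXAMPLE_BCAST_ADDR[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
const uint8_t EXAMPLE_MCAST_ADDR[ETH_ALEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};
const uint8_t EXAMPLE_ZERO_ADDR[ETH_ALEN]  = {0};

/* Runs the check over the constructed addresses and returns how many of
 * the five would be accepted (only the unicast station address should be). */
int count_accepted_examples(void) {
    const uint8_t *cases[] = {EXAMPLE_STA_ADDR, EXAMPLE_BCAST_ADDR,
                              EXAMPLE_MCAST_ADDR, EXAMPLE_ZERO_ADDR,
                              EXAMPLE_AP_ADDR};
    int accepted = 0;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        accepted += mgmt_sa_acceptable(cases[i], EXAMPLE_AP_ADDR);
    return accepted;
}

int main(void) {
    uint8_t frame[sizeof(struct ieee80211_mgmt_hdr)] = {0};
    memcpy(frame + offsetof(struct ieee80211_mgmt_hdr, sa),
           EXAMPLE_BCAST_ADDR, ETH_ALEN);
    printf("accepted %d of 5 sample SAs\n", count_accepted_examples());
    printf("frame with broadcast SA accepted: %d\n",
           mgmt_frame_acceptable(frame, sizeof(frame), EXAMPLE_AP_ADDR));
    return 0;
}
```

The check belongs at the very top of the receive path, before any frame-type dispatch, so that no handler can create per-STA state or transmit a reply for a frame that fails it; logging at debug level rather than sending any response keeps the AP from becoming the reflector.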
This will avoid breaking the build whenever a non-major kernel update
happens. In the update script, we map each kernel version to the latest
patch for the latest kernel version less than or equal to what we
have packaged.
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.
The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
We don't currently have tests to ensure it works and keeps working.
So instead of having it accidentally working, and possibly breaking it
in the future, disable it for now.
The previous patch just removed a `ConditionFileNotEmpty=…` line from
`kmod-static-nodes.service` referring to a location not existing on
NixOS. We know better, and can actually replace this Condition to point
to `run/booted-system/kernel-modules/lib/modules/%v/`, instead of just
patching it out.
This was simply undoing a hunk from
0008-Don-t-try-to-unmount-nix-or-nix-store.patch, so drop that one from
there and omit
0017-Fix-mount-option-x-initrd.mount-handling-35268-16.patch entirely.
These patches removed logic in the meson install phase invoking
`journalctl --update-catalog` and `systemd-hwdb update`, which would
mutate the running system, and obviously fails in the sandbox.
Upstream also knows this is a bad thing if you're not on the machine you
want to deploy to, so there's logic in there to not execute it when
DESTDIR isn't empty. In our case, it is - as we set --prefix instead for
other reasons, but by just setting DESTDIR to "/", we can still trigger
these things to be skipped.
The patches removed some context from
0018-Install-default-configuration-into-out-share-factory.patch, which
we need to introduce there to make that patch still apply.
After patching, this produces exactly the same source code as in our
custom fork, but having the actual patches inlined inside nixpkgs makes
it easier to get rid of them.
In case more complicated rebasing is necessary, maintainers can
- Clone the upstream systemd/systemd[-stable] repo
- Checkout the current rev mentioned in src
- Apply the patches from this folder via `git am 00*.patch`
- Rebase the repo on top of a new version
- Export the patch series via `git format-patch $newVersion`
- Update the patches = [ … ] attribute (if necessary)
The documentation says this should be a list, and it already is in
about half the expressions that set it.
The difference doesn't matter at present, because these values are all
space-free literals. But it will in a future with __structuredAttrs .
(The similar attr stripAllList has no users in the nixpkgs tree, so
there's nothing to do to fix any of those up.)
They will be installed now and we can provide $HOSTCC for
cross-compilation.
New files:
+lib/tc/experimental.dist
+lib/tc/normal.dist
+lib/tc/pareto.dist
+lib/tc/paretonormal.dist
Note: The distributions are generated in a reproducible way.
Co-Authored-By: Benjamin Saunders <ben.e.saunders@gmail.com>
"Not a lot of changes in this release, most are related to fixing output
formatting and documentation." [0]
File changes (additions/removals):
+share/man/man8/tc-ets.8.gz
+share/man/man8/tc-fq_pie.8.gz
nix path-info -S:
5.5.0 51509616
5.6.0 51528680
[0]: https://marc.info/?l=linux-netdev&m=158585608413591
Most of the skaware packages already build just fine with pkgsStatic,
however the wrapper scripts for execline and stdnotify-wrapper needed
the `-lskarlib` argument to go at the end.
`utmps` and `nsss` still fail with this error:
```
exec ./tools/install.sh -D -m 600 utmps-utmpd /bin/utmps-utmpd
/build/utmps-0.0.3.1/tools/install.sh: line 48: can't create /bin/utmps-utmpd.tmp.479: Permission denied
make: *** [Makefile:121: /bin/utmps-utmpd] Error 1
```
Hello,
New versions of all the skarnet.org packages are available.
This is mostly a bugfix release (there was an installation bug in
some circumstances with shared libraries) but some packages, notably
execline and s6, have new, useful features.
The new versions are the following:
skalibs-2.9.2.0
nsss-0.0.2.2
utmps-0.0.3.2
execline-2.6.0.0
s6-2.9.1.0
s6-rc-0.5.1.2
s6-linux-init-1.0.4.0
s6-dns-2.3.2.0
s6-networking-2.3.1.2
s6-portable-utils-2.2.2.2
s6-linux-utils-2.5.1.2
mdevd-0.1.1.2
bcnm-0.0.1.0
Here are details for the packages that have more than bugfixes:
* skalibs-2.9.2.0
---------------
- New header: skalibs/bigkv.h. It's a set of functions allowing
efficient lookups in a large set of strings (typically read from the
command line or the environment).
https://skarnet.org/software/skalibs/
git://git.skarnet.org/skalibs
* execline-2.6.0.0
----------------
- It's a major release because an API has been modified: dollarat.
Beforehand, dollarat's -0 option would always prevail over any -d
option. Now, dollarat has its conflicting -0 and -d options handled
in the conventional way, with rightmost priority.
- The runblock program now accepts a command line prefix, which is
given as runblock's own command line. This allows blocks to serve as
arguments to a new command, instead of having to be full command lines
by themselves.
- New binary: posix-umask.
- The former "cd" program is now named "execline-cd" and the former
"umask" program is named "execline-umask". When the
--enable-pedantic-posix
option is not given at configure time, "cd" and "umask" are symbolic
links created at installation time and pointing to execline-cd and
execline-umask respectively. When the --enable-pedantic-posix option is
given, the symbolic links point to posix-cd and posix-umask instead.
- With posix-cd and posix-umask (and the changes to wait done in the
previous version), execline is now fully POSIX-compliant when built with
the --enable-pedantic-posix option. This will certainly, without the
slightest hint of a doubt, change distributions' attitudes about it.
https://skarnet.org/software/execline/
git://git.skarnet.org/execline
* s6-2.9.1.0
----------
- A new '?' directive has been added to s6-log. It behaves exactly like
'!', except that it spawns the given processor with /bin/sh as an
interpreter instead of execlineb.
- execline support is now optional: it can be disabled by specifying
--disable-execline at configure time. Some functionality is unavailable
when execline support is disabled:
* s6-log's '!' directive
* s6-notifyoncheck's -c option
* s6-ipcserver-access's support for 'exec' directives in a ruleset
- A new -X option has been added to s6-svscan, to specify a descriptor
that will be passed as stderr to a service spawned by this s6-svscan and
named s6-svscan-log. This is used in the new s6-linux-init, to avoid
needing to hardcode the /dev/console name for the catch-all logger's
standard error.
- On systems that define SIGPWR and SIGWINCH, s6-svscan -s now diverts
those signals. This allows powerfail and kbrequest events to be handled
when s6-svscan runs as process 1.
https://skarnet.org/software/s6/
git://git.skarnet.org/s6
* s6-linux-init-1.0.4.0
---------------------
- New options have been added to s6-linux-init-maker: to support
running s6-linux-init without a catch-all logger, and to support running
it in a container.
- s6-linux-init-maker now adds a SIGPWR handler to the default image:
on receipt of a SIGPWR, the system's shutdown procedure is triggered.
- s6-linux-init now handles kbrequest, which triggers a SIGWINCH in
init when a special, configurable set of keys is pressed. By default,
no SIGWINCH handler is declared in the image, and no set of keys is
bound to kbrequest.
https://skarnet.org/software/s6-linux-init/
git://git.skarnet.org/s6-linux-init
* s6-dns-2.3.2.0
--------------
- New library: libdcache, implementing a clean cache structure
to contain DNS data. It's still not used at the moment.
https://skarnet.org/software/s6-dns/
git://git.skarnet.org/s6-dns
* bcnm-0.0.1.0
------------
- First numbered release, because the Adélie Linux distribution,
which uses libwpactrl, needs an official release instead of pulling
from git.
- libwpactrl is a set of C functions helping control a wpa_supplicant
process.
- bcnm-waitif is a binary that waits for network interface state
events such as appearance/disappearance, up/down, running/not-running.
It is useful to avoid race conditions during a boot sequence, for
instance.
https://skarnet.org/software/bcnm/
git://git.skarnet.org/bcnm
Enjoy,
Bug-reports welcome.
--
Laurent
Since we select everything as a module, snd_hda_codec_ca0132 is built as
well. DSP loading is not enabled by default, but without it the
soundcard produces timeouts within ALSA and does not emit sound.
Explicitly enable the firmware loading to ensure Soundblaster
Z/Zx/ZxR/Recon devices can be used with NixOS.
The patch to enable this by default in the kernel is staged for 5.8.