Bug 256118 - [net80211] [patch]: reject mixed plaintext/encrypted fragments
Summary: [net80211] [patch]: reject mixed plaintext/encrypted fragments
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: wireless
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Bjoern A. Zeeb
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-24 13:12 UTC by Mathy
Modified: 2022-03-15 18:17 UTC

See Also:


Attachments
patch: git diff file (5.98 KB, patch)
2021-05-24 13:12 UTC, Mathy

Description Mathy 2021-05-24 13:12:58 UTC
Created attachment 225220
patch: git diff file

FreeBSD accepts fragmented 802.11 frames in a protected Wi-Fi network even when some of the fragments were not encrypted. This corresponds to CVE-2020-26147 of the "FragAttacks" research. For background see Section 6.3 in https://papers.mathyvanhoef.com/usenix2021.pdf

This vulnerability can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "ping I,P,E" and/or "ping I,P,E" (the transmitted ping request should be rejected by the kernel).

The attached patch fixes this vulnerability. It was tested using a Belkin F5D8053 (run driver) in client mode. I'm not sure if I'm using the best way to track whether a fragment was encrypted, but it gets the job done with a low number of code changes.

FYI: I've submitted a similar patch to NetBSD: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=56204
Comment 1 Bjoern A. Zeeb 2021-06-06 22:43:14 UTC
Thanks for all the work and submitting the patches.

I have uploaded them to our review system (given they are public).
This one is here:
https://reviews.freebsd.org/D30663
Comment 2 commit-hook 2021-09-30 14:50:35 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55

commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:41 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2021-09-30 14:47:41 +0000

    net80211: reject mixed plaintext/encrypted fragments

    ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
    network even when some of the fragments are not encrypted.
    Track whether the fragments are encrypted or not and only accept
    successive ones if they match the state of the first fragment.

    This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
    and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
    paper.

    Submitted by:   Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:       CVE-2020-26147
    PR:             256118
    Differential Revision: https://reviews.freebsd.org/D30663

 sys/net80211/ieee80211_adhoc.c  |  2 +-
 sys/net80211/ieee80211_hostap.c |  2 +-
 sys/net80211/ieee80211_input.c  | 21 ++++++++++++++++++---
 sys/net80211/ieee80211_input.h  |  2 +-
 sys/net80211/ieee80211_mesh.c   |  2 +-
 sys/net80211/ieee80211_sta.c    |  2 +-
 sys/net80211/ieee80211_wds.c    |  2 +-
 7 files changed, 24 insertions(+), 9 deletions(-)
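The check the commit message above describes, as an added C illustration rather than FreeBSD's own ieee80211_defrag() code: a minimal MSDU reassembler records whether fragment 0 arrived protected and drops any later fragment whose protection state differs, discarding the partial MSDU. The fragment descriptor layout and the names struct frag, defrag_input, feed_two_fragments and completed_len are constructed for this example; whether a fully unencrypted fragmented frame is acceptable at all in a protected network is a separate policy check that this sketch does not model.

```c
/*
 * Added illustration (not FreeBSD's ieee80211_defrag()): a minimal 802.11
 * MSDU reassembler that remembers whether the first fragment arrived
 * protected and drops any later fragment whose protection state differs.
 * The descriptor layout and all names here are constructed for the example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSDU 2304   /* maximum 802.11 MSDU body size */

/* Constructed per-fragment descriptor, as a driver might hand it up. */
struct frag {
    uint16_t seq;           /* sequence number, shared by all fragments */
    uint8_t  fragno;        /* fragment number, 0 for the first */
    bool     more_frag;     /* More Fragments bit */
    bool     is_protected;  /* Protected Frame bit set and payload decrypted */
    const uint8_t *data;
    size_t   len;
};

/* Per-sender reassembly state. */
struct defrag_state {
    bool     active;
    uint16_t seq;
    uint8_t  next_fragno;
    bool     first_protected;   /* protection state of fragment 0 */
    uint8_t  buf[MAX_MSDU];
    size_t   len;
};

enum defrag_result { DEFRAG_PENDING, DEFRAG_COMPLETE, DEFRAG_DROPPED };

/* Feed one fragment; on DEFRAG_COMPLETE, *out_len (if non-NULL) is the MSDU length. */
enum defrag_result
defrag_input(struct defrag_state *st, const struct frag *f, size_t *out_len)
{
    if (f->fragno == 0) {
        /* First fragment: start over and record its protection state. */
        st->active = true;
        st->seq = f->seq;
        st->next_fragno = 1;
        st->first_protected = f->is_protected;
        st->len = 0;
    } else {
        /* Later fragment: must continue the in-progress MSDU in order ... */
        if (!st->active || f->seq != st->seq || f->fragno != st->next_fragno) {
            st->active = false;
            return DEFRAG_DROPPED;
        }
        /* ... and, the point of this fix, match fragment 0's protection state. */
        if (f->is_protected != st->first_protected) {
            st->active = false;
            return DEFRAG_DROPPED;
        }
        st->next_fragno++;
    }
    if (st->len + f->len > MAX_MSDU) {
        st->active = false;
        return DEFRAG_DROPPED;
    }
    memcpy(st->buf + st->len, f->data, f->len);
    st->len += f->len;
    if (f->more_frag)
        return DEFRAG_PENDING;
    st->active = false;
    if (out_len)
        *out_len = st->len;
    return DEFRAG_COMPLETE;
}

/* Constructed two-fragment MSDU with the given per-fragment protection states. */
enum defrag_result
feed_two_fragments(bool first_protected, bool second_protected, size_t *out_len)
{
    static const uint8_t part_a[4] = { 'A', 'A', 'A', 'A' };
    static const uint8_t part_b[4] = { 'B', 'B', 'B', 'B' };
    struct defrag_state st;
    struct frag f0 = { 7, 0, true,  first_protected,  part_a, sizeof(part_a) };
    struct frag f1 = { 7, 1, false, second_protected, part_b, sizeof(part_b) };

    memset(&st, 0, sizeof(st));
    if (defrag_input(&st, &f0, out_len) != DEFRAG_PENDING)
        return DEFRAG_DROPPED;
    return defrag_input(&st, &f1, out_len);
}

/* Length of the reassembled MSDU, or 0 if it was dropped. */
size_t completed_len(bool first_protected, bool second_protected)
{
    size_t n = 0;
    if (feed_two_fragments(first_protected, second_protected, &n) != DEFRAG_COMPLETE)
        return 0;
    return n;
}

int main(void)
{
    printf("enc+enc:   %s\n", completed_len(true, true)  ? "accepted" : "dropped");
    printf("enc+plain: %s\n", completed_len(true, false) ? "accepted" : "dropped");
    printf("plain+enc: %s\n", completed_len(false, true) ? "accepted" : "dropped");
    return 0;
}
```

The mixed cases (an encrypted fragment 0 followed by a plaintext fragment, or the reverse) are rejected before any bytes are appended, and the half-built MSDU is discarded so that a later, correctly protected fragment cannot be spliced onto it.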
Comment 3 commit-hook 2021-11-19 00:04:03 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e13d483c5677d12b52f1c81537d54faa85ed43b9

commit e13d483c5677d12b52f1c81537d54faa85ed43b9
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:41 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2021-11-19 00:01:24 +0000

    net80211: reject mixed plaintext/encrypted fragments

    ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
    network even when some of the fragments are not encrypted.
    Track whether the fragments are encrypted or not and only accept
    successive ones if they match the state of the first fragment.

    This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
    and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
    paper.

    Submitted by:   Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:       CVE-2020-26147
    PR:             256118

    (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55)

 sys/net80211/ieee80211_adhoc.c  |  2 +-
 sys/net80211/ieee80211_hostap.c |  2 +-
 sys/net80211/ieee80211_input.c  | 21 ++++++++++++++++++---
 sys/net80211/ieee80211_input.h  |  2 +-
 sys/net80211/ieee80211_mesh.c   |  2 +-
 sys/net80211/ieee80211_sta.c    |  2 +-
 sys/net80211/ieee80211_wds.c    |  2 +-
 7 files changed, 24 insertions(+), 9 deletions(-)
Comment 4 commit-hook 2022-02-15 16:05:00 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=00cd5a2f614ae2cf1daa30cde7f91de9cdde2393

commit 00cd5a2f614ae2cf1daa30cde7f91de9cdde2393
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:41 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-02-15 15:03:09 +0000

    net80211: reject mixed plaintext/encrypted fragments

    ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
    network even when some of the fragments are not encrypted.
    Track whether the fragments are encrypted or not and only accept
    successive ones if they match the state of the first fragment.

    This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
    and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
    paper.

    Submitted by:   Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:       CVE-2020-26147
    PR:             256118

    (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55)
    (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9)

 sys/net80211/ieee80211_adhoc.c  |  2 +-
 sys/net80211/ieee80211_hostap.c |  2 +-
 sys/net80211/ieee80211_input.c  | 21 ++++++++++++++++++---
 sys/net80211/ieee80211_input.h  |  2 +-
 sys/net80211/ieee80211_mesh.c   |  2 +-
 sys/net80211/ieee80211_sta.c    |  2 +-
 sys/net80211/ieee80211_wds.c    |  2 +-
 7 files changed, 24 insertions(+), 9 deletions(-)
Comment 5 commit-hook 2022-03-15 18:14:31 UTC
A commit in branch releng/13.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=cf15ab553dd0dabd8718995aedbe90e3ff0bc7e1

commit cf15ab553dd0dabd8718995aedbe90e3ff0bc7e1
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:41 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-15 17:43:54 +0000

    net80211: reject mixed plaintext/encrypted fragments

    ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
    network even when some of the fragments are not encrypted.
    Track whether the fragments are encrypted or not and only accept
    successive ones if they match the state of the first fragment.

    This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
    and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
    paper.

    Submitted by:   Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:       CVE-2020-26147
    PR:             256118

    (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55)
    (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9)

    Approved by:    so
    Security:       FreeBSD-SA-22:02.wifi

 sys/net80211/ieee80211_adhoc.c  |  2 +-
 sys/net80211/ieee80211_hostap.c |  2 +-
 sys/net80211/ieee80211_input.c  | 21 ++++++++++++++++++---
 sys/net80211/ieee80211_input.h  |  2 +-
 sys/net80211/ieee80211_mesh.c   |  2 +-
 sys/net80211/ieee80211_sta.c    |  2 +-
 sys/net80211/ieee80211_wds.c    |  2 +-
 7 files changed, 24 insertions(+), 9 deletions(-)
Comment 6 commit-hook 2022-03-15 18:16:38 UTC
A commit in branch releng/12.3 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=060c556da720145912ac79f67e91ef656f74a78b

commit 060c556da720145912ac79f67e91ef656f74a78b
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:41 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-15 18:16:01 +0000

    net80211: reject mixed plaintext/encrypted fragments

    ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
    network even when some of the fragments are not encrypted.
    Track whether the fragments are encrypted or not and only accept
    successive ones if they match the state of the first fragment.

    This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
    and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
    paper.

    Submitted by:   Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:       CVE-2020-26147
    PR:             256118

    (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55)
    (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9)
    (cherry picked from commit 00cd5a2f614ae2cf1daa30cde7f91de9cdde2393)

    Approved by:    so
    Security:       FreeBSD-SA-22:02.wifi

 sys/net80211/ieee80211_adhoc.c  |  2 +-
 sys/net80211/ieee80211_hostap.c |  2 +-
 sys/net80211/ieee80211_input.c  | 21 ++++++++++++++++++---
 sys/net80211/ieee80211_input.h  |  2 +-
 sys/net80211/ieee80211_mesh.c   |  2 +-
 sys/net80211/ieee80211_sta.c    |  2 +-
 sys/net80211/ieee80211_wds.c    |  2 +-
 7 files changed, 24 insertions(+), 9 deletions(-)
Comment 7 commit-hook 2022-03-15 18:17:42 UTC
A commit in branch releng/12.2 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a780210457fe7448c6f4cdd81578f377974b2925

commit a780210457fe7448c6f4cdd81578f377974b2925
Author:     Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
AuthorDate: 2021-06-06 22:10:41 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-03-15 17:40:34 +0000

    net80211: reject mixed plaintext/encrypted fragments

    ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
    network even when some of the fragments are not encrypted.
    Track whether the fragments are encrypted or not and only accept
    successive ones if they match the state of the first fragment.

    This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
    and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
    paper.

    Submitted by:   Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
    Security:       CVE-2020-26147
    PR:             256118

    (cherry picked from commit 11572d7d7fb9802ceb46ea9dc6cbe3bb95373e55)
    (cherry picked from commit e13d483c5677d12b52f1c81537d54faa85ed43b9)
    (cherry picked from commit 00cd5a2f614ae2cf1daa30cde7f91de9cdde2393)

    Approved by:    so
    Security:       FreeBSD-SA-22:02.wifi

 sys/net80211/ieee80211_adhoc.c  |  2 +-
 sys/net80211/ieee80211_hostap.c |  2 +-
 sys/net80211/ieee80211_input.c  | 21 ++++++++++++++++++---
 sys/net80211/ieee80211_input.h  |  2 +-
 sys/net80211/ieee80211_mesh.c   |  2 +-
 sys/net80211/ieee80211_sta.c    |  2 +-
 sys/net80211/ieee80211_wds.c    |  2 +-
 7 files changed, 24 insertions(+), 9 deletions(-)