Created attachment 225221 [details] patch: git diff file FreeBSD is also affected by the A-MSDU design flaw in Wi-Fi (CVE-2020-24588). For background see Section 3 in https://papers.mathyvanhoef.com/usenix2021.pdf This vulnerability can be reproduced using the FragAttack test tool at https://github.com/vanhoefm/fragattacks with the test case "amsdu-inject-bad" (the injected ping request should be rejected by the kernel). The attached patches fixes this vulnerability. It was tested using a Belkin F5D8053 (run driver) in client mode.
This one is here: https://reviews.freebsd.org/D30664
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=f024bdf1155f36d2d8c4caa533b66e4040c4c469 commit f024bdf1155f36d2d8c4caa533b66e4040c4c469 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:52 +0000 Commit: Bjoern A. Zeeb <bz@FreeBSD.org> CommitDate: 2021-09-30 14:50:45 +0000 net80211: mitigation against A-MSDU design flaw Mitigate A-MSDU injection attacks by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-24588 PR: 256119 Differential Revision: https://reviews.freebsd.org/D30664 sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 20 ++++++++++++++++++-- sys/net80211/ieee80211_input.h | 3 ++- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 6 files changed, 24 insertions(+), 7 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=41ca1d50a8657959df2009daa300dda56a090d5e commit 41ca1d50a8657959df2009daa300dda56a090d5e Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:52 +0000 Commit: Bjoern A. Zeeb <bz@FreeBSD.org> CommitDate: 2021-11-19 00:01:24 +0000 net80211: mitigation against A-MSDU design flaw Mitigate A-MSDU injection attacks by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-24588 PR: 256119 (cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469) sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 20 ++++++++++++++++++-- sys/net80211/ieee80211_input.h | 3 ++- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 6 files changed, 24 insertions(+), 7 deletions(-)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=76ee776f4d9f146f7a97ac9bab388c51a1c787c9 commit 76ee776f4d9f146f7a97ac9bab388c51a1c787c9 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:52 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-02-14 20:26:46 +0000 net80211: mitigation against A-MSDU design flaw Mitigate A-MSDU injection attacks by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-24588 PR: 256119 (cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469) (cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e) sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 20 ++++++++++++++++++-- sys/net80211/ieee80211_input.h | 3 ++- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 6 files changed, 24 insertions(+), 7 deletions(-)
A commit in branch releng/13.0 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=7ba07a1452a82c3cbe696c3dfd162cc76c168dda commit 7ba07a1452a82c3cbe696c3dfd162cc76c168dda Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:52 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-03-15 17:45:11 +0000 net80211: mitigation against A-MSDU design flaw Mitigate A-MSDU injection attacks by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-24588 PR: 256119 (cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469) (cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e) Approved by: so Security: FreeBSD-SA-22:02.wifi sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 20 ++++++++++++++++++-- sys/net80211/ieee80211_input.h | 3 ++- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 6 files changed, 24 insertions(+), 7 deletions(-)
A commit in branch releng/12.3 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=5616c3920f8a6a5792f23c1975780f4b54888aa1 commit 5616c3920f8a6a5792f23c1975780f4b54888aa1 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:52 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-03-15 17:47:01 +0000 net80211: mitigation against A-MSDU design flaw Mitigate A-MSDU injection attacks by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-24588 PR: 256119 (cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469) (cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e) (cherry picked from commit 76ee776f4d9f146f7a97ac9bab388c51a1c787c9) Approved by: so Security: FreeBSD-SA-22:02.wifi sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 20 ++++++++++++++++++-- sys/net80211/ieee80211_input.h | 3 ++- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 6 files changed, 24 insertions(+), 7 deletions(-)
A commit in branch releng/12.2 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ae6d654f4fa167f473a40417479e607029670679 commit ae6d654f4fa167f473a40417479e607029670679 Author: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> AuthorDate: 2021-06-06 22:10:52 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-03-15 17:39:02 +0000 net80211: mitigation against A-MSDU design flaw Mitigate A-MSDU injection attacks by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation) paper. Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be) Security: CVE-2020-24588 PR: 256119 (cherry picked from commit f024bdf1155f36d2d8c4caa533b66e4040c4c469) (cherry picked from commit 41ca1d50a8657959df2009daa300dda56a090d5e) (cherry picked from commit 76ee776f4d9f146f7a97ac9bab388c51a1c787c9) Approved by: so Security: FreeBSD-SA-22:02.wifi sys/net80211/ieee80211_adhoc.c | 2 +- sys/net80211/ieee80211_hostap.c | 2 +- sys/net80211/ieee80211_input.c | 20 ++++++++++++++++++-- sys/net80211/ieee80211_input.h | 3 ++- sys/net80211/ieee80211_sta.c | 2 +- sys/net80211/ieee80211_wds.c | 2 +- 6 files changed, 24 insertions(+), 7 deletions(-)