Linux Fixes 5 Gaping Holes in Wi-Fi

Linux’s Wi-Fi code has some nasty bugs, which an attacker can exploit simply by being within radio range of the victim. Remote code execution is a possibility, and the target doesn’t even need to connect to a malicious Wi-Fi network: the bugs are triggered by frames the kernel parses just because they arrive over the air.

They’ve been there for more than three years, and are caused by our old friend: Memory-unsafe C code. What other nasties lurk in the open source kernel powering billions of phones, routers and IoT devices?

Some say it’s the fault of Linus Torvalds himself (pictured). In today’s SB Blogwatch, we decline to point the finger.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Six months late.

Penguinistas’ Premier Panned

What’s the craic? Michael Larabel reports—“Linux Gets Patched For WiFi Vulnerabilities”:

Working their way to currently supported Linux
A set of Linux kernel WiFi stack security issues were made public. … Making these WiFi security issues more problematic is that they can be exploited over-the-air via malicious packets.

Linus Torvalds picked up the WiFi security fixes … for the Linux 6.1 merge window. The patches are now working their way to currently supported Linux stable series and in turn should be picked up in those next rounds of point releases over the coming days.

Who discovered it? SUSE’s Marcus Meissner elaborates—“Various Linux Kernel WLAN security issues”:

Exploitable over the air
Security Researcher Sönke Huster from TU Darmstadt … emailed SUSE with a buffer overwrite in the Linux Kernel mac80211 framework triggered by WLAN frames. We delegated the issue to the kernel security folks: … Sönke and Johannes Berg from Intel evaluated and worked on this issue.

During their research they found … more problems in the WLAN stack, exploitable over the air. … I have requested 5 CVEs from Mitre: …
CVE-2022-41674 … -42719 … -42720 … -42721 [and] -42722.

Sounds like Rust language support in the kernel can’t come soon enough. u/Jannik2099 is not a happy camper:

Torvalds repeatedly shot down
We have had many techniques to mitigate memory errors even before Rust, such as: FORTIFY_SOURCE, -Warray-bounds, respecting -fdelete-null-pointer-checks and -fstrict-aliasing. Or using a language less prone to errors, such as C++.

To be clear, these mitigations … won’t magically make the world memory safe. However they retroactively affect all existing code.

Torvalds repeatedly shot down all of those options … because he didn’t consider it necessary or worth the effort. … The majority of userspace implements these techniques, only Linux doesn’t.
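To make the bug class concrete, both the “buffer overwrite … triggered by WLAN frames” Meissner describes and the reason Jannik2099’s compiler mitigations don’t fully cover it, here is an added example in C. It is not kernel code and not a reconstruction of any of the five CVEs: the element layout is the real 802.11 information-element format (1-byte ID, 1-byte length, payload), but the parser, the `ssid_buf` struct and the three sample frame bodies are constructed here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 management frames carry information elements back to back:
 * 1-byte element ID, 1-byte length, then that many payload bytes.
 * Element ID 0 is the SSID, which the standard caps at 32 bytes. */
#define WLAN_EID_SSID 0
#define IEEE80211_MAX_SSID_LEN 32

/* Illustrative destination struct (not a kernel type). */
struct ssid_buf {
    uint8_t ssid[IEEE80211_MAX_SSID_LEN];
    uint8_t len;
};

/* BEFORE: trusts both length bytes that came over the air.
 * Two memory-safety failures: the element walk can step past the end of
 * the received frame (out-of-bounds read), and the memcpy can write up to
 * 255 bytes into a 32-byte array (buffer overwrite). Only safe on a
 * well-formed frame; it is here as the contrast to the checked version. */
void ssid_copy_unchecked(const uint8_t *ies, struct ssid_buf *out)
{
    const uint8_t *pos = ies;

    while (pos[0] != WLAN_EID_SSID)        /* nothing stops pos leaving the frame */
        pos += 2 + pos[1];
    out->len = pos[1];
    memcpy(out->ssid, pos + 2, pos[1]);    /* pos[1] is attacker-chosen, up to 255 */
}

/* AFTER: every length is validated against the bytes remaining in the frame
 * and against the destination size before anything is read or copied. */
bool ssid_copy_checked(const uint8_t *ies, size_t ies_len, struct ssid_buf *out)
{
    size_t off = 0;

    while (off + 2 <= ies_len) {           /* need a complete id+len header */
        uint8_t id = ies[off];
        uint8_t len = ies[off + 1];

        if (len > ies_len - off - 2)       /* element claims bytes the frame lacks */
            return false;
        if (id == WLAN_EID_SSID) {
            if (len > IEEE80211_MAX_SSID_LEN)
                return false;              /* would overflow out->ssid */
            memcpy(out->ssid, ies + off + 2, len);
            out->len = len;
            return true;
        }
        off += 2 + len;
    }
    return false;                          /* no SSID, or frame ends mid-element */
}

/* Parse with the checked routine and compare the result to an expected SSID. */
bool ssid_equals(const uint8_t *ies, size_t ies_len, const char *expected)
{
    struct ssid_buf b;

    memset(&b, 0, sizeof(b));
    if (!ssid_copy_checked(ies, ies_len, &b))
        return false;
    return b.len == strlen(expected) && memcmp(b.ssid, expected, b.len) == 0;
}

/* Constructed sample frame bodies (not captured traffic). */
static const uint8_t benign_ies[] = {
    0x01, 0x02, 0x82, 0x84,                /* Supported Rates: 1 and 2 Mbit/s */
    0x00, 0x03, 'l', 'a', 'b',             /* SSID "lab" */
};
static const uint8_t oversized_ssid_ies[] = {
    0x00, 0xff, 'l', 'a', 'b',             /* SSID claims 255 bytes, 3 present */
};
static const uint8_t truncated_ies[] = {
    0x01, 0x40, 0x82,                      /* Rates claims 64 bytes, 1 present */
};

int main(void)
{
    struct ssid_buf b;

    /* On a well-formed frame both parsers agree. */
    ssid_copy_unchecked(benign_ies, &b);
    printf("unchecked, benign:  %.*s\n", b.len, b.ssid);
    printf("checked,   benign:  %s\n",
           ssid_equals(benign_ies, sizeof(benign_ies), "lab") ? "SSID lab" : "rejected");
    /* Only the checked parser survives the malformed ones. */
    printf("checked, oversized: %s\n",
           ssid_copy_checked(oversized_ssid_ies, sizeof(oversized_ssid_ies), &b) ? "accepted" : "rejected");
    printf("checked, truncated: %s\n",
           ssid_copy_checked(truncated_ies, sizeof(truncated_ies), &b) ? "accepted" : "rejected");
    return 0;
}
```

The point about mitigations: FORTIFY_SOURCE can flag the `memcpy` into `out->ssid` only when the compiler can see the destination size, and nothing in Jannik2099’s list can see where the received frame ends, so the over-read in the element walk survives all of them. That check, plus the cap on the copy length, is what the “AFTER” version adds, and it is the kind of check that has to be written per parser.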


Use-after-free bugs in the kernel? Heed boricj’s rant:

Can we please stop running network drivers and network stacks in kernel mode? … It’s 2022 and we’ve got more than enough compute power: … The performance hit for running these in user-land is negligible.

Smartphone, tablet or laptop users usually do not need the level of performance that requires running that stuff in the kernel when browsing the web. … There are some use cases where performance really matters to the point where kernel network stack and drivers make a difference … but that should not be the default.

How long have these bugs been in there? I see cesarb and eknoe know: [You’re fired—Ed.]

It seems the commits being fixed are from the first quarter of 2019. … Most of the vulnerabilities were introduced in 5.1/5.2.

Check your firewall? u/londons_explorer shakes his head:

Remotely exploitable without even being on the same network. Firewalls won’t help you.

That’s pretty much as bad as it gets. It would theoretically be possible to write a worm which spreads from machine to machine via wifi with these exploits, and it would probably have infected most of the world within a few days.

Sky falling? It’ll soon be patched. But, as Lysius points out, it’s not just about PCs:

Patching this on normal desktop systems is relatively simple. But … this will lead to exploits against embedded devices like wireless access points or routers—for years to come.

Meanwhile, xani_ sounds sarcastically sanguine:

Eh, it didn’t get a cutesy name like BadWiFi—won’t be that bad.

And Finally:

Google Japan does April fool’s in October

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: laboratorio linux

(cc:by-nc-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
