Critical Security Hole in Linux Wi-Fi

Posted by CmdrTaco on Sun Apr 15, 2007 11:34 AM
from the nobody's-perfect dept.
thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."
  • patched already (Score:4, Insightful)

    by yagu (721525) * on Sunday April 15 2007, @11:36AM (#18741577) Journal

    So here is a Linux driver problem, a patch is available, though not widely dispersed. The news here is that even in a largely neglected (though it shouldn't be) slice of the Open Source technology, specifically the deadly difficult wi-fi landscape, bugs are found and fixed right away (at least that's the gist of part of the article).

    I'm more afraid of the neglected patches MSFT deems behind closed doors as not important enough to reveal to the public. How many zero-day exploits is MSFT discussing behind those closed doors right now, and what are they deciding about the fate of security to my machines?

    I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.

    (It doesn't seem to fix the other problem... I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore... If I want wireless linux on a laptop, I'm doing it via VMware's bridge. It shouldn't be like this.)

    • by Vellmont (569020) on Sunday April 15 2007, @12:07PM (#18741797)
      It's interesting that people start talking about Microsoft right away in reaction to this hole, as if the only thing that matters here is how this flaw relates to Microsoft.

      What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.


      > I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.

      Great... I guess I'd rather have the Linux World where there aren't any serious problems to begin with. The larger picture here is that computer security kinda sucks, not that Microsoft is better/worse at it than Linux is.

      > I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore

      Huh. I've had very good luck recently with Ubuntu. The built in wifi in my laptop worked out of the box with Ubuntu, and two other cards I own worked as well.

      It hasn't always been like this of course. A couple years ago WiFi support was extremely lacking.
      • by FooBarWidget (556006) on Sunday April 15 2007, @12:46PM (#18742109)
        I think the fact that computer security sucks implies that one of these is true:
        1. It just isn't possible to make software ultra-secure and free of vulnerabilities. I.e. you cannot expect *any* piece to be 100% secure, ever.
        2. It is possible, but the costs of making software ultra-secure are so high that it's not worth it. Customers would rather pay a lower price for a slightly less secure system than a much larger price for a 100% secure system.
      • The biggest problem with this kind of thing is not the operating system security model, it's the hardware. A device in most consumer machines can issue DMA requests that allow it to read or write arbitrary addresses in physical memory. No matter how isolated the driver is, the device itself can still poke at your memory. This can be addressed by adding an IOMMU, which allows the kernel to assign a virtual address range to the device, and prevents it from accessing random areas of memory. Once you have this, it's possible to isolate drivers more and impose a good security model on them, but without it, anything you do is a bit pointless.

        The good news is that the rise of virtualisation means that IOMMUs are going to become a lot more common in the next few years.

      • > What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.

        You're right. Unfortunately with the current design of PC hardware it's difficult to provide protection from poorly written drivers. For example, it's very common for drivers to be able to (a) initiate DMA transfers to/from any part of physical memory, and (b) lock the PCI bus by messing with the bus arbitration. You can do things like having an exokernel [wikipedia.org] -- small trusted multiplexers go in the kernel and the larger parts of your drivers sit (untrusted) in userspace, but performance generally sucks. Some hardware (eg. graphics cards) makes it hard even to do this.

        Luckily virtualisation is driving better solutions, and they're coming to a PC near you soon (in fact, they've already come to the PCs I'm using daily, but those are test articles). Primarily with virtualisation we want to be able to hand off devices to untrusted guest operating systems. For example, give each guest its own physical network card. That won't work too well if guests can stomp on each other's memory using DMA transfers. The new hardware actually has hardware support to stop the guests doing bad things.

        Look at Intel's VT-d [intel.com] for example.

        Rich.

    • Re:patched already (Score:4, Insightful)

      by delire (809063) on Sunday April 15 2007, @01:17PM (#18742387)
      Wireless support on Linux is great if you simply do a little research and don't pick a card that doesn't work. [leenooks.com] You can't take a Linux unfriendly wireless adapter to water and make it drink, so don't waste your time.

      Wireless works out-of-the-box (or soon after) - with a recent distribution of Linux - on most laptops these days.

      • Re:patched already (Score:4, Informative)

        by QuietLagoon (813062) on Sunday April 15 2007, @11:58AM (#18741723)
        MadWiFi source code can be found here [madwifi.org].

        The module in question is found here [madwifi.org]. (slow to load)

        • Re:patched already (Score:5, Informative)

          by FauxPasIII (75900) on Sunday April 15 2007, @01:17PM (#18742389)
          > MadWiFi source code can be found here.

          Or rather, a small open-source Linux compatibility shim around the actual, binary only driver.

          Look further into that link you pasted:

          http://madwifi.org/browser/trunk/hal/public [madwifi.org]

          Those .uu files are binary objects stored as text, and they make up the majority of the driver. This same binary driver is also used by some of the BSDs, with a different open-source shim.

          > The module in question is found here. (slow to load)

          Ah, so the flaw is in the open source shim part. Fooey. =/

          As an aside, and as I suspect you might already know, there is an effort to replace the binary-only part of that driver with Free software, and the Madwifi people have cooperated as much as they're able. They even host the development in their own repository:

          http://madwifi.org/browser/branches/madwifi-old-openhal [madwifi.org]

          Cheers!
      • Re:Mod parent down (Score:4, Insightful)

        by j35ter (895427) on Sunday April 15 2007, @01:04PM (#18742265)
        Sorry chap, people start bashing on linux (and its users) as soon as any kind of vulnerability is found.
        In this case, the vulnerability is in a 3rd party driver and not in the kernel itself. Nevertheless the not-so-techie reader just reads "Linux vulnerability".

        Btw. Don't forget that the public is used to hearing about Windows vulnerabilities; they don't notice them anymore.
      • Re:patched already (Score:5, Insightful)

        by el americano (799629) on Sunday April 15 2007, @02:52PM (#18743113) Homepage
        Patched quickly, yes, but if the patched driver was released Dec. 7, 2006 then the news that "a flaw was found", is even older than that. On top of that I didn't see mention of an exploit, so the article is a little sensational, but for some reason wireless seems to do that to journalists.

  • by dekkerdreyer (1007957) on Sunday April 15 2007, @11:47AM (#18741651)
    Luckily this hack isn't for the ordinary Linux user. The hack requires WPA encryption to be activated. As anyone who uses Linux knows, WPA requires recompiling the kernel, compiling wireless tools, compiling wpasupplicant, recompiling both when you find that the default configuration for wpasupplicant is to not use WPA (wtf?), and finally modifying a handful of cryptic configuration files. Once that's done, WPA is still not likely to work with a particular kernel, hardware, and wireless card combination.

    Once again, Linux is safe from such a common attack because only seven people have successfully set up WPA. If this had been a Windows flaw, where every machine natively understands WPA and no work at the command prompt is needed, this would be disastrous.

    This shows that Linux has been taking the right stand. By making the machine difficult to get running, it's unlikely that the machine will be able to connect to anything and become infected. Windows made the mistake of making the machine easy to use, allowing for simple network connections and ease of ownership (OWN3D).

    • by LinuxGeek (6139) * on Sunday April 15 2007, @12:03PM (#18741763)
      Humorous, but if someone wants a quick and painless route, check out Ubuntu. I'm running 7.04 beta on my laptop and wifi works well with my two very different APs in WPA(psk) mode. Installed and working, no tweaking, no manual compiling, no config file fiddling required. After running Linux for 12+ years I am quite happy with the state of Ubuntu.
  • Tag.. (Score:5, Funny)

    by Anonymous Coward on Sunday April 15 2007, @11:48AM (#18741661)
    DefectiveByDesign? Oh wait ... wrong OS.
  • by QuietLagoon (813062) on Sunday April 15 2007, @11:51AM (#18741683)
    Here [mitre.org] is a reference to a more informative report.
  • by Skiron (735617) on Sunday April 15 2007, @11:59AM (#18741731) Homepage
    ... this was fixed 4 months ago?

    http://madwifi.org/changeset/1842 [madwifi.org]
  • What!? (Score:5, Funny)

    by jav1231 (539129) on Sunday April 15 2007, @03:23PM (#18743343)
    Wait! Someone got WiFi to work in Linux!?
    Okay, easy...just saying this is one area that's always been behind in Linux.
      • Fixed! (Score:5, Insightful)

        by tjwhaynes (114792) on Sunday April 15 2007, @12:33PM (#18742011)

        > My concern is that you are right - "so have most people that actually pay attention to security posts." The strong benefit of Linux vis-a-vis MSFT (and it's not price) is that as an open system you have a nearly unlimited pool of the best computer code writing minds constantly updating and improving upon one another's kernel code around the world. But if, when errors are uncovered and corrections made, patches are only known to that pool of people, then mass users will be exposed to significant security risk. The average Joe running Linux will suffer and that hurts the entire community in both reputation and user adoption rates.

        You are overlooking the way that most Joe Linux users get their updates - automatically. When security flaws are found and patches are delivered, you can guarantee that the people who package that software at Redhat, Ubuntu, Debian and other major distributions are aware of the update. Those security patches will be tested and rolled out into the main update repositories, probably within 24 hours to all the mirrors worldwide. The automatic update daemon on Joe User's modern Linux distro will be downloading the update within the next 24 hours or sooner. From security patch being announced to patched home computer in 48 hours in the worst-case scenario.

        One of the nicest things about the distro's automatic updates is that this applies to ALL packages in the distro. I don't need to worry about Apache needing its own updater. So no - the average Joe running Linux does not suffer - he gets informed about the update or even has it applied without manual intervention depending on the settings. Joe benefits and so does the community who recognise that fixing security flaws promptly is key.

        Cheers,
        Toby Haynes

        • Re:Fixed! -not! (Score:5, Interesting)

          by quixote9 (999874) on Sunday April 15 2007, @01:21PM (#18742409) Homepage
          Um, "Joe Linux" here, chiming in. I run Fedora, which was pre-installed on oddball hardware. If Fedora has automatic updates like Ubuntu, and if they just work, I sure as hell haven't heard about them. The Fedora repository is about 10% of the way to useful. 15%, when I'm feeling charitable. I'm on Core 3 because I haven't found a distro that can deal with my system, and, since I'm a biology geek not a computer geek, I have no idea what to do or the time to spend finding out.

          It gets worse. I don't even know if I'm running a madwifi driver or not. I looked at the running processes, but there's nothing obvious there. I don't know if madwifi is called something else in the process list. I do know I have an Atheros chip.

          The point I'm trying to make is more than just displaying ignorance. The point is that it may be hard for those of you who are close to the subject to realize just how opaque it is to those of us who aren't. If you're in the know, share your knowledge. It's kind of frustrating, from my perspective, to hear, "It's all automatic, and if it's not, you're just too hopeless to deal with."

          (All that said, you're quite right that when updates are applied automatically and effectively, both the clueless and the clued benefit. That's why I'm getting my next system with Ubuntu on it!)
          • Re:Fixed! -not! (Score:5, Informative)

            by LibertarianWackJob (881478) on Sunday April 15 2007, @02:14PM (#18742831) Homepage
            Hi "Joe"
            You won't be getting any updates for FC3 since the Fedora Project has dropped support for that. If you like the Fedora distribution you can go with FC6 or wait for May 24 when FC7 is due to be released. Otherwise, Ubuntu is a fine distribution.

            Try this:

            su -

            crontab -e

            # cron for root
            # update system at 4AM daily; -y answers yum's confirmation
            # prompt, which would otherwise hang an unattended cron job
            0 4 * * * /usr/bin/yum -y update
    • madwifi links. (Score:5, Informative)

      by Erris (531066) on Sunday April 15 2007, @12:45PM (#18742095) Homepage Journal

      The madwifi howto is here [madwifi.org]. It seems that you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module. My simple Etch system does not have this or wlanconfig tools by default, though those tools look very nice and I'm sure this little problem will be fixed quickly.

      I have to agree with you about the uselessness of the PC World article. Besides not having any useful information, it's filled with FUD about free software wifi and confused "popularity argument" babble. In short it's more of a, "everyone else has these problems too, so Windoze away," pacifier than it is a news article.

    • Re:In other news.. (Score:5, Informative)

      by TheRealMindChild (743925) on Sunday April 15 2007, @12:57PM (#18742205) Homepage Journal
      > they all contain buffer overflows

      Actually, this kind of crap goes away when you stop using NULL terminated strings and put in size checks.

      • Start using a BSTR or std::string or christ, even CString.
      • If you're going to use a char * as a string, stop using strcpy/strcat/sprintf/strfindthelawngnome and start using strncpy/strncat/snprintf/strfoundthelawngnome
      • If you have to pass a char * as a parameter of some function, also add a parameter that indicates the size of the memory (EX: 'bool IsStringSexy(char *mystring, ULONG mystringlen)')
      • Don't assume that a setting read from some arbitrary place (registry, file) is correct when laying out structures in memory [LOOKING AT YOU IE AND FIREFOX AND WORD AND EVERY OTHER APP THAT CRASHED DUE TO A MALFORMED DOCUMENT]
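The list above, written out in C as an added example (this is not code from the thread or from the madwifi driver; the one-byte-length record format, the function names and the sample frames are made up for illustration): the same "copy a length-prefixed name out of a frame" routine in its unbounded form and in a form that takes the input length and the output size as parameters, plus the snprintf return-value check that the strncpy/snprintf advice usually leaves out.

```c
/*
 * Added example, not code from this thread or from the madwifi driver.
 * A length-prefixed "name" field is copied out of an untrusted frame two
 * ways.  The record layout (one length byte, then that many name bytes)
 * is invented for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed destination buffer, terminator included */

/* Vulnerable version: the length byte comes straight from the input, and
 * nothing compares it to NAME_MAX or to how many bytes the frame actually
 * holds.  A length byte of 200 writes 185 bytes past 'out' and reads past
 * the end of the frame.  Kept only as the "before"; never call it on
 * untrusted data. */
void copy_name_unsafe(const uint8_t *in, char out[NAME_MAX])
{
    size_t len = in[0];           /* attacker-controlled */
    memcpy(out, in + 1, len);     /* unbounded write */
    out[len] = '\0';
}

/* Hardened version: the caller supplies the input length and the output
 * size (the "also add a parameter that indicates the size" rule), and every
 * access is checked against both before any byte is copied.  Returns the
 * number of input bytes consumed, or -1 if the record cannot be trusted. */
int copy_name_safe(const uint8_t *in, size_t in_len, char *out, size_t out_size)
{
    if (in == NULL || out == NULL || out_size == 0)
        return -1;
    if (in_len < 1)               /* not even a length byte */
        return -1;

    size_t len = in[0];
    if (len > in_len - 1)         /* field claims more bytes than the frame has */
        return -1;
    if (len >= out_size)          /* must leave room for the terminator */
        return -1;

    memcpy(out, in + 1, len);
    out[len] = '\0';
    return (int)(len + 1);
}

/* snprintf bounds the write, but its return value is the length the full
 * string would have had.  A value >= out_size means the output was cut
 * short; treat that as failure rather than silently using a truncated line. */
bool format_ssid_line(const char *name, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "ssid=%s", name);
    return n >= 0 && (size_t)n < out_size;
}

int main(void)
{
    /* Constructed sample frames: a well-formed record and one whose
     * length byte lies about the payload. */
    const uint8_t good[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t overclaim[] = { 200, 'a', 'b' };
    char name[NAME_MAX];
    char line[32];

    copy_name_unsafe(good, name);       /* fine on well-formed input only */
    printf("unsafe copy of good frame: %s\n", name);

    int used = copy_name_safe(good, sizeof good, name, sizeof name);
    printf("safe copy of good frame: rc=%d name=%s\n", used, name);

    used = copy_name_safe(overclaim, sizeof overclaim, name, sizeof name);
    printf("safe copy of overclaiming frame: rc=%d (rejected)\n", used);

    if (format_ssid_line("hello", line, sizeof line))
        printf("%s\n", line);
    return 0;
}
```

The hardened copy uses memcpy plus an explicit terminator rather than strncpy on purpose: strncpy does not write a terminator when the source fills the whole buffer, so "strncpy instead of strcpy" on its own still leaves an unterminated string for the next function to walk off the end of.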