Slashdot Log In
Critical Security Hole in Linux Wi-Fi
Posted by
CmdrTaco
on Sun Apr 15, 2007 10:34 AM
from the nobody's-perfect dept.
from the nobody's-perfect dept.
thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."
This discussion has been archived.
No new comments can be posted.
Critical Security Hole in Linux Wi-Fi
|
Log In/Create an Account
| Top
| 262 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
patched already (Score:4, Insightful)
(Last Journal: Wednesday August 15, @03:36PM)
So here is a Linux driver problem, a patch is available, though not widely dispersed. The news here is that even in a largely neglected (though it shouldn't be) slice of the Open Source technology, specifically the deadly difficult wi-fi landscape, bugs are found and fixed right away (at least that's the gist of part of the article).
I'm more afraid of the neglected patches MSFT deems behind closed doors as not important enough to reveal to the public. How many zero-day exploits is MSFT discussing behind those closed doors right now, and what are they deciding about the fate of security to my machines?
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
(It doesn't seem to fix the other problem... I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore... If I want wireless linux on a laptop, I'm doing via Vmware's bridge. It shouldn't be like this.)
Re:patched already (Score:5, Insightful)
(http://translate.goo...%7Ces&u=slashdot.org)
Re:patched already (Score:4, Informative)
The module in question is found here [madwifi.org]. (slow to load)
Re:patched already (Score:5, Informative)
Or rather, a small open-source Linux compatibility shim around the actual, binary only driver.
Look further into that link you pasted:
http://madwifi.org/browser/trunk/hal/public [madwifi.org]
Those
> The module in question is found here. (slow to load)
Ah, so the flaw is in the open source shim part. Fooey. =/
As an aside, and as I suspect you might already know, there is an effort to replace the binary-only part of that driver with Free software, and the Madwifi people have cooperated as much as they're able. They even host the development in their own repository:
http://madwifi.org/browser/branches/madwifi-old-o
Cheers!
Re:Freedom matters. (Score:4, Funny)
(http://members.cox.net/bungi/)
What part of "the flaw was in the open portion of the driver" did you manage to miss?
Re:Mod parent down (Score:4, Insightful)
In this case, the vulnerability is in a 3rd party driver and not in the kernel itself. Nevertheless the not-so-techie reader just reads "Linux vulnerability".
Btw. Dont forget that the public is used to hear about Windows vulnerabilities, they dont notice them anymore.
There's more to the world than Microsoft. (Score:5, Insightful)
What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
Great.. I guess I'd rather have the Linux World where there aren't any serious problems to begin with. The larger picture here is that computer security kinda sucks, not that Microsoft is better/worse at it than Linux is.
I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore
Huh. I've had very good luck recently with Ubuntu. The built in wifi in my laptop worked out of the box with Ubuntu, and two other cards I own worked as well.
It hasn't always been like this of course. A couple years ago WiFi support was extremely lacking.
Re:There's more to the world than Microsoft. (Score:5, Insightful)
1. It just isn't possible to make software ultra-secure and free of vulnerabilities. I.e. you cannot expect *any* piece to be 100% secure, ever.
2. It is possible, but the costs of making software ultra-secure is so high that it's not worth it. Customers would rather pay a lower price for a slightly less secure system than a much larger price for a 100% secure system.
Re:There's more to the world than Microsoft. (Score:5, Insightful)
(http://plan99.net/~mike/)
3. C/C++ make it really easy to screw up.
Re:There's more to the world than Microsoft. (Score:5, Interesting)
(http://theravensnest.org/ | Last Journal: Sunday October 07, @07:05AM)
The good news is that the rise of virtualisation means that IOMMUs are going to become a lot more common in the next few years.
Re:There's more to the world than Microsoft. (Score:4, Informative)
(http://www.annexia.org/)
What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.
You're right. Unfortunately with the current design of PC hardware it's difficult to provide protection from poorly written drivers. For example, it's very common for drivers to be able to (a) initiate DMA transfers to/from any part of physical memory, and (b) lock the PCI bus by messing with the bus arbitration. You can do things like having an exokernel [wikipedia.org] -- small trusted multiplexers go in the kernel and the larger parts of your drivers sit (untrusted) in userspace, but performance generally sucks. Some hardware (eg. graphics cards) makes it hard even to do this.
Luckily virtualisation is driving better solutions, and they're coming to a PC near you soon (in fact, they've already come to the PCs I'm using daily, but those are test articles). Primarily with virtualisation we want to be able to hand off devices to untrusted guest operating systems. For example give each guest its own physical network card. That won't work too well if guests can stomp on each others memory using DMA transfers. The new hardware actually has hardware support to stop the guests doing bad things.
Look at Intel's VT-d [intel.com] for example.
Rich.
Re:patched already (Score:4, Insightful)
Wireless works out-of-the-box (or soon after) - with a recent distribution of Linux - on most laptops these days.
Patched! (Score:2)
Fixed! (Score:5, Insightful)
You are overlooking the way that most Joe Linux users get their updates - automatically. When security flaws are found and patches are delivered, you can guarantee that the people who package that software at Redhat, Ubuntu, Debian and other major distributions are aware of the update. Those security patches will be tested and rolled out into the main update repositories, probably within 24 hours to all the mirrors worldwide. The automatic update daemon on Joe User's modern Linux distro will be downloading the update within the next 24 hours or sooner. From security patch being announced to patched home computer in 48 hours in the worst-case scenario.
One of the nicest things about the distro's automatic updates is that this applies to ALL packages in the distro. I don't need to worry about Apache needing it's own updater. So no - the average Joe running Linux does not suffer - he gets informed about the update or even has it applied without manual intervention depending on the settings. Joe benefits and so does the community who recognise that fixing security flaws promptly is key.
Cheers,
Toby Haynes
Re:Fixed! -not! (Score:5, Interesting)
(http://molvray.com/acid-test/)
It gets worse. I don't even know if I'm running a madwifi driver or not. I looked at the running processes, but there's nothing obvious there. I don't know if madwifi is called something else in the process list. I do know I have a Atheros chip.
The point I'm trying to make is more than just displaying ignorance. The point is that it may be hard for those of you who are close to the subject to realize just how opaque it is to those of us who aren't. If you're in the know, share their knowledge. It's kind of frustrating, from my perspective, to hear, "It's all automatic, and if it's not, you're just too hopeless to deal with."
(All that said, you're quite right that when updates are applied automatically and effectively, both the clueless and the clued benefit. That's why I'm getting my next system with Ubuntu on it!)
Re:Fixed! -not! (Score:5, Informative)
(http://www.kaptain.us/)
You won't be getting any updates for FC3 since the Fedora Project has dropped support for that. If you like the Fedora distribution you can go with FC6 or wait for May 24 when FC7 is due to be released. Otherwise, Ubuntu is a fine distribution.
Try this:
Any clue on the extent? (Score:2)
I'm lucky my laptop has a switch on the side, when switched OFF wireless networking seems to be disabled. It seems to be a hardware disconnect for the antenna.
thisispurefud? (Score:1, Redundant)
PC World Article?! (Score:2, Troll)
(http://hackish.org/)
madwifi links. (Score:5, Informative)
(http://yro.slashdot.org/~twitter/journal/177855 | Last Journal: Sunday November 04, @10:56PM)
The madwifi howto is here [madwifi.org]. It seems that you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module. My simple Etch system does not have this or wlanconfig tools by default, though those tools look very nice and I'm sure this little problem will be fixed quickly.
I have to agree with you about the uselessness of the PC World article. Besides not having any useful information, it's filled with FUD about free software wifi and confused "popularity argument" babble. In short it's more of a, "everyone else has these problems too, so Windoze away," pacifier than it is a news article.
Linux Wi-Fi? What Linux Wi-Fi? (Score:1, Funny)
In other news.. (Score:2, Insightful)
(http://www.ckwop.me.uk/)
It doesn't matter which operating system you use - they all contains buffer overflows. In a way, the consumer is to blame for this. BSD has been whiling with little to no market-share despite the fact it's free. Nobody it seems wants software that's secure out of the box and stays secure.
People want features and features are the enemy of security. So the status-quo continues even though we've known how to fix these issues for forty years.
Simon
Re:In other news.. (Score:5, Informative)
(http://www.mindchild.net/ | Last Journal: Tuesday November 29 2005, @10:16AM)
Actually, this kind of crap goes away when you stop using NULL terminated strings and put in size checks.
Re:In other news.. (Score:4, Insightful)
Or perhaps you prefer Java, and think that running your code in a VM is a silver bullet. Think again. If you want that code to actually do anything, you're going to have to give it access to the outside world. Your web app can still let people do things they shouldn't. Security is not just about buffer overflows and SQL injection; it's about anything that could let someone get access they shouldn't have. Which can happen from plain old bad logic.
Admittedly, it is easy to make mistakes with C. But C is pretty much the only thing to write a kernel in. In a device driver, you have to mess around with real memory, and real IO, and that sort of thing. More importantly, C is old enough so that its common security mistakes are already known. You'd have a much harder time with some random language.
Basically, a "secure" language is not one that prevents you from doing things you shouldn't. What you want is a language that makes it easier to write secure code than to write insecure code.
Re:In other news.. (Score:4, Insightful)
It's a much more complex problem than simply using 'safe' functions. People don't always put the correct size into the size field, and there are entire classes of exploits, e.g. format string vulnerabilities [wikipedia.org], that don't use the traditional buffer overflow mechanism at all.
I've heard that the BSD folks have a saying that a bug is just an attack nobody has the intelligence to turn into an exploit yet. I take it you've never written code that crashes?
Complex Hack (Score:5, Funny)
Once again, Linux is safe from such a common attack because only seven people have successfully set up WPA. If this had been a Windows flaw, where every machine natively understands WPA and no work at the command prompt is needed, this would be disastrous.
This shows that Linux has been taking the right stand. By making the machine difficult to get running, it's unlikely that the machine will be able to connect to anything and become infected. Windows made the mistake of making the machine easy to use, allowing for simply network connection and ease of ownership (OWN3D).
Not Overly Complex Hack (Score:4, Interesting)
Tag.. (Score:5, Funny)
Flaw? Patched? Microsoft? Linux? (Score:1)
I find it pretty interesting that security advisories over the last several months have been on primarily non-MS platforms. Mac, Linux, Solaris, etc. have had many more security advisories than MS Windows has had to endure, and Microsoft, while certainly not leading that pack for response time, also isn't dead last. I invite you all to check This site [packetstormsecurity.org] which is April's list of security advisories. I remember seeing a review on security a short time ago dealing with response time from various OS Vendors, and while MS wasn't leading the pack in anything, they weren't dead last in anything either.
I personally think Linux has a lot of potential, and is a pretty decent OS. But it's not ready for primetime just because of the average user. Windows has a tough enough time with security because of the user (let's face it, 90% of problems are the user's fault). Sure, exploits exist, but you have to DO something. Users don't download patches. Users click on anything with an OK box. Same applies here. How many "users" running Linux are even going to know about this vulnerability, let alone patch it. Ok, if they've auto-updates on, perhaps they will fetch it in their next batch? In which case, good, and kudos to the distro for making that part painless for the user.
I've always wondered about Linux's wifi security, but that was primarily because of having to wrap up the driver of most wifi cards. Just seemed to me like a door just begging to be broken down. Apparently I wasn't the only one.
First reported December 2006 (Score:5, Informative)
I am a bit confused... (Score:5, Informative)
(http://www.linicks.net/)
http://madwifi.org/changeset/1842 [madwifi.org]
Fixed Dec 15th on my box (Score:5, Informative)
(http://photo.net/photos/swillden | Last Journal: Wednesday July 19 2006, @01:42PM)
It looks that way to me.
Unless this is a different vulnerability, Debian applied the fix [debian.org] over four months ago, two days after the patch was available, and eight days after the vulnerability was first reported [grok.org.uk]
I saw the article and immediately started aptitude to get the fix, only to discover that I already got it, two weeks before Christmas. Nice.
Re:Fixed Dec 15th on my box (Score:5, Funny)
(http://slashdot.org/)
Madwifi? (Score:2)
Oh, madwifi. Surprise! Closed source still sucks! (Score:1, Insightful)
(http://localhost/)
This bug is in the "madwifi" atheros driver, which is:
- dependent on a closed-source kernel module
- not in the upstream kernel
- not included by default in most distributions (e.g. Fedora/RHEL, SuSE, Debian).
It *is* in Ubuntu, but has been fixed in Edgy [ubuntu.com] since February 1.So here's what the headline should have been:
Closed-Source Drivers Harder To Maintain, Less Secure
Re:Oh, madwifi. Surprise! Closed source still suck (Score:4, Informative)
Article Tagging: "haha"???? (Score:3, Interesting)
Not very helpful FA.... (Score:2, Insightful)
I patch and update regularly, so I just wasted some time double checking on a flaw that had been fixed on my system a long time ago.
Security hole (Score:1)
Here's an idea: (Score:3, Interesting)
Then, you dont need specific 'drivers' for wifi hardware (you just need to support ethernet)
Ridiculous! (Score:1, Redundant)
(http://www.pobox.com/~ylee/)
Apply the same consideration (Score:3, Interesting)
(http://www.superficial.net/)
Vulnerabilities, particularly serious ones, are never good news. At the very least it would cost businesses who have deployed Linux engineer time in fixing (applying patch(es)) the problem, it generates uncertainty in the market - it creates the potential for business managers who just scan the IT news pages to say "didn't Linux have that serious problem not long ago?". This much is true of any OS, particularly one that businesses need to rely on.
I'm a firm believer in open-source, and I use both Windows and Linux in equal measure both at work and at home. I don't however believe fundamentally that the fact Windows and IE are closed-source automatically make them "poorly written". As has already been remarked a lot of this comes down to usage statistics... with a 90%+ market share you can guarantee that every hacker out there is trying to find fault in every single DLL that Windows ships with. As Linux gains more traction in the desktop & server markets as time goes on you can be sure that there will be most vulnerabilities like this being found. Programmers make mistakes, and there is no such thing as bug-free software.
I really wish Slashdot could dispense with the hidden agendas, partisan attitudes and blatent fanboyism and not sweep serious vulnerabilities like this under the carpet as if they aren't a big deal. Dimissing them as trivial is - if anything - more damaging than giving them the proper attention.
What!? (Score:5, Funny)
Okay, easy...just saying this is one area that's always been behind in Linux.
Re:What!? (Score:4, Insightful)
(http://reallydodgy.org/ | Last Journal: Thursday January 05 2006, @03:54AM)
FUD Template (Score:2, Insightful)
I use [linuxdistro] and am a firm believer in open source software, but we just can't pretend that [securityflawfixedmonthsago] isn't a big deal. Your average Joe user isn't able to install a patch and this just proves that Linux is not ready for the desktop.
hahaha (Score:1)
(http://www.ic-solutions.com.au/)
madwifi 0.9.2.1 Remote Kernel Overflow Exploit (Score:1)
(Last Journal: Thursday April 05 2007, @08:55AM)