Critical Security Hole in Linux Wi-Fi

thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."
  • Re:patched already (Score:3, Informative)

    by LinuxGeek ( 6139 ) * <djand.ncNO@SPAMgmail.com> on Sunday April 15, 2007 @11:41AM (#18741615)
    Wireless support was one of my main requirements when picking my newest laptop. Good support for Atheros cards and as we know, they get patched quickly when flaws are found.
  • Re:patched already (Score:2, Informative)

    by FauxPasIII ( 75900 ) on Sunday April 15, 2007 @11:44AM (#18741633)
    While I echo your congratulations on a good response to this bug, I should point out that the driver in question is MadWifi; it's mostly closed source.
  • by QuietLagoon ( 813062 ) on Sunday April 15, 2007 @11:51AM (#18741683)
    Here [mitre.org] is a reference to a more informative report.
  • Re:patched already (Score:4, Informative)

    by QuietLagoon ( 813062 ) on Sunday April 15, 2007 @11:58AM (#18741723)
    MadWiFi source code can be found here [madwifi.org].

    The module in question is found here [madwifi.org]. (slow to load)

  • by Skiron ( 735617 ) on Sunday April 15, 2007 @11:59AM (#18741731)
    ... this was fixed 4 months ago?

    http://madwifi.org/changeset/1842 [madwifi.org]
  • Re:patched already (Score:0, Informative)

    by Anonymous Coward on Sunday April 15, 2007 @12:00PM (#18741745)
    "I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them."

    Of course. That's what fanboys do!
  • Dunno? (Score:1, Informative)

    by Anonymous Coward on Sunday April 15, 2007 @12:25PM (#18741955)
    Just modprobe -r ath-pci (or rmmod ath-pci).
  • by Anonymous Coward on Sunday April 15, 2007 @12:28PM (#18741971)
    The bug was in the open source portion of the driver, the closed-source HAL merely locks the range of radio frequencies and transmit powers allowed.
  • Re:In other news.. (Score:3, Informative)

    by Glytch ( 4881 ) on Sunday April 15, 2007 @12:36PM (#18742037)
    Perhaps you're thinking of OpenBSD's Theo de Raadt? He's a confirmed git. Smart and dedicated, but definitely lacking interpersonal skills.
  • madwifi links. (Score:5, Informative)

    by Erris ( 531066 ) on Sunday April 15, 2007 @12:45PM (#18742095) Homepage Journal

    The madwifi howto is here [madwifi.org]. It seems that you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module. My simple Etch system does not have this or wlanconfig tools by default, though those tools look very nice and I'm sure this little problem will be fixed quickly.

    I have to agree with you about the uselessness of the PC World article. Besides not having any useful information, it's filled with FUD about free software wifi and confused "popularity argument" babble. In short it's more of a, "everyone else has these problems too, so Windoze away," pacifier than it is a news article.

  • by swillden ( 191260 ) * <shawn-ds@willden.org> on Sunday April 15, 2007 @12:57PM (#18742195) Journal

    ... this was fixed 4 months ago?

    It looks that way to me.

    Unless this is a different vulnerability, Debian applied the fix [debian.org] over four months ago, two days after the patch was available, and eight days after the vulnerability was first reported [grok.org.uk]

    I saw the article and immediately started aptitude to get the fix, only to discover that I already got it, two weeks before Christmas. Nice.

  • Re:In other news.. (Score:5, Informative)

    by TheRealMindChild ( 743925 ) on Sunday April 15, 2007 @12:57PM (#18742205) Homepage Journal
    they all contain buffer overflows

    Actually, this kind of crap goes away when you stop using NULL terminated strings and put in size checks.

    • Start using a BSTR or std::string or christ, even CString.
    • If you're going to use a char * as a string, stop using strcpy/strcat/sprintf/strfindthelawngnome and start using strncpy/strncat/snprintf/strfoundthelawngnome
    • If you have to pass a char * as a parameter of some function, also add a parameter that indicates the size of the memory (EX: 'bool IsStringSexy(char *mystring, ULONG mystringlen)')
    • Don't rely on a setting read from some arbitrary place (registry, file) being undeniably correct when laying out structures in memory [LOOKING AT YOU IE AND FIREFOX AND WORD AND EVERY OTHER APP THAT CRASHED DUE TO A MALFORMED DOCUMENT]
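    The advice in the comment above, worked through as an added example (not code from the thread or from any driver): every copy takes an explicit destination size, a length byte read from a constructed frame-like element is checked against the bytes actually present before it is used, and the two library pitfalls a practitioner hits when following this advice (strncpy not terminating, snprintf truncating silently unless its return value is checked) are handled. The helper names and the sample elements are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy a length-delimited field into a fixed, NUL-terminated buffer.
 * Both sizes are explicit parameters, as the comment above suggests.
 * Returns false and leaves dst empty when the field does not fit. */
bool copy_bounded(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    if (dst == NULL || dstlen == 0)
        return false;
    if (src == NULL || srclen >= dstlen) {    /* keep one byte for the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return true;
}

/* Parse one constructed {length byte, payload...} element the way a frame
 * parser would: the length byte is untrusted input, so it is checked against
 * the bytes actually available before anything is copied. */
bool parse_element(const unsigned char *buf, size_t avail, char *out, size_t outlen)
{
    if (buf == NULL || avail < 1)
        return false;
    size_t claimed = buf[0];
    if (claimed > avail - 1)                  /* length byte overstates payload */
        return false;
    return copy_bounded(out, outlen, (const char *)buf + 1, claimed);
}

/* strncpy does not NUL-terminate when src fills dst, so the terminator must be
 * written explicitly; snprintf always terminates and returns the length it
 * wanted, so a result >= dstlen is how truncation is detected. */
void copy_strncpy_terminated(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
}

bool format_bounded(char *dst, size_t dstlen, const char *name, unsigned channel)
{
    int n = snprintf(dst, dstlen, "%s/ch%u", name, channel);
    return n >= 0 && (size_t)n < dstlen;
}
```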
  • by xenocide2 ( 231786 ) on Sunday April 15, 2007 @12:58PM (#18742209) Homepage
    Actually, I had more trouble getting my wireless card to work in Windows XP than Ubuntu 5.10. Turns out not every wireless card supports Windows' wifi config tool, and mine was one of them. For some reason, nobody seems to tell hardware vendors that their Value-add software feels more like value subtract.

    Of course, I did have the foresight to ask my friends about what works on Linux, which I'm sure helped tremendously. However the laptop I bought didn't really let me choose a wifi card, and it still works with Ubuntu. Of course, Ubuntu takes a much more friendly stance on closed source drivers than Debian or Fedora, and that also helps a great deal. I'm pretty sure neither of my wifi devices work out of the box with Fedora (one more reason I didn't switch back to Fedora after trying out Ubuntu).
  • What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.

    You're right. Unfortunately with the current design of PC hardware it's difficult to provide protection from poorly written drivers. For example, it's very common for drivers to be able to (a) initiate DMA transfers to/from any part of physical memory, and (b) lock the PCI bus by messing with the bus arbitration. You can do things like having an exokernel [wikipedia.org] -- small trusted multiplexers go in the kernel and the larger parts of your drivers sit (untrusted) in userspace, but performance generally sucks. Some hardware (eg. graphics cards) makes it hard even to do this.

    Luckily virtualisation is driving better solutions, and they're coming to a PC near you soon (in fact, they've already come to the PCs I'm using daily, but those are test articles). Primarily with virtualisation we want to be able to hand off devices to untrusted guest operating systems. For example give each guest its own physical network card. That won't work too well if guests can stomp on each other's memory using DMA transfers. The new hardware actually has hardware support to stop the guests doing bad things.

    Look at Intel's VT-d [intel.com] for example.

    Rich.

  • Re:patched already (Score:5, Informative)

    by FauxPasIII ( 75900 ) on Sunday April 15, 2007 @01:17PM (#18742389)
    > MadWiFi source code can be found here.

    Or rather, a small open-source Linux compatibility shim around the actual, binary only driver.

    Look further into that link you pasted:

    http://madwifi.org/browser/trunk/hal/public [madwifi.org]

    Those .uu files are binary objects stored as text, and they make up the majority of the driver. This same binary driver is also used by some of the BSDs, with a different open-source shim.

    > The module in question is found here. (slow to load)

    Ah, so the flaw is in the open source shim part. Fooey. =/

    As an aside, and as I suspect you might already know, there is an effort to replace the binary-only part of that driver with Free software, and the Madwifi people have cooperated as much as they're able. They even host the development in their own repository:

    http://madwifi.org/browser/branches/madwifi-old-openhal [madwifi.org]

    Cheers!
  • Ummmm, no. (Score:3, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Sunday April 15, 2007 @01:57PM (#18742697)
    First off, I'm posting this from Ubuntu (Feisty Fawn).

    But it's not ready for primetime just because of the average user.

    Okay, what is it about the "average user" that makes Linux not ready for prime time?

    Windows has a tough enough time with security because of the user (let's face it, 90% of problems are the user's fault).

    Okay, now you're talking about Windows. And I'll disagree about 90% of Microsoft's security problems being the fault of the users. The default install of a system should be secure enough WITHOUT requiring the users to know how to secure it.

    Sure, exploits exist, but you have to DO something.

    And by "something" you mean "plug it into the Internet as it was advertised".

    Meanwhile, Ubuntu ships with NO open ports by DEFAULT. So I can plug it straight into the Internet in its default configuration.

    Users don't download patches. Users click on anything with an OK box. Same applies here.

    And with Ubuntu's default installation, that is not a problem.

    But it is a problem with Windows.

    But you say that that means that Linux is not ready for prime time.

    Users will always install vulnerable apps. You cannot compare two systems based upon what the admins of those systems can or cannot do with them. Instead, compare the default installations and how their security models are implemented.
  • Re:Fixed! -not! (Score:5, Informative)

    by LibertarianWackJob ( 881478 ) on Sunday April 15, 2007 @02:14PM (#18742831) Homepage
    Hi "Joe"
    You won't be getting any updates for FC3 since the Fedora Project has dropped support for that. If you like the Fedora distribution you can go with FC6 or wait for May 24 when FC7 is due to be released. Otherwise, Ubuntu is a fine distribution.

    Try this:

    su -

    crontab -e

    # cron for root
    # update system at 4AM daily
    # -y answers yum's confirmation prompt, which would otherwise stall an unattended job
    0 4 * * * /usr/bin/yum -y update
  • Re:patched already (Score:3, Informative)

    by markov_chain ( 202465 ) on Sunday April 15, 2007 @02:21PM (#18742883)
    The HAL is hardly the majority of the driver. The reasons for having the HAL are mostly regulatory, and they are not going away. We should be grateful that most of the Atheros cards don't have firmware, so the extent of the reverse engineering is the host-based HAL blob instead of some totally proprietary microcontroller architecture and RTOS. The bad news is, miniPCI is dying, and the industry is moving to USB modules, which unfortunately all use firmware-driven microcontrollers. Two examples I know are USB modules from Atheros (MIPS) and Marvell (Arm).
  • Which is not, a part of Linux, nor will it ever be while the driver relies on proprietary firmware.
  • The number of security advisories has very little bearing on OS's tho...
    An issue with madwifi is an issue which can affect linux, but is not a bug in linux per se (since it's not in the default kernel).
    It may be a bug with a particular distribution of linux, if that distribution were to include these drivers.

    Similarly, a bug in firefox or apache could also affect windows users if they chose to install it, but it won't be flagged as a windows bug because it's not present by default. Conversely, it will be flagged by most linux vendors as most linux distributions do include these programs.

    What needs to be considered is that:

    • There are many linux distributions, each of these will release their own advisory listing affected versions of their distro, so you may get 10 advisories for a single issue.
    • Most linux distributions come with thousands of apps, far more than come with windows or even than microsoft publish as a whole.

    Back to drivers, there are many many companies producing drivers for windows, many of which are questionable quality (most windows crashes are often blamed on poor drivers, how many of these crashes could be exploitable bugs?) so there are probably many many security holes to be found. The difference is that people aren't looking for holes in third party windows drivers, they would only affect people with certain types of hardware, and there is plenty of much lower hanging fruit to be found on the average windows system.
  • by strider44 ( 650833 ) on Sunday April 15, 2007 @06:03PM (#18744483)
    Yes that is the case. It wasn't presented publicly before now because the researcher was using "responsible disclosure", trying to make sure as many people are patched before it becomes general knowledge. That's why you only hear about many Microsoft flaws after they've been actually patched.
