DaemonForums  

Go Back   DaemonForums > DaemonForums.org > News

News News regarding BSD and related.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th May 2021
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,159
Default Tech industry quietly patches FragAttacks Wi-Fi flaws that leak data, weaken security

From https://www.theregister.com/2021/05/12/krack_hack_wifi/

Quote:
A dozen Wi-Fi design and implementation flaws make it possible for miscreants to steal transmitted data and bypass firewalls to attack devices on home networks, according to security researcher Mathy Vanhoef.

On Tuesday, Vanhoef, a postdoctoral researcher in computer security at New York University Abu Dhabi, released a paper titled, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" [PDF].

Scheduled to be presented later this year at the Usenix Security conference, the paper describes a set of wireless networking vulnerabilities, including three Wi-Fi design flaws and nine implementation flaws.

[snip]
In total, 75 devices – network card and operating system combinations (Windows, Linux, Android, macOS, and iOS) – were tested and all were affected by one or more of the attacks.

NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units).
See https://github.com/vanhoefm/fragattacks#readme for some Linux tools to check for these flaws.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #2   (View Single Post)  
Old 13th May 2021
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,020
Default

There was a great deal of online discussion about the 9-month-long embargo on these flaws. From what I gather, only the largest IT firms were able to obtain information during this period; all others were excluded from the opportunity.
Reply With Quote
  #3   (View Single Post)  
Old 23rd May 2021
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,159
Default

Quote:
Originally Posted by J65nko View Post
NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units).
.

Arstechnica.com's article when discussing one of the many security flaws states:

Quote:
Vanhoef said that it’s possible to perform the attack without user interaction when the target’s access point is vulnerable to CVE-2021-26139, one of the 12 vulnerabilities that make up the FragAttacks package. The security flaw stems from a kernel flaw in NetBSD 7.1 that causes Wi-Fi access points to forward Extensible Authentication Protocol (AP) over LAN frames to other devices even when the sender has not yet authenticated to the AP.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 23rd May 2021
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 632
Default

OpenBSD was vulnerable to at least one of vulnerabilities, see:
FragAttacks: Presentation at USENIX Security '21. Time 10:03
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
How security flaws work: the buffer overflow J65nko News 0 26th August 2015 06:09 AM
X.Org Security Flaws Affect Code Dating Back To 1987 J65nko News 2 10th December 2014 09:47 PM
Security PostgreSQL patches XML flaws J65nko News 0 17th August 2012 09:56 PM
Security Six security flaws fixed in OpenSSL J65nko News 0 6th January 2012 06:17 PM
Torvalds attacks IT industry 'security circus' roddierod Off-Topic 17 6th September 2008 02:03 PM


All times are GMT. The time now is 05:35 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick