fish/immortalwrt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
An opensource OpenWrt variant for mainland China users.
9,918 Commits 6 Branches 17 Tags 782 MiB
C 61.6%
Makefile 19.3%
Shell 6.9%
Roff 6.7%
Perl 2.5%
Other 2.8%
44ffec16ef
Go to file
Felix Fietkau 44ffec16ef
mac80211: backport upstream fixes for FragAttacks 
From the patch series description:

Several security issues in the 802.11 implementations were found by
Mathy Vanhoef (New York University Abu Dhabi), who has published all
the details at

	https://papers.mathyvanhoef.com/usenix2021.pdf

Specifically, the following CVEs were assigned:

 * CVE-2020-24586 - Fragmentation cache not cleared on reconnection
 * CVE-2020-24587 - Reassembling fragments encrypted under different
                    keys
 * CVE-2020-24588 - Accepting non-SPP A-MSDU frames, which leads to
                    payload being parsed as an L2 frame under an
                    A-MSDU bit toggling attack
 * CVE-2020-26139 - Forwarding EAPOL from unauthenticated sender
 * CVE-2020-26140 - Accepting plaintext data frames in protected
                    networks
 * CVE-2020-26141 - Not verifying TKIP MIC of fragmented frames
 * CVE-2020-26142 - Processing fragmented frames as full frames
 * CVE-2020-26143 - Accepting fragmented plaintext frames in
                    protected networks
 * CVE-2020-26144 - Always accepting unencrypted A-MSDU frames that
                    start with RFC1042 header with EAPOL ethertype
 * CVE-2020-26145 - Accepting plaintext broadcast fragments as full
                    frames
 * CVE-2020-26146 - Reassembling encrypted fragments with non-consecutive
                    packet numbers
 * CVE-2020-26147 - Reassembling mixed encrypted/plaintext fragments

In general, the scope of these attacks is that they may allow an
attacker to
 * inject L2 frames that they can more or less control (depending on the
   vulnerability and attack method) into an otherwise protected network;
 * exfiltrate (some) network data under certain conditions, this is
   specific to the fragmentation issues.

A subset of these issues is known to apply to the Linux IEEE 802.11
implementation (mac80211). Where it is affected, the attached patches
fix the issues, even if not all of them reference the exact CVE IDs.

In addition, driver and/or firmware updates may be necessary, as well
as potentially more fixes to mac80211, depending on how drivers are
using it.

Specifically, for Intel devices, firmware needs to be updated to the
most recently released versions (which was done without any reference
to the security issues) to address some of the vulnerabilities.

To have a single set of patches, I'm also including patches for the
ath10k and ath11k drivers here.

We currently don't have information about how other drivers are, if
at all, affected.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2021-05-13 22:52:29 +08:00
config treewide: fix spelling 'seperate' -> 'separate' 2021-03-02 22:26:41 +08:00
include kernel: bump 5.10 to 5.10.35 2021-05-12 04:09:19 +08:00
LICENSES LICENSE: sync with upstream 2021-02-16 14:19:09 +08:00
package mac80211: backport upstream fixes for FragAttacks 2021-05-13 22:52:29 +08:00
scripts scripts/download.pl: correct mirrors path for current branch 2021-04-21 14:21:21 +08:00
target generic: platform/mikrotik: release mtd device after use 2021-05-12 23:13:09 +08:00
toolchain Merge Mainline 2021-05-03 17:20:04 +08:00
tools firmware-utils: zytrx: Add util for ZyXEL specific header 2021-05-09 20:53:39 +08:00
.gitattributes fix permisson 2019-08-16 15:09:42 +08:00
.gitignore build: improve ccache support 2021-01-02 12:08:17 +08:00
BSDmakefile build: use SPDX license tags 2021-02-06 12:07:10 +08:00
Config.in build: use SPDX license tags 2021-02-06 12:07:10 +08:00
CONTRIBUTED.md Merge Mainline 2021-04-17 00:17:46 +08:00
COPYING LICENSE: sync with upstream 2021-02-16 14:19:09 +08:00
feeds.conf.default Project ImmortalWrt: update feed urls 2021-02-06 16:53:05 +08:00
Makefile Revert "build: replace which with Bash command built-in" 2021-03-04 12:10:58 +08:00
README.md Merge Mainline 2021-02-16 14:50:17 +08:00
rules.mk build: make sure asm gets built with -DPIC 2021-03-25 23:38:37 +08:00

README.md

PROJECT IMMORTALWRT

The Core Source Code of ImmortalWrt

Welcome to our Telegram Group: @ctcgfw_openwrt_discuss.

How to make it

Minimum requirements

Linux with case sensitive
2G DDR2 RAM
2 CPU Cores (AMD64, 1.4Ghz)
25G disk space left
Has access to both ChinaNet & Internet

Install the necessary packages (for Ubuntu user)

sudo apt-get update -y
sudo apt-get full-upgrade -y
sudo apt-get install -y build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc1 libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib g++-multilib p7zip p7zip-full msmtp libssl-dev texinfo libreadline-dev libglib2.0-dev xmlto qemu-utils upx libelf-dev autoconf automake libtool autopoint ccache curl wget vim nano python python3 python-pip python3-pip python-ply python3-ply haveged lrzsz device-tree-compiler scons antlr3 gperf intltool rsync

For mainland China & Ubuntu(16.04+) user, you may run the following command to setup quickly:

sudo bash -c "bash <(curl -s https://build-scripts.project-openwrt.eu.org/init_build_environment.sh)"

Clone the source

git clone -b openwrt-18.06-k5.4 --single-branch https://github.com/immortalwrt/immortalwrt && cd immortalwrt
./scripts/feeds update -a && ./scripts/feeds install -a

Configure your firmware

make menuconfig

Make it

make -j$(nproc) V=s

Tips

You'd better not use root to make it, or you may be not able to use.
Default login address: 192.168.1.1, username is root and password is password.

Contributed

See CONTRIBUTED.md.

License

GNU General Public License v3.0.