Create WPA2 adhoc is Open, not encrypted

Bug #905748 reported by Philipp Gassmann
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Incomplete | Medium | Unassigned |
network-manager (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre |
network-manager-applet (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre |

Bug Description

When I create a new network with networkmanager, select wpa2 personal and enter a password, the network that gets created is actually Open. In the connection information on Ubuntu, the network is shown as WPA2 secured, but I can connect with other devices without entering any key. The network is discovered on windows and on Android (CM7) as OPEN!

Using ubuntu 11.10, network-manager 0.9.1.90-0ubuntu5.1

I couldn't find any reference to this behaviour on the net or in the bug tracker.
bug 322902 seems similar

Note: With standard Android, it's not possible to connect to an adhoc wifi. With cyanogenmod or other mods it's possible.

Philipp Gassmann (phiphi.g) wrote :
visibility: private → public
Philipp Gassmann (phiphi.g) wrote :
description: updated
Philipp Gassmann (phiphi.g) wrote :

Can anyone reproduce this bad behaviour?

Tyler Hicks (tyhicks) wrote :

I've confirmed this in oneiric (0.9.1.90-0ubuntu6) and precise (0.9.1.90-0ubuntu7).

I glanced at the network-manager-applet code and believe that wpa-none should be supported for ad-hoc networks. I don't see any obvious fixes in the upstream git repo, nor any related upstream bugs. However, I did find this interesting comment in the bug tracker: https://bugzilla.gnome.org/show_bug.cgi?id=654772#c1

Changed in network-manager (Ubuntu):
status: New → Confirmed
Mathieu Trudel-Lapierre (cyphermox) wrote :

Indeed, it's borked. This should be set to High considering it's a security vulnerability; perhaps I'd just go ahead and grey out WPA from the list if that makes a bit more sense and avoids getting people to think their ad-hoc is secure when it's not.

Changed in network-manager (Ubuntu):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

Yes, please do. Either we fix it to properly set up WPA, or we remove WPA from the list, but having it display WPA and actually set up unencrypted is evil.

Mathieu Trudel-Lapierre (cyphermox) wrote :

This isn't quite done yet because making IBSS/RSN (adhoc with wpa2) the default instead of WPA with TKIP (as wpa-none) turns out to be a little more difficult to implement and test than initially expected. So; I'm still working on this.

Changed in network-manager (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Mathieu Trudel-Lapierre (cyphermox) wrote :

Even IBSS/RSN seems to either appear as not secured, or fails to be connected to with a quick test using my android phone; we'll explicitly disable WPA when creating ad-hoc networks instead.

Mathieu Trudel-Lapierre (cyphermox) wrote :

This issue is reproducible even without NM, using wpasupplicant directly to create an adhoc network, and is definitely true on iwlwifi and rt2800pci; so it deserves to be looked at at the kernel level.

FWIW, I thought I had seen it work properly on ath9k, I'll test again tomorrow to be certain.

In any case, I'm strongly considering blocking the creation of WPA/WPA2 personal networks in NM as a stop-gap measure to avoid people creating insecure ad-hoc networks until that's really fixed in the drivers.

Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 905748

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Philipp Gassmann (phiphi.g) wrote :

@mathieu-tl can you rely on your quick test connecting with android? Android doesn't support Adhoc per default. With the App Wifi-Analyzer you can see some details.

When I create an AdHoc and select WPA, it's now recognised as WPA. WPA2 would be better, I guess. But before it was open.

Why is it so difficult? It did work in earlier releases (ubuntu 11.04 or before, not sure)

Marc Deslauriers (mdeslaur) wrote :

I can reproduce this using a laptop with iwl4965, and a Nexus One.

In Wifi-Analyzer, it is displaying as being "WPA" with a lock icon, but when I go into the wireless settings, it says "Open". I can definitely connect without a password, and can access the Internet through the adhoc network.

I agree that we should disable WPA adhoc networks in network-manager until this is resolved in all kernel drivers.

Marc Deslauriers (mdeslaur) wrote :

I installed Ubuntu 11.04 on the same laptop. Creating an adhoc shared network shows "Open" in Wifi-Analyzer, and "Open" in the wireless settings. (Although trying to connect fails to get an IP address).

Mathieu Trudel-Lapierre (cyphermox) wrote :

Philipp; yes, we can rely on that test because Android does support ad-hoc for WPA. WPA2 is another story ;)

Mathieu Trudel-Lapierre (cyphermox) wrote :

We've been able to reproduce it on multiple drivers: iwlwifi, rt2800pci, ath9k and iwl4965. I think we can safely say it's reproducible on most drivers, and thus probably something that needs to be fixed in kernel code outside of drivers' code.

Philipp; you may still want to run 'apport-collect 905748' to add extra information to the bug report which will make things easier to debug; as was suggested by Brad.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Mathieu Trudel-Lapierre (cyphermox) wrote :

Joseph, please define what additional information is needed. As per above, in Brad's automated comment:

"If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.". I think we've satisfied this with comment #15.... Setting back to Confirmed.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Mathieu Trudel-Lapierre (cyphermox) wrote : apport information

tags: added: apport-collected precise staging
Mathieu Trudel-Lapierre (cyphermox) wrote :

Running wpasupplicant on the command line with debugging logs enabled shows that it does think it's enabling WPA, even if that doesn't seem to get done at the kernel level.

Mathieu Trudel-Lapierre (cyphermox) wrote :

The above was tested with the simplest form for enabling IBSS/WPA, inspired from the default wpa_supplicant.conf shipped configuration, from the upstream tarballs:

mtrudel@gaea ~/Documents % cat wpa-adhoc.conf
ap_scan=2
network={
        ssid="test adhoc"
        mode=1
        frequency=2412
        proto=WPA
        key_mgmt=WPA-NONE
        pairwise=NONE
        group=TKIP
        psk="passphrase"
}

Attached is a screenshot of what it looks like on my Android device.

Mathieu Trudel-Lapierre (cyphermox) wrote :

And the same on a different system, with ath9k (with the "host" using iwlwifi):

BSS 4e:75:8f:95:91:12 (on wlan0)
 TSF: 191896339578 usec (2d, 05:18:16)
 freq: 2412
 beacon interval: 100
 capability: IBSS Privacy (0x0012)
 signal: -55.00 dBm
 last seen: 288 ms ago
 SSID: adhoc
 Supported rates: 1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0
 DS Parameter set: channel 1
 ERP: <no flags>
 Extended supported rates: 6.0 9.0 12.0 48.0
 WPA: * Version: 1
   * Group cipher: TKIP
   * Pairwise ciphers: Use group cipher suite
   * Authentication suites: 00-50-f2:0
   * Capabilities: 16-PTKSA-RC (0x000c)

However, NM happily connects to the network without the host blocking the connection; with an invalid passphrase. (I used "12345678" entered on the "client"). See attached.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Using static IP addresses to configure both, they are mutually reachable which proves they are associating to the same BSSID.

Brad Figg (brad-figg) wrote : Test with newer development kernel (3.2.0-18.29)

Thank you for taking the time to file a bug report on this issue.

However, given the number of bugs that the Kernel Team receives during any development cycle it is impossible for us to review them all. Therefore, we occasionally resort to using automated bots to request further testing. This is such a request.

We have noted that there is a newer version of the development kernel than the one you last tested when this issue was found. Please test again with the newer kernel and indicate in the bug if this issue still exists or not.

You can update to the latest development kernel by simply running the following commands in a terminal window:

    sudo apt-get update
    sudo apt-get upgrade

If the bug still exists, change the bug status from Incomplete to Confirmed. If the bug no longer exists, change the bug status from Incomplete to Fix Released.

If you want this bot to quit automatically requesting kernel tests, add a tag named: bot-stop-nagging.

Thank you for your help, we really do appreciate it.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
tags: added: kernel-request-3.2.0-18.29
tags: added: bot-stop-nagging
Philipp Gassmann (phiphi.g) wrote :

@mathieu-tl Stock Android does not support ad hoc wlan. See here http://code.google.com/p/android/issues/detail?id=82 (Second most stars of all issues there)

There are some custom roms like Cyanogenmod7 that support ad-hoc. And there are ways to replace wpa_supplicant manually with a version that supports ad hoc.

I will try to test it with an ISO of an earlier release of Ubuntu and save some information.

Mathieu Trudel-Lapierre (cyphermox) wrote :

As a note to myself or developers who might be working on the issue:

nl80211: Join IBSS request sent successfully
wpa_driver_nl80211_set_key: ifindex=3 alg=2 addr=0x495e2c key_idx=0 set_tx=1 seq_len=6 key_len=32
nl80211: set_key failed; err=-67 Link has been severed)
Cancelling authentication timeout
State: ASSOCIATING -> COMPLETED

I don't know if it's relevant to the security being broken, but just in case it's worth re-testing with wext, and seeing if it reacts the same way.

Mathieu Trudel-Lapierre (cyphermox) wrote :

wext fails in a similar way:

wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
netlink: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
wpa_driver_wext_set_drop_unencrypted
ioctl[SIOCSIWGENIE]: Operation not supported
wpa_driver_wext_set_psk
Association request to the driver failed
wpa_driver_wext_set_key: alg=2 key_idx=0 set_tx=1 seq_len=6 key_len=32
Cancelling authentication timeout
State: ASSOCIATING -> COMPLETED

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
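
Added example, not part of the original bug thread and not wpa_supplicant or NetworkManager code: both debug logs quoted above show a driver-level failure followed by "State: ASSOCIATING -> COMPLETED". The Python below flags that pattern in wpa_supplicant debug output. The name find_fail_open is hypothetical, and CLEAN_LOG is constructed (the nl80211 log with its failure line removed).

```python
import re

# Driver-level failures that appear in the two debug logs quoted in the thread.
FAILURE_PATTERNS = [
    re.compile(r"set_key failed; err=-?\d+"),              # nl80211 backend
    re.compile(r"ioctl\[SIOC\w+\]: .+"),                   # wext backend
    re.compile(r"Association request to the driver failed"),
]
KEY_REQUEST_RE = re.compile(r"_set_key: .*\bkey_len=(\d+)")
STATE_RE = re.compile(r"State: (\w+) -> (\w+)")

# Log excerpts copied from the comments above.
NL80211_LOG = """\
nl80211: Join IBSS request sent successfully
wpa_driver_nl80211_set_key: ifindex=3 alg=2 addr=0x495e2c key_idx=0 set_tx=1 seq_len=6 key_len=32
nl80211: set_key failed; err=-67 Link has been severed)
Cancelling authentication timeout
State: ASSOCIATING -> COMPLETED
"""
WEXT_LOG = """\
wpa_driver_wext_associate
wpa_driver_wext_set_drop_unencrypted
ioctl[SIOCSIWGENIE]: Operation not supported
wpa_driver_wext_set_psk
Association request to the driver failed
wpa_driver_wext_set_key: alg=2 key_idx=0 set_tx=1 seq_len=6 key_len=32
Cancelling authentication timeout
State: ASSOCIATING -> COMPLETED
"""
# Constructed sample: the nl80211 excerpt without the failure line.
CLEAN_LOG = "\n".join(l for l in NL80211_LOG.splitlines() if "failed" not in l)


def find_fail_open(log_text):
    """Report each transition to COMPLETED that was preceded by driver failures.

    Failures are collected per connection attempt; an attempt ends at the
    next transition to COMPLETED or DISCONNECTED.
    """
    findings, failures, key_requested = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_REQUEST_RE.search(line)
        if key and int(key.group(1)) > 0:
            key_requested = True          # supplicant asked the driver for a key
        if any(p.search(line) for p in FAILURE_PATTERNS):
            failures.append(line)
        state = STATE_RE.search(line)
        if not state:
            continue
        new_state = state.group(2)
        if new_state == "COMPLETED" and failures:
            findings.append({
                "transition": state.group(0),
                "key_requested": key_requested,
                "failures": failures,
            })
        if new_state in ("COMPLETED", "DISCONNECTED"):
            failures, key_requested = [], False
    return findings


if __name__ == "__main__":
    for name, log in (("nl80211", NL80211_LOG), ("wext", WEXT_LOG), ("clean", CLEAN_LOG)):
        for f in find_fail_open(log):
            print(f"{name}: {f['transition']} after {len(f['failures'])} driver failure(s)")
            for failure in f["failures"]:
                print(f"    {failure}")
```

A finding means the supplicant reported the link as up even though the driver rejected part of the security setup, so the network should be treated as unencrypted until checked from a second device.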
Philipp Gassmann (phiphi.g) wrote :

I checked the behaviour of previous releases with LiveCDs.
On 11.04 creating a WPA WLAN leads to an open network.
On 10.10 I saw a WEP secured net (in Wifi Analyzer, Android) but the connection information in Ubuntu said WPA.

I think it's the behaviour of Ubuntu 10.10 which led me to think it worked in a previous release, because I was asked for a password, but I wasn't aware that it wasn't WPA but WEP. I'm sorry for the confusion.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Adding the nm-applet task because we'll be adding code in both NM and nm-applet to work around this.

FWIW; it's indeed been broken for a while: http://thread.gmane.org/gmane.linux.kernel.wireless.general/87543/focus=87554

Changed in network-manager-applet (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.4.0-0ubuntu1

---------------
network-manager (0.9.4.0-0ubuntu1) precise; urgency=low

  * New upstream release 0.9.4.0: (LP: #960494)
    - settings: quiet warning when checking for AdHoc WPA connections
    - core: suppress useless log message when route already exists (LP: #958519)
    - TODO: remove bridging/bonding and InfiniBand
    - core: do a better job of applying bond configuration
    - libnm-util: improve NMSettingBond:verify()
    - libnm-util: fix an NMSettingBond bug
    - core: fix NMDeviceBond:dispose() to chain up
    - wifi: work around more wl.o stupidity
    - ip6: fix setting default route with libnl3 (bgo #668286)
    - firewall: set interface zone before IP configuration (rh #805405)
    - libnm-glib: ensure bindings-created objects work as expected (rh #802536)
    - mobile: ensure IPv4 timeout fails activation
    - utils: override VPN plugin's never-default when ignoring auto routes
    - wifi: make sure we're connected to netlink before using it
    - libnm-glib: add 'registered' property for NMSecretAgent
    - keyfile: fix testcases after InfiniBand transport-mode default change
    - wifi: disable Ad-Hoc WPA connections (LP: #905748)
    - infiniband: fix missing sentinel
    - Add a workaround for a problem creating InfiniBand connections
    - core: treat missing IPv6 setting as AUTO
    - libnm-glib: add errors to nm_device_connection_compatible() and device
      classes
    - vpn: add a new field so VPN plugins can specify multiple domains
    - dnsmasq: allow proxying dnssec data (upstreamed Ubuntu patch)
    - gsm: pass the PPP auth preferences for STATIC and DHCP device use
    - core: allow IPv4 to fail by default
  * debian/control: add Pre-Depends as required for maintscript.
  * debian/control: bump debhelper Build-Depends to (>= 8.1.0~).
  * debian/control: bump Standards-Version to 3.9.3.
  * debian/copyright: update copyright and migrate to format 1.0; thanks to
    Michael Biebl for the work. (LP: #907294)
  * debian/patches/nm-change-dnsmasq-parameters.diff: refreshed.
  * debian/patches/dnsmasq-dnssec-passthrough.patch: dropped, applied upstream.
  * debian/patches/nl3-default-ip6-route.patch: dropped, applied upstream.
  * debian/libnm-glib4.symbols: add new symbols:
    + nm_device_connection_compatible@Base
    + nm_device_*_error_get_type@Base
    + nm_device_*_error_quark@Base
    + nm_secret_agent_get_registered@Base
  * debian/network-manager.postrm: cleanup timestamps and seen-bssids files on
    purge.
  * debian/network-manager.{pre,post}inst: clean up and remove old migration
    steps; we can reimplement just the ones we need in maintscript.
  * debian/network-manager.maintscript:
    - fix the migration of /etc/dbus-1/system.d/NetworkManager.conf to its new
      name /etc/dbus-1/system.d/org.freedesktop.NetworkManager.conf, so we do
      not have leftover files after upgrade.
    - reimplement the rename of nm-system-settings.conf to NetworkManager.conf
      in this format (Debian has already done so).
  * debian/patches/git_doc_fixups_54618a7.patch: fix building documentation to
    make sure the documentation pages aren'...


Changed in network-manager (Ubuntu):
status: In Progress → Fix Released
Mathieu Trudel-Lapierre (cyphermox) wrote :

Forgot to add the same bug tag to close the bug with the network-manager-applet, but it now also contains code to fix adhoc WPA. We can close this as Fix Released.

Changed in network-manager-applet (Ubuntu):
status: In Progress → Fix Released
Serhiy (xintx-ua) wrote :

Joseph, why have you changed the status to Incomplete? Should we report another bug about the kernel or what additional info do we need? Are there any upstream kernel bugs about this?

Marius B. Kotsbak (mariusko) wrote :

Seems like this currently is being worked on by the Fedora developers:

http://fedoraproject.org/wiki/Features/RealHotspot

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
penalvch (penalvch) wrote :

Philipp Gassmann, this bug was reported a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue? If so, could you please test for this with the latest development release of Ubuntu? ISO images are available from http://cdimage.ubuntu.com/daily-live/current/ .

If it remains an issue, could you please run the following command in the development release from a Terminal (Applications->Accessories->Terminal), as it will automatically gather and attach updated debug information to this report:

apport-collect -p linux <replace-with-bug-number>

Also, could you please test the latest upstream kernel available (not the daily folder) following https://wiki.ubuntu.com/KernelMainlineBuilds ? It will allow additional upstream developers to examine the issue. Once you've tested the upstream kernel, please comment on which kernel version specifically you tested. If this bug is fixed in the mainline kernel, please add the following tags:
kernel-fixed-upstream
kernel-fixed-upstream-VERSION-NUMBER

where VERSION-NUMBER is the version number of the kernel you tested. For example:
kernel-fixed-upstream-v3.13-rc3

This can be done by clicking on the yellow circle with a black pencil icon next to the word Tags located at the bottom of the bug description. As well, please remove the tag:
needs-upstream-testing

If the mainline kernel does not fix this bug, please add the following tags:
kernel-bug-exists-upstream
kernel-bug-exists-upstream-VERSION-NUMBER

As well, please remove the tag:
needs-upstream-testing

Once testing of the upstream kernel is complete, please mark this bug's Status as Confirmed. Please let us know your results. Thank you for your understanding.

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
tags: added: needs-bisect needs-upstream-testing regression-release
This report contains Public Security information  
Everyone can see this security related information.