Supernetworks macOS SMB Client Vulnerabilities

What to Know​

Supernetworks identified several vulnerabilities in macOS Sequoia’s SMB client code.
The worst of which can result in remote kernel code execution via an SMB URL delivered through any application that allows clickable URLs (e.g. messaging apps. Browsers, email client). This isn’t necessarily a one click attack, as a user may need to click through some UI elements to trigger the exploit. A privileged network position could also be used to carry out a man-in-the-middle attack against a user that typically uses SMB shares. It goes without saying that this also operates as a local privilege escalation from a non privileged user to kernel code execution.

SPR now supports dedicated Guest WiFi networks! This convenient feature provides internet access to visitors while maintaining separation from your primary network.

uBlock Origin is the best browser-based content blocker available on the web today. And it's user supported, free to use. Sadly today Google just pulled the plug on it by enforcing their new v3 manifest.

Users need to migrate or employ dns based content and ad blocking, which SPR can provide.

Pioneering WiFi Security​

Supernetwork's flagship project, SPR, is a pioneer in WiFi security and we've supported multi-pass WPA3 from the inception of the project in 2022.

To use newer protocols like WiFi 6-e and 7, users can not fall back to WPA2, which is excellent since WPA2 suffers from passive sniffing & password cracking attacks.

WPA3 provides a zero knowledge proof: there's no handshake to sniff and crack -- but the protocol is rigid and makes it hard to support multi-pass. So most products only do it for WPA2 sadly, meaning they can't operate on 6-e or 7. This leaves users making more bad security tradeoffs. SPR works to give people the best security choices by default but the user experience could still vastly improve.

A new project, DecoyAuth, by Mathy Vanhoef, seeks to do that just that and make WPA3 better support multipass.

The project was presented at PAKE25 and the slides are here.

How to Sleep Better When Your Bed is a Backdoor​

The folks at over at Truffle Security performed some excellent research on the Eight Sleep Internet connected bed "Removing Jeff Bezos From My Bed ◆ Truffle Security Co. . It will come as no surprise to anyone who follows IoT security that the bed has some serious security problems, most notably the ability for Eight Sleep's engineering team to be able to ssh in to the bed's on-board computer, via what appears to be a shared support account.

Anvil Secure recently published a post and whitepaper covering conntrack flaws that are common with many linux routers and linux "multihomed" devices. In this post we'll cover SPR, how our process mitigated the highest risk vulnerabilities, how we fixed the rest and other improvements we're making to be resilient against attacks like this in the future.

Overview​

Conntrack is part of Linux Netfilter and is an integral part of a stateful firewall for allowing Network Address Translation on a network. A router uses it to allow clients to establish connections through the uplink interfaces.

Anvil Secure published details on how devices often fail to lock down their firewalls correctly since Conntrack operates at layer 3. External attackers that are one hop away can abuse this to spoof IP addresses and send traffic to internal interfaces on devices and routers for an established connection managed with conntrack. For most of our users, this limits the attack to compromised or hostile ISP providers, which is an uncommon (but not unheard of attack vector). However, since the WiFi Pod can be used as a travel router, it's important to us that they are can withstand being attached to a hostile network.

The riskiest of the attacks happen to not affect SPR.

Here is an overview of how SPR helps defend users against attacks with multicast services. The capabilities let SPR users enjoy the benefits of multicast while also being able to constrain the attack surfaces to trusted devices only.

Overview​

1. Every WiFi device is placed on its own VLAN and has a unique Group Key blocking Direct Station to Station Multicast traffic
2. We employ a configurable multicast proxy to relay whitelisted multicast services. It support mDNS and SSDP by default for ease of use. The multicast proxy and mDNS & SSDP relaying can be completely turned off though.
3. We also support setting a tag for multicast services to limit relaying traffic to only devices with the same tag applied.

Envision a homelab scenario with a feature-rich router that's suitable as a container host with storage and memory. Locking down the router's container network policy is surprisingly difficult to set up and manage.

SPR makes it easy with secure by default network controls. Instead of worrying about IP ranges and interfaces, join the interfaces to the groups of devices they can communicate with and set internet access policy.

Association in the 802.11/ WiFi World comes in the "loose" variety of the term, and why Hostapd disconnect events are confusing...

As a quick recap: when a station connects to an Access Point, it goes through a series of request/reply interactions. Several frames are in play including Probes, Authentication, Association, and finally Data frames with EAPOL. The EAPOL payloads perform all the fun cryptography with the passphrase for WPA2, WPA3, and 802.1X Authentication mechanisms.

Rust is taking off in the Linux Kernel and improved support and features make it possible to develop drivers with Rust.