Bug 1222337

Summary: Intel FW so-a0-gf-a0-71.ucode buggy OR backdoored - iwlmvm
Product: [openSUSE] openSUSE Distribution
Reporter: Paul Soto <pst73de>
Component: Kernel:Drivers
Assignee: Kernel Bugs <kernel-bugs>
Status: NEW
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: pst73de, tiwai
Version: Leap 15.4
Flags: tiwai: needinfo? (pst73de)
Target Milestone: ---
Hardware: x86-64
OS: openSUSE Leap 15.4
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Paul Soto 2024-04-04 17:16:01 UTC
Hello

I came across a strange phenomenon while running an iwlmvm card on my laptop.

Network setup:

host1, host2, host3  <---> ASUS WIFI AP <----> external router (WAN)

host1 suddenly cannot connect to host2 on port 22, but host3 can.

Symptoms:

ssh user@host2 results in a timeout.

tcpdump on host1 for the wifi iface: shows SYN outgoing to port 22 on host2, no SYN,ACK received. SYN repeats many times, then times out.

tcpdump on host2 for the wifi iface (logged in from host3!): shows SYN incoming from host1, then host2 sends SYN,ACK (with payload containing the SSH banner); this packet somehow vanishes before/while reaching host1.

Reboot of both hosts 1 and 2: no improvement. Still no connection.

Test2: change the port of sshd (dropbear, debian) on host2 from 22 to 222. Result: port 22 starts to work again (e.g. netcat -l 22 on host2, then telnet to port 22 from host1, connects and dumps data), but port 222 doesn't work. Can't connect to sshd on port 222. Another try: port 555; ports 22 and 222 work again, but 555 doesn't. (LOL, are you kidding me?)

Test3: remove the modules for iwlmvm, then use a USB wifi card (trendnet ac600). Result: ssh/telnet works to any port from host1 to host2.

Test4: load the iwlmvm modules again, remove the USB wifi: the problem is back, same as above. Change the IP of both host1 and host2: no impact, problem persists.

Finally: update ALL packages referenced by /lib/firmware, reboot host1. Result: the problem vanished on host1. iwlmvm works as expected.

Affected firmware:

so-a0-gf-a0-71.ucode

Apparently, reading the logs, refreshing the Intel firmware also pulled in:

firmware version 72.a764baac.0 so-a0-gf-a0-72.ucode op_mode iwlmvm

which the driver now loads.

Bug or trojaned ucode trying to implement a SSH MITM?
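The tcpdump observation in the description (SYNs leaving host1, no SYN,ACK ever coming back, only for certain destination ports) can be checked mechanically. The following Python example is added here and is not part of the bug report; it parses lines in tcpdump's default `-n` output format and flags flows that retransmitted SYN without ever seeing a SYN/ACK from the peer, grouped by destination address and port. The capture lines and addresses are constructed for illustration.

```python
"""Find TCP flows whose SYN was retried but never answered with SYN/ACK."""
import re
from collections import defaultdict

# Constructed sample capture in tcpdump default format (not from the report):
# three unanswered SYNs to port 22, one completed handshake to port 222.
SAMPLE = """\
12:00:00.000001 IP 192.0.2.11.51000 > 192.0.2.12.22: Flags [S], seq 100, win 64240, length 0
12:00:01.000001 IP 192.0.2.11.51000 > 192.0.2.12.22: Flags [S], seq 100, win 64240, length 0
12:00:03.000001 IP 192.0.2.11.51000 > 192.0.2.12.22: Flags [S], seq 100, win 64240, length 0
12:00:05.000001 IP 192.0.2.11.51002 > 192.0.2.12.222: Flags [S], seq 200, win 64240, length 0
12:00:05.000200 IP 192.0.2.12.222 > 192.0.2.11.51002: Flags [S.], seq 300, ack 201, win 65160, length 0
12:00:05.000300 IP 192.0.2.11.51002 > 192.0.2.12.222: Flags [.], ack 1, win 502, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(lines):
    """Yield dicts for lines that look like tcpdump TCP records; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unanswered_syns(capture_text, min_retries=2):
    """Return {(dst, dport): syn_count} for flows that sent at least
    min_retries SYNs and never received a SYN/ACK from dst:dport."""
    syns = defaultdict(int)   # (src, sport, dst, dport) -> SYNs sent
    answered = set()          # flows for which a SYN/ACK came back
    for p in parse(capture_text.splitlines()):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[flow] += 1
        elif p["flags"] == "S.":
            # SYN/ACK travels in the reverse direction; key it as the original flow.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    result = defaultdict(int)
    for flow, count in syns.items():
        if flow not in answered and count >= min_retries:
            result[(flow[2], flow[3])] += count
    return dict(result)


if __name__ == "__main__":
    for (dst, port), n in find_unanswered_syns(SAMPLE).items():
        print(f"{dst}:{port}: {n} SYNs sent, no SYN/ACK seen")
```

Run against a capture taken on the client side, a non-empty result for one port while other ports to the same host complete their handshakes reproduces the per-port asymmetry described above.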
Comment 1 Takashi Iwai 2024-04-19 14:45:02 UTC
You're using an obsolete system with an already deprecated firmware, as it seems.  Could you try to update to Leap 15.5 (or better Leap 15.6) and confirm the problem?  If the problem persists with the recent code and the recent firmware, the best would be to report to Intel upstream.