Linux Preparing To Disable Drivers For Microsoft's RNDIS Protocol (phoronix.com)

Phoronix reports: With the next Linux kernel cycle we could see upstream disable their driver support for Microsoft's Remote Network Driver Interface Specification (RNDIS) protocol due to security concerns.

RNDIS is the proprietary protocol used atop USB for virtual Ethernet functionality. The support for RNDIS outside of Microsoft Windows has been mixed. RNDIS isn't widely used today in cross-platform environments and due to security concerns the upstream Linux kernel is looking to move the RNDIS kernel drivers behind the "BROKEN" Kconfig option so they effectively become disabled in future kernel builds.

Ultimately once marked as "BROKEN" for a while, the drivers will likely be eventually removed from the upstream source tree.

Greg Kroah-Hartman wrote in a commit: "The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on any system that uses it with untrusted hosts or devices. Because the protocol is impossible to make secure, just disable all rndis drivers to prevent anyone from using them again."
  • Wait a sec (Score:3, Interesting)

    by That Grammar Guy! ( 10283466 ) on Sunday January 15, 2023 @11:40AM (#63210410)
    Is this going to break support for Linux USB gadgets? I have a lot of Pi Zeros that I have set up to use RNDIS so I can just plug in USB, SSH to the local loopback address, and go.
    • Re:Wait a sec (Score:4, Informative)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday January 15, 2023 @11:44AM (#63210430) Homepage Journal

      Switch to CDC-ECM [segger.com].

    • by sjames ( 1099 )

      At least for now, you will be able to build a kernel with support by enabling "broken" drivers.

    • by romiz ( 757548 )

      You can still use the f_ncm gadget. If the OS descriptor is set to WINNCM, Windows 7 and later should automatically install the relevant network driver.

    • by ceoyoyo ( 59147 )

      Ultimately, these things are just a bit of code that packs outgoing IP frames into USB frames and reconstitutes incoming ones. You could use an RNDIS user space driver or kernel module (I think these already exist), or you could switch to using some flavour of CDC.

      Using CDC might require upgrading the OS on the pi, or maybe just loading a kernel module or user space driver.

      • Re:Wait a sec (Score:5, Informative)

        by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Sunday January 15, 2023 @04:36PM (#63211034)

        Ultimately, these things are just a bit of code that packs outgoing IP frames into USB frames and reconstitutes incoming ones. You could use an RNDIS user space driver or kernel module (I think these already exist), or you could switch to using some flavour of CDC.

        Using CDC might require upgrading the OS on the pi, or maybe just loading a kernel module or user space driver.

        RNDIS is so close to CDC-Ethernet that, for a long time, they were both handled by the same code. However, the two serve different purposes. RNDIS uses USB as a network link - both the USB Host and USB Client form two nodes of the network. You gave each end an IP address and you could communicate as normal.

        CDC-Ethernet was designed as a single endpoint - the USB client was a communications device while the USB host was the endpoint. So the USB host would have an IP address, while the USB client would be say, an Ethernet adapter. This was commonly the protocol used for say, cable modems and such - you plugged your PC into the USB port and it showed up as an Ethernet card.

        So they're similar, but different. RNDIS is for two hosts communicating over USB, while CDC-Ethernet is for a host to interface to a device that can handle Ethernet packets but is technically not an endpoint.

        RNDIS is really an alternative to the other way to do it - which is USB-serial and then you run say, PPP over the link to establish a network connection.

        In summary, RNDIS is host to host network connectivity using USB.
        CDC-Ethernet, a related and similar protocol, is a class driver to connect a USB host to an Ethernet-like network.

        • by ceoyoyo ( 59147 )

          Not sure about that. I just plugged a pi into an Ubuntu machine. They can both ping each other's IP addresses, and either side can initiate an ssh session. The Ubuntu machine is using CDC-ECM.

          RNDIS may very well do a bunch of Microsoft things, but CDC-ECM does exactly what the OP wants: creates a virtual ethernet adapter and sends and receives packets through it over the USB connection to a similar driver on the other side.

  • by The_DOD_player ( 640135 ) on Sunday January 15, 2023 @01:36PM (#63210672)
    Gee.. something from Microsoft that is broken by design. Say it ain't so. Who would have thought?
    • by jmccue ( 834797 )

      Yes, and how this was allowed in is beyond me. I looked around and the module seems to be "rndis_host.ko".

      So I went looking: on Slackware 15, rndis is set as a module and it is not loaded on boot. So I will create /etc/modprobe.d/rndis_host to blacklist that module.
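The mitigation the comment above describes, checking whether the RNDIS modules are loaded and keeping them from loading, as an added example that is not code from the thread or from the kernel tree. It assumes the module names rndis_host (named in the comment) and rndis_wlan (the mainline RNDIS Wi-Fi module); the file name rndis.conf is chosen because modprobe only reads files in /etc/modprobe.d that end in .conf. It writes both a blacklist line, which only stops alias-based autoloading, and an install line mapped to /bin/false, which also refuses an explicit modprobe. Both functions take an optional path so the script can be run against a constructed snapshot and a temporary directory without root.

```shell
#!/bin/sh
# Added example: detect loaded Linux RNDIS drivers and generate a modprobe
# configuration that blocks them. Module names are assumptions based on
# mainline Linux (rndis_host from the thread, rndis_wlan for the Wi-Fi side).
RNDIS_MODULES="rndis_host rndis_wlan"

# Print the names of RNDIS modules present in a /proc/modules-style file.
# $1: module list to read (default: the live /proc/modules).
loaded_rndis_modules() {
    file="${1:-/proc/modules}"
    [ -r "$file" ] || return 1
    awk -v list="$RNDIS_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }
    ' "$file"
}

# Write $1/rndis.conf with "blacklist" (no autoload via alias) and
# "install ... /bin/false" (explicit modprobe fails too) for each module.
# $1: modprobe.d directory (default: /etc/modprobe.d). Prints the file path.
write_rndis_blacklist() {
    dir="${1:-/etc/modprobe.d}"
    conf="$dir/rndis.conf"
    : > "$conf" || return 1
    for m in $RNDIS_MODULES; do
        printf 'blacklist %s\n' "$m" >> "$conf"
        printf 'install %s /bin/false\n' "$m" >> "$conf"
    done
    printf '%s\n' "$conf"
}

# Stand-alone demo against a constructed /proc/modules snapshot and a
# temporary directory, so it runs without root; drop the arguments to
# inspect and harden the live system instead.
demo_dir=$(mktemp -d)
# Constructed sample: rndis_host loaded, with usbnet depending on it.
printf 'rndis_host 16384 0 - Live 0x0\nusbnet 45056 1 rndis_host, Live 0x0\n' > "$demo_dir/modules"
echo "loaded RNDIS modules:"
loaded_rndis_modules "$demo_dir/modules"
echo "wrote: $(write_rndis_blacklist "$demo_dir")"
cat "$demo_dir/rndis.conf"
```

After writing the real file, run `modprobe -r rndis_host` (and rndis_wlan if present) to unload anything already resident, since modprobe.d only affects future loads; a reboot confirms nothing brings them back.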

  • https://wimsworld.wordpress.co... [wordpress.com] Had me going through several options on my cellular modem. RNDIS was the only one that came up directly via dhcpd for both ipv4 and ipv6.
