Vulnerability Note VU#209376

Broadcom wireless driver fails to properly process 802.11 probe response frames

Original Release date: 14 Nov 2006 | Last revised: 17 Jan 2007

Overview

A buffer overflow vulnerability exists in the Broadcom BCMWL5.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition.

Description

The BCMWL5.SYS driver is a wireless (802.11) device driver produced by Broadcom. See the Systems Affected section of this document for a list of vendors that ship this driver. In addition to laptop and desktop systems, this driver may also be used in access points, media centers, and other network appliances.

A buffer overflow vulnerability exists in the BCMWL5.SYS driver. An attacker may be able to trigger the overflow by sending a malformed SSID probe response frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted, using wireless encryption (WEP/WPA) does not mitigate this vulnerability.

Note that Linux or Unix systems that use NDISWrapper or similar technologies to load the BCMWL5.SYS driver may also be vulnerable.
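
As an added illustration (not code from Broadcom or from this note): the note does not describe the driver's internals, so the C example below assumes the general class of flaw, an element length taken from the frame and trusted, and shows the checks a probe response parser needs before copying the SSID into a fixed 32-byte buffer. The function name, return codes and sample frames are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID         0   /* element ID of the SSID information element */
#define SSID_MAX_LEN    32  /* IEEE 802.11 limit on the SSID element body */
#define PROBE_FIXED_LEN 12  /* timestamp(8) + beacon interval(2) + capability(2) */

/* body points just past the 24-byte management header of a probe response.
 * Returns the SSID length (0..32) and fills out[], or: -1 frame truncated or
 * malformed, -2 SSID element longer than 32 bytes, -3 no SSID element. */
int probe_resp_get_ssid(const uint8_t *body, size_t body_len, uint8_t out[SSID_MAX_LEN])
{
    if (body == NULL || out == NULL || body_len < PROBE_FIXED_LEN)
        return -1;
    size_t off = PROBE_FIXED_LEN;
    while (body_len - off >= 2) {            /* room for an ID and a length byte */
        uint8_t id = body[off];
        uint8_t len = body[off + 1];         /* attacker-controlled value */
        off += 2;
        if (len > body_len - off)
            return -1;                       /* declared length runs past the frame */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)
                return -2;                   /* would overflow the fixed buffer */
            memcpy(out, body + off, len);
            return (int)len;
        }
        off += len;                          /* skip elements we do not need */
    }
    return (off == body_len) ? -3 : -1;      /* a stray trailing byte is malformed */
}

/* Constructed sample frame bodies (fixed fields zeroed), not captured traffic. */
static const uint8_t sample_ok[18]        = { [12] = IE_SSID, [13] = 4, 'l', 'a', 'b', '1' };
static const uint8_t sample_oversize[47]  = { [12] = IE_SSID, [13] = 33 };
static const uint8_t sample_truncated[16] = { [12] = IE_SSID, [13] = 8 };
static uint8_t ssid_out[SSID_MAX_LEN];

int main(void)
{
    printf("ok:        %d\n", probe_resp_get_ssid(sample_ok, sizeof sample_ok, ssid_out));
    printf("oversize:  %d\n", probe_resp_get_ssid(sample_oversize, sizeof sample_oversize, ssid_out));
    printf("truncated: %d\n", probe_resp_get_ssid(sample_truncated, sizeof sample_truncated, ssid_out));
    return 0;
}
```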

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code, or cause a denial-of-service condition on a vulnerable system.

Solution

Upgrade

Some manufacturers and OEMs have released an upgraded driver to address this issue. See the Systems Affected section of this document for more information.

Disable wireless adapters

Disabling wireless adapters may reduce the chances of this vulnerability being exploited.

Use wired networking methods until updates can be applied

Using wired networks, such as Ethernet adapters or other extended LAN technologies, until vulnerable wireless drivers can be updated will prevent this vulnerability from being exploited.

Systems Affected

Vendor                                   Status        Date Notified   Date Updated
Broadcom                                 Affected      -               17 Jan 2007
Dell Computer Corporation, Inc.          Affected      12 Nov 2006     17 Nov 2006
Linksys (A division of Cisco Systems)    Affected      12 Nov 2006     14 Nov 2006
Cisco Systems, Inc.                      Not Affected  12 Nov 2006     15 Nov 2006
3com, Inc.                               Unknown       13 Nov 2006     13 Nov 2006
Apple Computer, Inc.                     Unknown       12 Nov 2006     12 Nov 2006
D-Link Systems, Inc.                     Unknown       13 Nov 2006     13 Nov 2006
eMachines, Inc.                          Unknown       20 Nov 2006     20 Nov 2006
Hewlett-Packard Company                  Unknown       12 Nov 2006     12 Nov 2006
IBM Corporation                          Unknown       13 Nov 2006     13 Nov 2006
Sony Corporation                         Unknown       13 Nov 2006     13 Nov 2006
Toshiba                                  Unknown       12 Nov 2006     12 Nov 2006
ZyXEL                                    Unknown       13 Nov 2006     13 Nov 2006

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

This issue was publicly reported by Johnny Cache on The Month of Kernel Bugs Website.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: Unknown
  • Date Public: 11 Nov 2006
  • Date First Published: 14 Nov 2006
  • Date Last Updated: 17 Jan 2007
  • Severity Metric: 1.63
  • Document Revision: 46

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.