US-CERT
Vulnerability Notes Database

Vulnerability Note VU#925529

Madwifi wireless driver buffer overflow vulnerability

Overview

A buffer overflow vulnerability exists in the Madwifi wireless driver. If successfully exploited, an attacker may be able to execute arbitrary code, or cause a denial-of-service condition.

I. Description

The Madwifi driver is a Linux kernel device driver for Atheros-based 802.11 a/b/g compatible wireless LAN adapters. Linux distributions may include the Madwifi driver in their default installation, or as an optional package. Commercial access points and networking equipment may also use the Madwifi driver.

A buffer overflow vulnerability has been discovered in the Madwifi driver. This overflow occurs because the driver does not properly process the information element part of probe response management frames. An attacker within radio range may be able to trigger the overflow by sending a specially crafted 802.11 management frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted or authenticated, using wireless encryption (WEP/WPA) does not mitigate this vulnerability.
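
The kind of length validation an information element parser needs, as an added example (this is not Madwifi's code or its patch): a C routine that walks the elements of a management frame and refuses to copy one whose declared length exceeds the bytes left in the frame or a fixed destination buffer. The names `copy_ie`, `check_sample` and `IE_COPY_MAX`, the 64-byte buffer size and the sample frame are assumptions for illustration; the note does not say which element or buffer is involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_COPY_MAX 64  /* assumed size of the fixed destination buffer */

enum ie_status { IE_OK = 0, IE_NOT_FOUND = -1, IE_TRUNCATED = -2, IE_TOO_LONG = -3 };

/* Each information element is: 1-byte ID, 1-byte length, `length` data bytes.
 * Copy the first element with ID `want_id` into dst, checking the declared
 * length against both the bytes left in the frame and the destination size. */
static int copy_ie(const uint8_t *ies, size_t ies_len, uint8_t want_id,
                   uint8_t dst[IE_COPY_MAX], size_t *dst_len)
{
    size_t off = 0;
    while (ies_len - off >= 2) {             /* room for an ID + length header */
        uint8_t id = ies[off];
        size_t len = ies[off + 1];
        if (len > ies_len - off - 2)
            return IE_TRUNCATED;             /* claims bytes past the end of the frame */
        if (id == want_id) {
            if (len > IE_COPY_MAX)
                return IE_TOO_LONG;          /* would overflow dst: reject, never copy */
            memcpy(dst, ies + off + 2, len);
            *dst_len = len;
            return IE_OK;
        }
        off += 2 + len;
    }
    return off == ies_len ? IE_NOT_FOUND : IE_TRUNCATED; /* stray trailing byte */
}

/* Constructed sample: an SSID element (ID 0) followed by an element with ID 221
 * that declares `claimed` bytes but carries only `present` bytes of data. */
static int check_sample(uint8_t claimed, size_t present)
{
    uint8_t frame[6 + 2 + 255] = { 0, 4, 't', 'e', 's', 't', 221, claimed };
    uint8_t dst[IE_COPY_MAX];
    size_t dst_len = 0;
    return copy_ie(frame, 8 + present, 221, dst, &dst_len);
}

int main(void)
{
    printf("%d %d %d\n", check_sample(32, 32), check_sample(200, 200), check_sample(40, 10));
    return 0;
}
```

Both checks are needed: the first keeps the parser inside the received frame, the second keeps the copy inside the destination buffer even when the frame really does carry that many bytes.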

This vulnerability and the patch are documented in Madwifi's Changeset 1842 (http://madwifi.org/changeset/1842).


II. Impact

A remote, unauthenticated attacker within 802.11 radio range may be able to execute arbitrary code with kernel privileges, or cause a denial-of-service condition.

III. Solution

Upgrade

The Madwifi team has released an upgrade that addresses this issue. Users who do not compile their kernel from source should see the Systems Affected section of this document for information about specific vendors.

Note that third party software repositories may also contain vulnerable versions of the Madwifi driver.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Conectiva Inc. | Unknown | 8-Dec-2006
Debian GNU/Linux | Not Vulnerable | 11-Dec-2006
Engarde Secure Linux | Unknown | 8-Dec-2006
Fedora Project | Not Vulnerable | 11-Dec-2006
Gentoo Linux | Vulnerable | 11-Dec-2006
Hewlett-Packard Company | Unknown | 8-Dec-2006
IBM Corporation (zseries) | Unknown | 8-Dec-2006
IBM eServer | Unknown | 8-Dec-2006
Immunix Communications, Inc. | Unknown | 8-Dec-2006
Ingrian Networks, Inc. | Unknown | 8-Dec-2006
MadWifi | Vulnerable | 8-Dec-2006
Mandriva, Inc. | Unknown | 8-Dec-2006
MontaVista Software, Inc. | Unknown | 8-Dec-2006
Novell, Inc. | Vulnerable | 16-Dec-2006
Openwall GNU/*/Linux | Not Vulnerable | 11-Dec-2006
Red Hat, Inc. | Not Vulnerable | 11-Dec-2006
Slackware Linux Inc. | Unknown | 8-Dec-2006
Sun Microsystems, Inc. | Unknown | 8-Dec-2006
SUSE Linux | Unknown | 8-Dec-2006
The SCO Group | Unknown | 8-Dec-2006
Trustix Secure Linux | Unknown | 8-Dec-2006
Turbolinux | Unknown | 8-Dec-2006
Ubuntu | Unknown | 8-Dec-2006

References


http://secunia.com/advisories/23277/
http://madwifi.org/wiki/news/20061207...0-9-2-1-fixes-critical-security-issue
http://madwifi.org/changeset/1842
http://lists.immunitysec.com/pipermail/dailydave/2006-December/003888.html

Credit

Thanks to the Madwifi Team for providing information about this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2006-12-07
Date First Published: 2006-12-08
Date Last Updated: 2007-01-10
CERT Advisory:
CVE-ID(s): CVE-2006-6332
NVD-ID(s): CVE-2006-6332
US-CERT Technical Alerts:
Metric: 3.37
Document Revision: 34

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2006 by US-CERT, a government organization