Apple Airport Extreme fails to properly process 802.11 frames

2007-02-02T00:00:00
ID VU:583552
Type cert
Reporter CERT
Modified 2007-02-02T00:00:00

Description

Overview

A vulnerability exists in the Apple AirPort Extreme wireless driver that may allow an attacker to crash a vulnerable system.

Description

The Apple AirPort Extreme adapter is an 802.11g compatible wireless adapter used in Apple OS X laptops and desktops.

A flaw exists in the way AirPort Extreme wireless drivers handle certain malformed 802.11 frames which may result in an out-of-bounds memory access. This flaw results in a vulnerability that could allow an attacker to cause a kernel panic on a vulnerable system.

To exploit this vulnerability an attacker would need to send a specially crafted 802.11 frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted, using wireless encryption (WEP/WPA) may not mitigate this vulnerability.

Per Apple Security Advisory 2007-01-25, the Core Duo version of Mac mini, MacBook, and MacBook Pro computers are affected by this vulnerability.


Impact

A remote unauthenticated attacker within 802.11 radio range may be able to create a denial-of-service condition by crashing a vulnerable system.


Solution

Upgrade
Apple has issued an upgrade to address this issue. See or Apple Security Advisory 2007-01-25 or AirPort Extreme Update 2007-001 for more details.


Disable the Affected Wireless Adapter
Until updates can be applied, turning off the wireless adapter can mitigate this vulnerability. To turn off the wireless card, follow the instructions found in Apple's knowledgebase:

Turning AirPort off

Turn your AirPort Card off when you're in situations where radio communication may be prohibited, such as in an airplane or at a hospital.
1. Open the Internet Connect application and click AirPort in the toolbar.
2. Click Turn AirPort Off.

If you have disabled the AirPort port in Network preferences, then your AirPort Card is already turned off. To disable the AirPort port, choose Network Port Configurations from the Show pop-up menu and deselect the AirPort checkbox.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Apple Computer, Inc.| | -| 29 Jan 2007
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://lists.apple.com/archives/security-announce/2007/Jan/msg00001.html>
  • <http://www.apple.com/support/downloads/airportextremeupdate2007001.html>
  • <http://en.wikipedia.org/wiki/AirPort#Airport_Extreme_Card>
  • <http://projects.info-pull.com/mokb/MOKB-30-11-2006.html>
  • <http://docs.info.apple.com/article.html?artnum=305031>
  • <http://docs.info.apple.com/article.html?artnum=106227>
  • <http://standards.ieee.org/getieee802/download/802.11g-2003.pdf>
  • <http://secunia.com/advisories/23159/>

Credit

This issue was made public by LMH on the Month of Kernel Bugs website.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2006-6292
  • Date Public: 30 Nov 2006
  • Date First Published: 02 Feb 2007
  • Date Last Updated: 02 Feb 2007
  • Severity Metric: 0.37
  • Document Revision: 13