Apple Airport Extreme fails to properly process 802.11 frames

Overview

A vulnerability exists in the Apple AirPort Extreme wireless driver that may allow an attacker to crash a vulnerable system.

Description

The Apple AirPort Extreme adapter is an 802.11g compatible wireless adapter used in Apple OS X laptops and desktops.

A flaw exists in the way AirPort Extreme wireless drivers handle certain malformed 802.11 frames which may result in an out-of-bounds memory access. This flaw results in a vulnerability that could allow an attacker to cause a kernel panic on a vulnerable system.

To exploit this vulnerability an attacker would need to send a specially crafted 802.11 frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted, using wireless encryption (WEP/WPA) may not mitigate this vulnerability.

Per Apple Security Advisory 2007-01-25, the Core Duo version of Mac mini, MacBook, and MacBook Pro computers are affected by this vulnerability.

---

Impact

A remote unauthenticated attacker within 802.11 radio range may be able to create a denial-of-service condition by crashing a vulnerable system.

---

Solution

Upgrade
Apple has issued an upgrade to address this issue. See or Apple Security Advisory 2007-01-25 or AirPort Extreme Update 2007-001 for more details.

---

Disable the Affected Wireless Adapter
Until updates can be applied, turning off the wireless adapter can mitigate this vulnerability. To turn off the wireless card, follow the instructions found in Apple’s knowledgebase:

Turning AirPort off

Turn your AirPort Card off when you're in situations where radio communication may be prohibited, such as in an airplane or at a hospital.
1.\tOpen the Internet Connect application and click AirPort in the toolbar.
2.\tClick Turn AirPort Off.

If you have disabled the AirPort port in Network preferences, then your AirPort Card is already turned off. To disable the AirPort port, choose Network Port Configurations from the Show pop-up menu and deselect the AirPort checkbox.

---

Vendor Information

583552

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer, Inc. __ Affected

Updated: January 29, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://lists.apple.com/archives/security-announce/2007/Jan/msg00001.html&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23583552 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://lists.apple.com/archives/security-announce/2007/Jan/msg00001.html&gt;
• <http://www.apple.com/support/downloads/airportextremeupdate2007001.html&gt;
• <http://en.wikipedia.org/wiki/AirPort#Airport_Extreme_Card&gt;
• <http://projects.info-pull.com/mokb/MOKB-30-11-2006.html&gt;
• <http://docs.info.apple.com/article.html?artnum=305031&gt;
• <http://docs.info.apple.com/article.html?artnum=106227&gt;
• <http://standards.ieee.org/getieee802/download/802.11g-2003.pdf&gt;
• <http://secunia.com/advisories/23159/&gt;

Acknowledgements

This issue was made public by LMH on the Month of Kernel Bugs website.

This document was written by Ryan Giobbi.

Other Information

CVE IDs:	CVE-2006-6292
Severity Metric:	0.37 Date Public: