Madwifi wireless driver buffer overflow vulnerability

Overview

A buffer overflow vulnerability exists in the Madwifi wireless driver. If successfully exploited, an attacker may be able to execute arbitrary code, or cause a denial-of-service condition.

Description

The Madwifi driver is a Linux kernel device driver for Atheros-based 802.11 a/b/g compatible wireless LAN adapters. Linux distributions may include the Madwifi driver in their default installation, or as an optional package. Commercial access points and networking equipment may also use the Madwifi driver.

A buffer overflow vulnerability has been discovered in the Madwifi driver. This overflow occurs because the driver does not properly process the information element part of probe response management frames. An attacker within radio range may be able to trigger the overflow by sending a specially-crafted 802.11 management frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted or authenticated, using wireless encryption (WEP/WPA) does not mitigate this vulnerability.

This vulnerability, and the patch, are documented in Madwifi’s Changeset 1842:

---

Impact

A remote, unauthenticated attacker within 802.11 radio range may be able to execute arbitrary code with kernel privileges, or cause a denial-of-service condition.

---

Solution

Upgrade

The madwifi team has released an upgrade that addresses this issue. Users who do not compile their kernel from source should see the systems affected portion of this document for information about specific vendors.

Note that third party software repositories may also contain vulnerable versions of the Madwifi driver.

---

Vendor Information

925529

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Gentoo Linux __ Affected

Notified: December 08, 2006 Updated: December 11, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.gentoo.org/security/en/glsa/glsa-200612-09.xml&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23925529 Feedback>).

MadWifi Affected

Updated: December 08, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. __ Affected

Notified: December 08, 2006 Updated: December 16, 2006

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.novell.com/linux/security/advisories/2006_74_madwifi.html&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23925529 Feedback>).

Debian GNU/Linux Not Affected

Notified: December 08, 2006 Updated: December 11, 2006

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Not Affected

Notified: December 08, 2006 Updated: December 11, 2006

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux __ Not Affected

Notified: December 08, 2006 Updated: December 11, 2006

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We do not provide the Madwifi wireless driver.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Not Affected

Notified: December 08, 2006 Updated: December 11, 2006

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu Unknown

Notified: December 08, 2006 Updated: December 08, 2006

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 23 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://secunia.com/advisories/23277/&gt;
• <http://madwifi.org/wiki/news/20061207...0-9-2-1-fixes-critical-security-issue&gt;
• <http://madwifi.org/changeset/1842&gt;
• <http://lists.immunitysec.com/pipermail/dailydave/2006-December/003888.html&gt;

Acknowledgements

Thanks to the Madwifi Team for providing information about this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs:	CVE-2006-6332
Severity Metric:	3.37 Date Public: