Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                         ESB-2006.0903 -- [Linux]
   Linux "madwifi" Atheros wireless driver buffer overflow vulnerability
                             12 December 2006


        AusCERT Security Bulletin Summary

Product:              Madwifi driver
Publisher:            US-CERT
Operating System:     Linux variants
Impact:               Root Compromise
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-6332

Original Bulletin:    http://www.kb.cert.org/vuls/id/925529

- --------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#925529
Madwifi wireless driver buffer overflow vulnerability


	A buffer overflow vulnerability exists in the Madwifi wireless driver.
	If successfully exploited, an attacker may be able to execute arbitrary
	code, or cause a denial-of-service condition.

I. Description

	The Madwifi driver is a Linux kernel device driver for Atheros-based
	802.11 a/b/g compatible wireless LAN adapters. Linux distributions
	may include the Madwifi driver in their default installation, or as
	an optional package. Commercial access points and networking equipment
	may also use the Madwifi driver.

	A buffer overflow vulnerability has been discovered in the Madwifi
	driver. This overflow occurs because the driver does not properly
	process the information element part of probe response management
	frames. An attacker within radio range may be able to trigger the
	overflow by sending a specially-crafted 802.11 management frame to a
	vulnerable system. Since 802.11b and 802.11g management frames are
	not encrypted or authenticated, using wireless encryption (WEP/WPA)
	does not mitigate this vulnerability.

	This vulnerability, and the patch, are documented in Madwifi's Changeset
	1842: http://madwifi.org/changeset/1842

II. Impact

	A remote, unauthenticated attacker within 802.11 radio range may be
	able to execute arbitrary code with kernel privileges, or cause a
	denial-of-service condition.

III. Solution

	The madwifi team has released an upgrade that addresses this issue.
	Users who do not compile their kernel from source should see the
	systems affected portion of this document for information about
	specific vendors.

Systems Affected

	Vendor	Status	Date Updated
	Conectiva Inc.	Unknown	8-Dec-2006
	Debian GNU/Linux	Not Vulnerable	11-Dec-2006
	Engarde Secure Linux	Unknown	8-Dec-2006
	Fedora Project	Not Vulnerable	11-Dec-2006
	Gentoo Linux	Vulnerable	11-Dec-2006
	Hewlett-Packard Company	Unknown	8-Dec-2006
	IBM Corporation (zseries)	Unknown	8-Dec-2006
	IBM eServer	Unknown	8-Dec-2006
	Immunix Communications, Inc.	Unknown	8-Dec-2006
	Ingrian Networks, Inc.	Unknown	8-Dec-2006
	MadWifi	Vulnerable	8-Dec-2006
	Mandriva, Inc.	Unknown	8-Dec-2006
	MontaVista Software, Inc.	Unknown	8-Dec-2006
	Novell, Inc.	Unknown	8-Dec-2006
	Openwall GNU/*/Linux	Not Vulnerable	11-Dec-2006
	Red Hat, Inc.	Not Vulnerable	11-Dec-2006
	Slackware Linux Inc.	Unknown	8-Dec-2006
	Sun Microsystems, Inc.	Unknown	8-Dec-2006
	SUSE Linux	Unknown	8-Dec-2006
	The SCO Group	Unknown	8-Dec-2006
	Trustix Secure Linux	Unknown	8-Dec-2006
	Turbolinux	Unknown	8-Dec-2006
	Ubuntu	Unknown	8-Dec-2006




	Thanks to the Madwifi Team for providing information about this vulnerability.

	This document was written by Ryan Giobbi.
	Other Information
	Date Public	12/07/2006
	Date First Published	12/08/2006 01:33:50 PM
	Date Last Updated	12/11/2006
	CERT Advisory	 
	CVE Name	CVE-2006-6332
	Metric	0.26
	Document Revision	28

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967