Atheros driver for Windows malformed frame handling

WVE ID: WVE-2007-0012

Type: Vulnerability

Status: Candidate

Classification:
Input Manipulation

Description:
The Atheros driver for Windows systems does not properly handle malformed frames, allowing a remote attacker to execute arbitrary code on a vulnerable system.

Discussion:
The Atheros driver for Windows XP and Vista systems does not properly handle malformed IEEE 802.11 management frames, which allows a remote attacker to trigger a DoS condition and to execute code remotely on vulnerable systems.

Multiple management frame types, including beacon and probe response frames, can trigger this vulnerability through malformed tagged information element data.
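The bounds checks a driver has to make when walking tagged information elements, as an added example (not the Atheros driver's code and not part of the original entry). The function names, status codes and sample byte arrays are constructed for illustration; the entry does not say which element or check the vulnerable driver got wrong.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_SSID      0   /* element ID of the SSID element */
#define SSID_MAX_LEN 32  /* 802.11 maximum SSID length in octets */

enum { IE_TRUNCATED_HDR = -1, IE_OVERRUN = -2, IE_SSID_TOO_LONG = -3 };

/* Walk the tagged parameters (ID octet, length octet, value) that follow the
 * fixed fields of a beacon or probe response. Copies the SSID into ssid[] and
 * returns its length, or a negative code on the first malformed element. */
int ie_walk(const uint8_t *ies, size_t len, uint8_t ssid[SSID_MAX_LEN])
{
    size_t off = 0;
    int ssid_len = 0;
    while (off < len) {
        if (len - off < 2)            /* ID and length octets must both be present */
            return IE_TRUNCATED_HDR;
        uint8_t id = ies[off], elen = ies[off + 1];
        off += 2;
        if (elen > len - off)         /* declared length runs past the end of the frame */
            return IE_OVERRUN;
        if (id == IE_SSID) {
            if (elen > SSID_MAX_LEN)  /* would overflow the fixed-size destination */
                return IE_SSID_TOO_LONG;
            memcpy(ssid, ies + off, elen);
            ssid_len = elen;
        }
        off += elen;
    }
    return ssid_len;
}

/* Validate only; the SSID copy is discarded. */
int ie_check(const uint8_t *ies, size_t len)
{
    uint8_t ssid[SSID_MAX_LEN];
    return ie_walk(ies, len, ssid);
}

/* Constructed sample inputs, not captured traffic. */
const uint8_t good_ies[]     = { 0, 4, 'c', 'o', 'r', 'p', 1, 2, 0x82, 0x84 };
const uint8_t overrun_ies[]  = { 0, 4, 'c', 'o', 'r', 'p', 1, 200, 0x82 };
const uint8_t dangling_ies[] = { 0, 4, 'c', 'o', 'r', 'p', 1 };
const uint8_t long_ssid_ies[42] = { 0, 40 };  /* SSID claims 40 octets */
```

A frame that fails any of the three checks is rejected whole rather than parsed up to the bad element.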

Since the vulnerability is in IEEE 802.11 management frames, WPA, WPA2 and WEP encryption mechanisms do not mitigate this vulnerability as these mechanisms do not apply to management frames. Pre-standard IEEE 802.11w mechanisms such as Management Frame Protection (MFP) also do not mitigate this vulnerability, since the management frames that trigger the vulnerability are not protected with 802.11w/MFP.

Affected drivers include the Atheros Wireless Driver versions prior to 5.3.0.35 and Atheros Wireless Driver versions prior to 6.0.3.67. Since this Atheros driver is a reference implementation that has been adopted by multiple hardware vendors, it is believed that many vendors are affected by this vulnerability. Affected organizations should contact their card manufacturers for an updated driver that resolves these flaws.

Organizations can assess their exposure to this threat with the free WiFiDEnum wireless driver vulnerability assessment tool, identified in the references section of this entry.

Credits
Author: Nicholas Krasny : IBM Managed Security Services

Author: Jeremy Kelley : IBM Managed Security Services

References
URL: http://labs.arubanetworks.com/wifidenum/
URL: http://www.frsirt.com/english/advisories/2007/2756
URL: http://www.kb.cert.org/vuls/id/730169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2927

Released: 2007-08-01

Submitter
Joshua Wright (jwright@arubanetworks.com) : Aruba Networks

Submitted: Mon Aug 13 06:47:21 -0700 2007

Candidate Date: Tue Aug 21 11:10:23 -0700 2007

