Vulnerability Note VU#730169

Atheros wireless network drivers may fail to properly handle malformed frames

Overview

Atheros wireless drivers fail to properly handle malformed wireless frames. This vulnerability may allow a remote, unauthenticated attacker to create a denial-of-service condition.

I. Description

Some versions of the Microsoft Windows drivers for Atheros 802.11 a/b/g wireless adapters fail to properly handle malformed frames. If a remote attacker within transmitting range of an affected wireless adapter sends a specially crafted frame to that adapter, they may be able to trigger this vulnerability.

This overflow occurs because the driver does not properly process management frames. An attacker within radio range may be able to trigger the overflow by sending a specially-crafted 802.11 management frame to a vulnerable system. Since 802.11b, 802.11g, and 802.11n management frames are not encrypted or authenticated, using wireless encryption (WEP/WPA) does not mitigate this vulnerability.

Note that Linux or Unix systems that use NDISWrapper or similar technologies to load the affected driver may also be vulnerable.

II. Impact

An unauthenticated, remote attacker may be able to create a denial-of-service condition.

III. Solution

Upgrade

Atheros has released an update (firmware versions 5.3.0.35 and 6.0.3.67 and later) to original equipment manufacturers to address this issue. Users should see the systems affected portion of this document for a partial list of affected vendors.

Disable the affected wireless adapter

Until updates can be applied, turning off the affected wireless adapter may mitigate this vulnerability.

Systems Affected

Vendor	Status	Date Updated
3com, Inc.	Unknown	16-May-2007
Alcatel	Unknown	16-May-2007
Apple Computer, Inc.	Unknown	16-May-2007
Atheros Communications, Inc.	Vulnerable	11-May-2007
AT&T	Unknown	16-May-2007
Avaya, Inc.	Unknown	16-May-2007
Avici Systems, Inc.	Unknown	16-May-2007
Borderware Technologies	Unknown	16-May-2007
Charlotte's Web Networks	Unknown	16-May-2007
Check Point Software Technologies	Unknown	16-May-2007
Chiaro Networks, Inc.	Unknown	16-May-2007
Cisco Systems, Inc.	Unknown	11-May-2007
Clavister	Unknown	16-May-2007
Computer Associates	Unknown	16-May-2007
Conectiva Inc.	Unknown	16-May-2007
Cray Inc.	Unknown	16-May-2007
D-Link Systems, Inc.	Unknown	11-May-2007
Data Connection, Ltd.	Unknown	16-May-2007
Debian GNU/Linux	Unknown	16-May-2007
Dell Computer Corporation, Inc.	Unknown	5-Mar-2007
EMC, Inc. (formerly Data General Corporation)	Unknown	16-May-2007
Engarde Secure Linux	Unknown	16-May-2007
Ericsson	Unknown	16-May-2007
eSoft, Inc.	Unknown	16-May-2007
Extreme Networks	Unknown	16-May-2007
F5 Networks, Inc.	Unknown	16-May-2007
Fedora Project	Unknown	16-May-2007
Force10 Networks, Inc.	Unknown	16-May-2007
Fortinet, Inc.	Unknown	16-May-2007
Foundry Networks, Inc.	Unknown	16-May-2007
FreeBSD, Inc.	Unknown	16-May-2007
Fujitsu	Unknown	16-May-2007
Gentoo Linux	Unknown	16-May-2007
Global Technology Associates	Unknown	16-May-2007
Hewlett-Packard Company	Unknown	5-Mar-2007
Hitachi	Unknown	16-May-2007
Hyperchip	Unknown	16-May-2007
IBM Corporation	Unknown	5-Mar-2007
IBM Corporation (zseries)	Unknown	16-May-2007
IBM eServer	Unknown	16-May-2007
Immunix Communications, Inc.	Unknown	16-May-2007
Ingrian Networks, Inc.	Unknown	16-May-2007
Intel Corporation	Unknown	16-May-2007
Internet Security Systems, Inc.	Unknown	16-May-2007
Intoto	Unknown	16-May-2007
IP Filter	Unknown	16-May-2007
Juniper Networks, Inc.	Unknown	16-May-2007
Linksys (A division of Cisco Systems)	Unknown	16-May-2007
Lucent Technologies	Unknown	16-May-2007
Luminous Networks	Unknown	16-May-2007
Mandriva, Inc.	Unknown	16-May-2007
Microsoft Corporation	Unknown	16-May-2007
MontaVista Software, Inc.	Unknown	16-May-2007
Multinet (owned Process Software Corporation)	Unknown	16-May-2007
Multitech, Inc.	Unknown	16-May-2007
NEC Corporation	Unknown	5-Mar-2007
NetBSD	Unknown	16-May-2007
netfilter	Unknown	16-May-2007
Network Appliance, Inc.	Unknown	16-May-2007
NextHop Technologies, Inc.	Unknown	16-May-2007
Nokia	Unknown	16-May-2007
Nortel Networks, Inc.	Unknown	16-May-2007
Novell, Inc.	Unknown	16-May-2007
OpenBSD	Unknown	16-May-2007
Openwall GNU/*/Linux	Unknown	16-May-2007
Philips Electronics	Unknown	16-May-2007
QNX, Software Systems, Inc.	Unknown	16-May-2007
Red Hat, Inc.	Unknown	16-May-2007
Redback Networks, Inc.	Unknown	16-May-2007
Riverstone Networks, Inc.	Unknown	16-May-2007
Secure Computing Network Security Division	Not Vulnerable	24-May-2007
Secureworx, Inc.	Unknown	16-May-2007
Silicon Graphics, Inc.	Unknown	16-May-2007
Slackware Linux Inc.	Unknown	16-May-2007
Sony Corporation	Unknown	5-Mar-2007
Stonesoft	Unknown	16-May-2007
Sun Microsystems, Inc.	Not Vulnerable	20-May-2007
SUSE Linux	Unknown	16-May-2007
Symantec, Inc.	Unknown	16-May-2007
The SCO Group	Unknown	16-May-2007
Toshiba	Unknown	5-Mar-2007
TRENDnet	Unknown	16-May-2007
Trustix Secure Linux	Unknown	16-May-2007
Turbolinux	Unknown	16-May-2007
Ubuntu	Unknown	16-May-2007
Unisys	Unknown	16-May-2007
Watchguard Technologies, Inc.	Unknown	16-May-2007
Wind River Systems, Inc.	Unknown	16-May-2007
ZyXEL	Unknown	16-May-2007

References

http://www.atheros.com/contact/index.html
http://standards.ieee.org/announcements/pr_frames.html
http://standards.ieee.org/getieee802/download/802.11-1999.pdf
http://secunia.com/advisories/26348/

Credit

Thanks to Nicholas Krasny of IBM Managed Security Services for information about this vulnerability and to Jeremy Kelley for reporting.

This document was written by Ryan Giobbi.

Other Information

Date Public	08/01/2007
Date First Published	08/01/2007 06:09:09 AM
Date Last Updated	08/14/2007
CERT Advisory
CVE Name	CVE-2007-2927
Metric	0.77
Document Revision	25