Scientific Linux Security Update : madwifi on SL5.x, SL4.x i386/x86_64

high Nessus Plugin ID 60188

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

Madwifi 0.9.3.1 Release note:
http://madwifi.org/wiki/news/20070523/release-0-9-3-1-fixes-three-security-issue

Security fixes in 0.9.3.1 :

- http://madwifi.org/ticket/1270 In the madwifi/ath component, if_ath.c handles the beacon configuration and related initialization for both clients and APs in the function ath_beacon_config(). The function uses the macro 'howmany', which performs a division. The macro is used without ensuring that its argument (the denominator 'intval') is non-zero. The divide-by-zero condition can be triggered remotely with a malformed packet.

- http://madwifi.org/ticket/1335 There is a vulnerability in the packet parsing code whereby a remote attacker can craft a malicious packet that will DoS the system. Due to improper sanitization of the nested 802.3 Ethernet frame length fields in Fast Frame packets, the MadWifi driver is vulnerable to a remote kernel denial of service. The frame length is read directly from the attacker's packet without validation. The attacker can specify a length such that, after the skb_pull operation, skb1 holds fewer than sizeof(ethernet_header) bytes. When skb_pull is called again on skb1 in athff_decap it returns NULL, and that NULL pointer is dereferenced later in the function.

- http://madwifi.org/ticket/1334 A restricted local user can make an unprivileged I/O control call to the driver's ieee80211_ioctl_getwmmparams. This function accepts an array index from the user and validates it incorrectly: it checks that the index is less than a maximum value but does not check that it is non-negative. A local attacker can supply a large negative number, which passes the check and causes an out-of-bounds array dereference.
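
The three fixes share one pattern: a value taken from the air or from an unprivileged caller reaches a division, a buffer pull or an array index before it has been range-checked. The following C is an added illustration written for this page, not madwifi's code. The function names, the parameter values and the packet bytes are constructed, and Fast Frame decapsulation is reduced to a model of back-to-back 802.3 sub-frames (14-byte header with a big-endian length field, then that many payload bytes) so that the missing length check stands out; model_pull() stands in for skb_pull() only in that it returns NULL when more is pulled than remains.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Hypothetical models of the three checks described in the tickets above.
 * Names, layouts and values are constructed for illustration; this is not
 * madwifi code.
 */

/* Same shape as the BSD 'howmany' macro used in ath_beacon_config(). */
#define howmany(x, y) (((x) + ((y) - 1)) / (y))

/* Ticket 1270: 'intval' is the beacon interval taken from a received frame.
 * Returns the number of intervals, or -1 when intval is zero, so the
 * macro's division never sees a zero denominator. */
long beacon_intervals(uint32_t units, uint16_t intval)
{
    if (intval == 0)
        return -1;                 /* malformed frame: reject before dividing */
    return (long)howmany(units, intval);
}

/* Ticket 1335: nested 802.3 frames inside a Fast Frame payload (model). */
#define ETH_HLEN 14

struct sk_model { const uint8_t *data; size_t len; };

/* Mirrors skb_pull() in one respect: NULL if more is pulled than remains. */
static const uint8_t *model_pull(struct sk_model *s, size_t n)
{
    if (n > s->len)
        return NULL;
    s->data += n;
    s->len  -= n;
    return s->data;
}

/* Returns the number of sub-frames decapsulated, or -1 if a header does
 * not fit or a length field exceeds the bytes that remain. The two
 * pre-checks are the validation the advisory says was missing; the NULL
 * checks on model_pull() are the second line of defence. */
int ff_decap_count(const uint8_t *pkt, size_t pktlen)
{
    struct sk_model s = { pkt, pktlen };
    int n = 0;

    while (s.len > 0) {
        if (s.len < ETH_HLEN)
            return -1;             /* no room for a sub-frame header */
        size_t flen = ((size_t)s.data[12] << 8) | s.data[13];
        if (flen > s.len - ETH_HLEN)
            return -1;             /* attacker-supplied length too large */
        if (model_pull(&s, ETH_HLEN) == NULL || model_pull(&s, flen) == NULL)
            return -1;             /* unreachable after the checks above */
        n++;
    }
    return n;
}

/* Constructed inputs: two well-formed sub-frames (lengths 4 and 2); one
 * whose length field 0x00ff exceeds the 4 bytes that follow; and one with
 * a good first sub-frame followed by 5 bytes, too short for a header. */
const uint8_t ff_good[] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x00,0x04, 0xaa,0xbb,0xcc,0xdd,
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x00,0x02, 0xee,0xff
};
const uint8_t ff_bad[] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x00,0xff, 0xaa,0xbb,0xcc,0xdd
};
const uint8_t ff_trunc[] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x00,0x04, 0xaa,0xbb,0xcc,0xdd,
    0x11,0x22,0x33,0x44,0x55
};
const size_t ff_good_len  = sizeof ff_good;
const size_t ff_bad_len   = sizeof ff_bad;
const size_t ff_trunc_len = sizeof ff_trunc;

/* Ticket 1334: a signed index from an unprivileged ioctl, checked only
 * against the upper bound. */
#define WME_NUM_AC 4
static const int wme_param[WME_NUM_AC] = { 3, 7, 15, 31 };  /* constructed */

int wme_index_ok_before(int ac) { return ac < WME_NUM_AC; }             /* negatives pass */
int wme_index_ok_after(int ac)  { return ac >= 0 && ac < WME_NUM_AC; }  /* fixed */

/* Returns the parameter, or -1 for an out-of-range index. */
int get_wme_param(int ac)
{
    if (!wme_index_ok_after(ac))
        return -1;
    return wme_param[ac];
}
```

Compile with any C99 compiler. The point of wme_index_ok_before() is that a single `< N` comparison on a signed value accepts every negative number, which is exactly the check the ticket describes; the same lesson applies to the other two cases, where the untrusted value must be checked against both the arithmetic it feeds and the buffer it indexes before it is used.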

NOTE: The version number 0.9.3.1 is actually lower than the version number shipped in Scientific Linux 4.x. This is correct. This really is the latest version of madwifi. We have adjusted the RPMs so that they can handle this.

Solution

Update the affected packages.

See Also

http://madwifi.org/ticket/1270

http://madwifi.org/ticket/1334

http://madwifi.org/ticket/1335

http://www.nessus.org/u?466a3814

http://www.nessus.org/u?630eb4a6

Plugin Details

Severity: High

ID: 60188

File Name: sl_20070523_madwifi_on_SL5_x.nasl

Version: 1.5

Type: local

Agent: unix

Published: 8/1/2012

Updated: 1/14/2021

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 5/23/2007