Scientific Linux Security Update : madwifi on SL5.x, SL4.x i386/x86_64

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

Madwifi 0.9.3.1 Release note:
http://madwifi.org/wiki/news/20070523/release-0-9-3-1-fixes-three-security-issue

Security fixes in 0.9.3.1 :

- http://madwifi.org/ticket/1270 In the madwifi/ath
component, if_ath.c handles the beacon configuration and
related initialization for both clients and APs in the
function ath_beacon_config(). The function uses the
macro 'howmany', which performs a division, without
ensuring that the argument used as the denominator
('intval') is non-zero. The divide-by-zero condition can
be triggered remotely with a malformed packet.

- http://madwifi.org/ticket/1335 There is a vulnerability
in the packet parsing code whereby a remote attacker can
craft a malicious packet that causes a denial of
service. Due to improper sanitization of the nested
802.3 Ethernet frame length fields in Fast Frame
packets, the MadWifi driver is vulnerable to a remote
kernel denial of service. The frame length is read
directly from the attacker's packet without validation.
The attacker can specify a length such that, after the
skb_pull operation, skb1 is shorter than
sizeof(ethernet_header). When skb_pull is called again
on skb1 in athff_decap, it returns NULL, and that NULL
pointer is dereferenced later in the function.

- http://madwifi.org/ticket/1334 A restricted local user
can make an unprivileged I/O control call to the
driver's ieee80211_ioctl_getwmmparams. This function
accepts an array index from the user and validates it
incorrectly: it checks that the index is less than a
maximum value, but not that it is non-negative. A local
attacker can supply a large negative number that passes
the check and causes an invalid array dereference.
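The validation that ticket 1335 describes as missing, as an added example in C that is not madwifi or kernel code: a stand-in for sk_buff with the skb_pull contract the advisory describes, and a decapsulation routine that checks the packet-supplied nested length before pulling and never assumes the pull succeeded. The frame layout, struct and function names are constructed for illustration, not the real Fast Frame encoding.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HLEN 14  /* the sizeof(ethernet_header) the advisory refers to */

/* Hypothetical stand-in for the kernel sk_buff: data pointer + bytes left. */
struct fake_skb { const uint8_t *data; size_t len; };

/* skb_pull as the advisory describes it: NULL when fewer than n bytes remain. */
static const uint8_t *fake_skb_pull(struct fake_skb *skb, size_t n)
{
    if (skb->len < n)
        return NULL;
    skb->data += n;
    skb->len -= n;
    return skb->data;
}

/* Hardened decapsulation of one nested frame. Constructed layout, not the real
 * Fast Frame encoding: a 2-byte big-endian length, then a nested 802.3 frame of
 * that many bytes that starts with a 14-byte Ethernet header.
 * Returns the nested payload length, or -1 for a malformed packet. */
long decap_nested(struct fake_skb *skb, struct fake_skb *nested)
{
    if (skb->len < 2)
        return -1;
    size_t nlen = ((size_t)skb->data[0] << 8) | skb->data[1];
    if (fake_skb_pull(skb, 2) == NULL)
        return -1;
    /* The length came from the packet: reject it unless it covers bytes that
     * are really present and at least a whole header. Without this, the header
     * pull below returns NULL, which the original code went on to dereference. */
    if (nlen > skb->len || nlen < ETH_HLEN)
        return -1;
    nested->data = skb->data;
    nested->len = nlen;
    if (fake_skb_pull(nested, ETH_HLEN) == NULL)  /* checked, never assumed */
        return -1;
    fake_skb_pull(skb, nlen);  /* consume the nested frame from the aggregate */
    return (long)nested->len;
}

/* Builds a constructed aggregate holding one 18-byte nested frame (14-byte
 * header + 4 payload bytes) whose length field is set to 'claimed'. */
long run_case(uint16_t claimed)
{
    uint8_t pkt[2 + 18] = { (uint8_t)(claimed >> 8), (uint8_t)claimed };
    struct fake_skb agg = { pkt, sizeof pkt }, nested;
    return decap_nested(&agg, &nested);  /* 18 -> 4; 5 or 64 -> -1 */
}
```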

NOTE: The version number 0.9.3.1 is actually lower than the version
number shipped in Scientific Linux 4.x. This is correct. This really
is the latest version of madwifi. We have adjusted the RPMs so that
they can handle this.

See also :

http://www.nessus.org/u?07188c45
http://madwifi.org/ticket/1270
http://madwifi.org/ticket/1334
http://madwifi.org/ticket/1335
http://www.nessus.org/u?466a3814

Solution :

Update the affected packages.

Risk factor :

High

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 60188
