Security Vulnerabilities in the MadWifi Driver
This page gives an overview of the security-related issues that have been reported for MadWifi, with the changeset and release in which each one was fixed.
Current Status
2007-10-18: The current MadWifi release is v0.9.3.3, for which no security-related issues are known.
Past security issues
CVE ID: CVE-
Summary: Allows remote attackers to cause a denial of service (panic) via a beacon frame with a large length value in the extended supported rates (xrates) element, which triggers an assertion error.
Confirmed by: release announcement
Fixed in changeset: r2724 (trunk), r2749 (releases/0.9.3)
Fixed in release: v0.9.3.3

CVE ID: CVE-
Summary: The beacon interval information that is gathered while scanning for Access Points is not properly validated. This could be exploited from remote to cause a DoS due to a "division by zero" exception.
Confirmed by: #1270
Fixed in changeset: r2348 (trunk), r2366 (tags/release-0.9.3.1)
Fixed in release: v0.9.3.1

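The two entries above are instances of the same class of bug: a value carried in an over-the-air beacon (an element length, a beacon interval) is used before it is checked against the buffer it is copied into or the arithmetic it feeds. The following standalone beacon-body parser is an added illustration written for this page; it is not MadWifi's code and not the fix from r2724 or r2348. It bounds-checks every information element against the remaining frame, rejects a rate set that would not fit a fixed-size table instead of asserting on it, and refuses a zero beacon interval before anything can divide by it. The element IDs (1 and 50) and the 12-byte fixed-field layout follow IEEE 802.11; the 15-entry rate table, the return codes and the sample frames are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IEEE 802.11 element IDs for Supported Rates and Extended Supported Rates. */
#define ELEMID_RATES   1
#define ELEMID_XRATES  50
/* Assumed size of the fixed rate table the rates are collected into. */
#define RATE_MAXSIZE   15

struct beacon_info {
    uint16_t bintval;               /* beacon interval in TU, must be non-zero */
    uint8_t  nrates;
    uint8_t  rates[RATE_MAXSIZE];
};

enum {
    BEACON_OK           = 0,
    BEACON_TRUNCATED    = -1,       /* frame shorter than its lengths claim */
    BEACON_BAD_INTERVAL = -2,       /* beacon interval of zero */
    BEACON_BAD_RATES    = -3        /* rate elements exceed the rate table */
};

/* Parse a beacon body (everything after the 802.11 MAC header):
 * 8-byte timestamp, 2-byte little-endian beacon interval, 2-byte capability,
 * followed by a list of (id, length, data...) information elements. */
int parse_beacon(const uint8_t *body, size_t len, struct beacon_info *out)
{
    const uint8_t *p, *end;

    memset(out, 0, sizeof(*out));
    if (len < 12)
        return BEACON_TRUNCATED;

    out->bintval = (uint16_t)body[8] | (uint16_t)(body[9] << 8);
    /* Anything that later computes elapsed_time / bintval would fault on zero. */
    if (out->bintval == 0)
        return BEACON_BAD_INTERVAL;

    p = body + 12;
    end = body + len;
    while (p < end) {
        uint8_t id, elen;

        if (end - p < 2)                        /* need id + length bytes */
            return BEACON_TRUNCATED;
        id = p[0];
        elen = p[1];
        if ((size_t)(end - p - 2) < elen)       /* element runs past the frame */
            return BEACON_TRUNCATED;

        switch (id) {
        case ELEMID_RATES:
        case ELEMID_XRATES:
            /* Refuse, rather than assert, when the element would overflow the table. */
            if (elen > RATE_MAXSIZE - out->nrates)
                return BEACON_BAD_RATES;
            memcpy(out->rates + out->nrates, p + 2, elen);
            out->nrates += elen;
            break;
        default:
            break;                              /* other elements are skipped */
        }
        p += 2 + elen;
    }
    return BEACON_OK;
}

/* Convenience wrappers: the parse result, or the rate count / interval on success. */
int beacon_rate_count(const uint8_t *body, size_t len)
{
    struct beacon_info bi;
    int rc = parse_beacon(body, len, &bi);
    return rc < 0 ? rc : bi.nrates;
}

int beacon_interval(const uint8_t *body, size_t len)
{
    struct beacon_info bi;
    int rc = parse_beacon(body, len, &bi);
    return rc < 0 ? rc : bi.bintval;
}

/* Constructed sample beacon bodies (not captures). Fixed fields first. */
const uint8_t beacon_good[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00,      /* interval 100 TU */
    ELEMID_RATES,  4, 0x82,0x84,0x8b,0x96,
    ELEMID_XRATES, 2, 0x0c,0x12
};
const uint8_t beacon_zero_interval[] = {
    0,0,0,0,0,0,0,0, 0x00,0x00, 0x01,0x00,      /* interval 0 */
    ELEMID_RATES, 1, 0x82
};
const uint8_t beacon_xrates_truncated[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00,
    ELEMID_XRATES, 0xff, 0x0c,0x12              /* claims 255 bytes, 2 present */
};
const uint8_t beacon_xrates_oversized[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00,
    ELEMID_XRATES, 20, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
};

int main(void)
{
    printf("good: rc=%d\n", beacon_rate_count(beacon_good, sizeof beacon_good));
    printf("zero interval: rc=%d\n", beacon_interval(beacon_zero_interval, sizeof beacon_zero_interval));
    printf("truncated xrates: rc=%d\n", beacon_rate_count(beacon_xrates_truncated, sizeof beacon_xrates_truncated));
    printf("oversized xrates: rc=%d\n", beacon_rate_count(beacon_xrates_oversized, sizeof beacon_xrates_oversized));
    return 0;
}
```

The two checks in the element loop are the ones that matter: the first keeps the parser inside the received frame, the second keeps the copy inside the fixed rate table. A KASSERT on the second condition only converts a remote overflow into a remote panic, which is exactly the first entry above; returning an error and dropping the frame is the behaviour a driver wants.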
CVE ID: CVE-
Summary: The code which parses fast frames and the 802.3 frames embedded therein does not properly validate the size parameters in such frames. This could be exploited from remote to cause a DoS due to a NULL-pointer dereference.
Confirmed by: #1335
Fixed in changeset: r2296 (trunk), r2366 (tags/release-0.9.3.1)
Fixed in release: v0.9.3.1

CVE ID: CVE-
Summary: A restricted local user could pass invalid data to two ioctl handlers, causing a DoS due to accesses to invalid addresses. This issue might also allow read and/or write access to kernel memory; this has not yet been verified.
Confirmed by: #1334
Fixed in changeset: r2280 (trunk), r2366 (tags/release-0.9.3.1)
Fixed in release: v0.9.3.1

CVE ID: CVE-
Summary: ieee80211_output.c in MadWifi before 0.9.3 sends unencrypted packets before WPA authentication succeeds, which allows remote attackers to obtain sensitive information (related to network structure), and possibly cause a denial of service (disrupted authentication) and conduct spoofing attacks.
Confirmed by: #967
Fixed in changeset: r1760
Fixed in release: v0.9.3

CVE ID: CVE-
Summary: ieee80211_input.c in MadWifi before 0.9.3 does not properly process Channel Switch Announcement Information Elements (CSA IEs), which allows remote attackers to cause a denial of service (loss of communication) via a Channel Switch Count less than or equal to one, triggering a channel change.
Confirmed by: #963
Fixed in changeset: r1762
Fixed in release: v0.9.3

CVE ID: CVE- CVE-
Summary: MadWifi before 0.9.3 does not properly handle reception of an AUTH frame by an IBSS node, which allows remote attackers to cause a denial of service (system crash) via a certain AUTH frame. MadWifi, when Ad-Hoc mode is used, allows remote attackers to cause a denial of service (system crash) via unspecified vectors that lead to a kernel panic in the ieee80211_input function, related to "packets coming from a 'malicious' WinXP system".
Confirmed by: #880
Fixed in changeset: r1818
Fixed in release: v0.9.3

CVE ID: CVE-
Summary: Stack-based buffer overflow in net80211/ieee80211_wireless.c in MadWifi before 0.9.2.1 allows remote attackers to execute arbitrary code via unspecified vectors, related to the encode_ie and giwscan_cb functions.
Confirmed by: release-0-9-2-1-fixes-critical-security-issue
Fixed in changesets: r1842, r1847
Fixed in releases: v0.9.3, v0.9.2.1

CVE ID: CVE-
Summary: The ath_rate_sample function in the ath_rate/sample/sample.c sample code in MadWifi before 0.9.3 allows remote attackers to cause a denial of service (failed KASSERT and system crash) by moving a connected system to a location with low signal strength, and possibly other vectors related to a race condition between interface enabling and packet transmission.
Confirmed by: #287
Fixed in changeset: before r1705 (see #287 for details)
Fixed in release: v0.9.3