===================================================================== CERT-Renater Note d'Information No. 2006/VULN017 _____________________________________________________________________ DATE : 19/01/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : FreeBSD 6.0 running IEEE 802.11 network. ====================================================================== ============================================================================= FreeBSD-SA-06:05.80211 Security Advisory The FreeBSD Project Topic: IEEE 802.11 buffer overflow Category: core Module: net80211 Announced: 2006-01-18 Credits: Karl Janmar Affects: FreeBSD 6.0 Corrected: 2006-01-18 09:03:15 UTC (RELENG_6, 6.0-STABLE) 2006-01-18 09:03:36 UTC (RELENG_6_0, 6.0-RELEASE-p3) CVE Name: CVE-2006-0226 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The IEEE 802.11 network subsystem of FreeBSD implements the protocol negotiation used for wireless networking. II. Problem Description An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. III. Impact An attacker able broadcast a carefully crafted beacon or probe response frame may be able to execute arbitrary code within the context of the FreeBSD kernel on any system scanning for wireless networks. IV. Workaround No workaround is available, but systems without IEEE 802.11 hardware or drivers loaded are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - - ------------------------------------------------------------------------- RELENG_6 src/sys/net80211/ieee80211_ioctl.c 1.25.2.9 RELENG_6_0 src/UPDATING 1.416.2.3.2.8 src/sys/conf/newvers.sh 1.69.2.8.2.4 src/sys/net80211/ieee80211_ioctl.c 1.25.2.3.2.1 - - ------------------------------------------------------------------------- VII. References http://www.signedness.org/advisories/sps-0x1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0226 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================