Security hole in ndiswrapper for Linux
A flaw in ndiswrapper's Windows Wi-Fi driver support compromises the security of Linux systems. It is caused by a buffer overflow, triggered when an extremely long Extended Service Set IDentifier (ESSID) is processed. According to the security notice it is sufficient for an attacker to be within range of a vulnerable client and send specially crafted packets. A security report from Ubuntu says this allows code to be injected into a system and executed at kernel privilege level.
Gentoo's bug database, on the other hand, only talks about system crashes. Mandriva already updated its ndiswrapper module last week; whether the update also corrects the current problem is not mentioned in the advisory.
The affected code is in ndiswrapper version 1.53, as found, for example, in Ubuntu's 2.6.27 kernel. Installing the updated distribution packages solves the problem. A patch released by the developers of ndiswrapper is available for its source code, which also closes the hole.
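An overflow of this kind, where a network-supplied ESSID is longer than the buffer it is copied into, is prevented by validating the length before the copy. The following C example is added here for illustration and is not ndiswrapper's code or its patch; the function name, the struct and the sample bytes are hypothetical, and the 32-octet limit is the IEEE 802.11 maximum for an SSID.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ESSID_MAX_LEN 32   /* IEEE 802.11 limits an SSID to 32 octets */
#define IE_ID_SSID    0    /* element ID of the SSID information element */

struct essid {
    uint8_t len;
    uint8_t data[ESSID_MAX_LEN];
};

/* Hypothetical helper: parse one SSID element (id, length, payload) taken
 * from a received frame. Returns 0 on success, -1 if it is malformed. */
int parse_ssid_ie(const uint8_t *ie, size_t ie_len, struct essid *out)
{
    if (ie == NULL || out == NULL || ie_len < 2)
        return -1;                      /* no room for id + length */
    if (ie[0] != IE_ID_SSID)
        return -1;
    size_t claimed = ie[1];             /* length byte chosen by the sender */
    if (claimed > ESSID_MAX_LEN)
        return -1;                      /* would overflow out->data */
    if (claimed > ie_len - 2)
        return -1;                      /* would read past the received data */
    memset(out, 0, sizeof(*out));
    memcpy(out->data, ie + 2, claimed);
    out->len = (uint8_t)claimed;
    return 0;
}

/* Constructed sample elements, not captured traffic. */
const uint8_t sample_ok[]    = { 0, 6, 'l', 'a', 'b', '-', 'a', 'p' };
const uint8_t sample_long[]  = { 0, 200, 'A', 'A', 'A', 'A' };  /* length > 32 */
const uint8_t sample_trunc[] = { 0, 10, 'a', 'b', 'c' };        /* length > payload */

int main(void)
{
    struct essid e;
    int ok = parse_ssid_ie(sample_ok, sizeof(sample_ok), &e) == 0
          && parse_ssid_ie(sample_long, sizeof(sample_long), &e) == -1
          && parse_ssid_ie(sample_trunc, sizeof(sample_trunc), &e) == -1;
    return ok ? 0 : 1;                  /* exit status 0 when all checks hold */
}
```

Both checks matter: the first protects the destination buffer, the second keeps the copy from reading beyond the bytes that were actually received.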
The ndiswrapper module isn't an official component of the Linux kernel and needs to be added separately by the distributor or user. The kernel developers and the ndiswrapper developers have also had occasional licensing disagreements. Despite those disagreements, users with the very latest Wi-Fi hardware often need to fall back on ndiswrapper to run their Windows drivers when the Linux developers haven't developed or released their own drivers.
- Linux kernel vulnerabilities, Ubuntu security notice
- net-wireless/ndiswrapper <1.53-r1 overflow leading to kernel DoS, description in Gentoo's bug database
- MDVSA-2008:223, advisory by Mandriva