Critical error in madwifi driver
Versions of the madwifi driver (a Linux and BSD driver for WLAN cards with Atheros chips) prior to the current version 0.9.2 are, under certain circumstances, vulnerable to remote exploits. If it searches for access points in client mode, an attacker, pretending to be an AP, can inject external code via the wireless connection and execute it in the kernel context.
This works, for example, with madwifi itself, as the driver works in master mode as an AP as required. Because there is no workaround for the original stack overflow in two functions, the developers have released an interim bug-fixed version 0.9.2.1 and advise users to update as soon as possible. The next regular version, 0.9.3, should be released at the end of next week.
- HEADS UP: Security issue fixed in release 0.9.2.1 / r1842 - CVE-2006-6332, announcement on the madwifi list
- Madwifi < 0.9.2.1 remote buffer overflow vulnerability, security advisory from Butti, Razniewski and Tinnes