Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 14 Nov 2013 20:36:01 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ath9k_htc improperly updates MAC
 address

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/14/2013 03:03 PM, Mathy Vanhoef wrote:
> Hi,
> 
> 
> 
> This concerns a bug in the ath9k_htc driver: When a user
> changes/spoofs their MAC address, an attacker can retrieve the
> original MAC address, which is a potential privacy risk. Debian bug
> report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729573

Nifty, please use CVE-2013-4579 for this issue.

> 
> Background of the bug: 
> http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html
>
> 
> 
> 
> The cause of the bug is in ath9k_htc_set_bssid_mask [1]. Here the
> MAC address of one of the virtual interfaces should be picked as
> the new main MAC address of the device. However the main MAC
> address (stored in common->macaddr) is never updated. The ath9k
> does implement this properly and sets the main MAC address to the
> MAC address of one of the virtual interfaces (by first writing it
> to iter_data->hw_macaddr and then copying it over to
> common->macaddr [2]). Note that ath_hw_setbssidmask updates the
> main MAC address register for both the ath9k and ath9k_htc drivers
> [3].
> 
> 
> 
> Can a CVE please be assigned?
> 
> 
> 
> Cheers,
> 
> Mathy
> 
> 
> 
> 
> 
> [1] 
> <http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/htc_drv
>
> 
_main.c?a=microblaze#L145>
> http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/htc_drv_
>
> 
main.c?a=microblaze#L145
> 
> [2] 
> <http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/main.c#
>
> 
L831>
> http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/main.c#L
>
> 
831
> 
> [3] 
> <http://lxr.free-electrons.com/source/drivers/net/wireless/ath/hw.c#L118>
>
> 
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/hw.c#L118
> 
> 
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJShZahAAoJEBYNRVNeJnmTrY8QAKqpmcLHP4uKj0G5XJa6kim/
flveF69o9xzumM3Is+CYhA4XXzvVp7ibFIXgUKLc8TjNX7K7xJ/KssIrOw34SlG9
vX4oXSvtHFDgvteF/ZzRwe/yfxtJH9EN2T8vHSUUNgkJxmmE31R5SWIcVQRHHH9Z
yn6JxnTWSTs+fsme7j80hsrIXWQghdDTz38BAyCKM4QysV74Ke6aaFljeK/zwJxK
wDIr0CMwTnApjzq1jNnqApuM41K9qCQFp/1U5XrWmbFXoj8N+wq2TWQug9Xpxgpw
0+c4U2sqDR4Ea/OyCT8C8EYzhX1UPzSCDEKAs77FIFvslbNI8VwHs9jDKqk6RaJ5
igSbD5GIZ5islRJgVT18jWZPHVyaZKKo9LVxO7xQjowi0oVMWMLQuyXQqtone5ox
QyBnI4Aiuou57RfTB+/8pNBtZmbDJZ/AKpAyjMDxGO1DzY10pk1DgqGj7c0DmCtH
HTAQvbgSRoOGj1+cYEDKOSOeXLGrZrbBec2HTfVksynLNhyXWC5Vh6FwqtZXFMcK
fyxnojR2AQj7uDY+GOEvtTtsEtAsLKuYgtn7jQc1ZoMnwMQk1ATYWvQ1bMnWuWeG
k1A9VSGZTTGMisrRHIQbds0RVG5AqoyU6/G+9caDFQ5plJ8chGNQbi92VBS4ucWe
AZy1SPy46ESrMNSXG4cx
=N2nW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ