Linksys WAP4400N Marvell Wireless 88W8361P-BEM1 Chipset Driver Remote Denial-of-Service Vulnerability

Vulnerability ID: 1184962
Vulnerability type: Input validation
Published: 2008-10-13
Updated: 2008-10-16
CVE ID: CVE-2008-4441
CNNVD-ID: CNNVD-200810-229
Platform: N/A
CVSS score: 7.1
|Vulnerability source
https://www.securityfocus.com/bid/31742
https://cxsecurity.com/issue/WLB-2008100156
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-229
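|Vulnerability details
The Linksys WAP4400N is a small wireless router. Linksys WAP4400N routers fitted with the MARVELL 88W8361P-BEM1 chipset do not correctly handle malformed association requests that are too short, so a remote attacker can crash the router by sending a malicious 802.11 frame. The vulnerability is exploitable only when the access point is in WEP mode and the association request contains the WEP flag.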
|Vulnerability EXP
Title:
------
* Marvell Driver Malformed Association Request Vulnerability

Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
MARVELL-based Linksys WAP4400N) do not correctly parse some malformed
802.11 frames.

Assigned CVE:
-------------
* CVE-2008-4441

Details:
--------
* The bug can be triggered thanks to a malformed association request
which is typically too short (truncated). Any association request sent
in the air by the attacker will be parsed by the access point wireless
driver and thus may trigger some implementation bugs. This bug is only
triggerable when the access point is in WEP mode and if the association
request contains the WEP flag.

Attack Impact:
--------------
* Denial-of-service (reboot or hang-up) and possibly remote arbitrary
code execution

Attack Vector:
--------------
* Unauthenticated wireless device

Timeline:
---------
* 2008-05-26 - Vulnerability reported to Linksys
* 2008-05-26 - Full details sent to Linksys
* 2008-10-13 - Public disclosure

Affected Products:
------------------
* Linksys WAP4400N (firmware v1.2.14) with MARVELL 88W8361P-BEM1 chipset

Vulnerable Devices:
-------------------
* As it is a wireless driver specific issue, the wireless vendor should
use the latest chipset wireless driver for their access point firmwares.
This security vulnerability was reported to Linksys, updated firmwares
(such as the 1.2.17 firmware) should be available on their web site. Any
other wireless device relying on this vulnerable wireless driver is
likely to be vulnerable.

Credits:
--------
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
|Affected products
Marvell Semiconductor 88W8361P-BEM1 chipset 0
Linksys WAP4400N 1.2.14
|References

Source: XF
Name: linksys-wap4400n-request-dos(45841)
Link: http://xforce.iss.net/xforce/xfdb/45841
Source: BID
Name: 31742
Link: http://www.securityfocus.com/bid/31742
Source: BUGTRAQ
Name: 20081013 Marvell Driver Malformed Association Request Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/497285/100/0/threaded
Source: VUPEN
Name: ADV-2008-2805
Link: http://www.frsirt.com/english/advisories/2008/2805
Source: SREASON
Name: 4400
Link: http://securityreason.com/securityalert/4400
Source: SECUNIA
Name: 32259
Link: http://secunia.com/advisories/32259