Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <528596A1.4030403@redhat.com>
Date: Thu, 14 Nov 2013 20:36:01 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ath9k_htc improperly updates MAC
 address

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/14/2013 03:03 PM, Mathy Vanhoef wrote:
> Hi,
> 
> 
> 
> This concerns a bug in the ath9k_htc driver: When a user
> changes/spoofs their MAC address, an attacker can retrieve the
> original MAC address, which is a potential privacy risk. Debian bug
> report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729573

Nifty, please use CVE-2013-4579 for this issue.

> 
> Background of the bug: 
> http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html
>
> 
> 
> 
> The cause of the bug is in ath9k_htc_set_bssid_mask [1]. Here the
> MAC address of one of the virtual interfaces should be picked as
> the new main MAC address of the device. However the main MAC
> address (stored in common->macaddr) is never updated. The ath9k
> does implement this properly and sets the main MAC address to the
> MAC address of one of the virtual interfaces (by first writing it
> to iter_data->hw_macaddr and then copying it over to
> common->macaddr [2]). Note that ath_hw_setbssidmask updates the
> main MAC address register for both the ath9k and ath9k_htc drivers
> [3].
> 
> 
> 
> Can a CVE please be assigned?
> 
> 
> 
> Cheers,
> 
> Mathy
> 
> 
> 
> 
> 
> [1] 
> <http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/htc_drv
>
> 
_main.c?a=microblaze#L145>
> http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/htc_drv_
>
> 
main.c?a=microblaze#L145
> 
> [2] 
> <http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/main.c#
>
> 
L831>
> http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/main.c#L
>
> 
831
> 
> [3] 
> <http://lxr.free-electrons.com/source/drivers/net/wireless/ath/hw.c#L118>
>
> 
http://lxr.free-electrons.com/source/drivers/net/wireless/ath/hw.c#L118
> 
> 
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJShZahAAoJEBYNRVNeJnmTrY8QAKqpmcLHP4uKj0G5XJa6kim/
flveF69o9xzumM3Is+CYhA4XXzvVp7ibFIXgUKLc8TjNX7K7xJ/KssIrOw34SlG9
vX4oXSvtHFDgvteF/ZzRwe/yfxtJH9EN2T8vHSUUNgkJxmmE31R5SWIcVQRHHH9Z
yn6JxnTWSTs+fsme7j80hsrIXWQghdDTz38BAyCKM4QysV74Ke6aaFljeK/zwJxK
wDIr0CMwTnApjzq1jNnqApuM41K9qCQFp/1U5XrWmbFXoj8N+wq2TWQug9Xpxgpw
0+c4U2sqDR4Ea/OyCT8C8EYzhX1UPzSCDEKAs77FIFvslbNI8VwHs9jDKqk6RaJ5
igSbD5GIZ5islRJgVT18jWZPHVyaZKKo9LVxO7xQjowi0oVMWMLQuyXQqtone5ox
QyBnI4Aiuou57RfTB+/8pNBtZmbDJZ/AKpAyjMDxGO1DzY10pk1DgqGj7c0DmCtH
HTAQvbgSRoOGj1+cYEDKOSOeXLGrZrbBec2HTfVksynLNhyXWC5Vh6FwqtZXFMcK
fyxnojR2AQj7uDY+GOEvtTtsEtAsLKuYgtn7jQc1ZoMnwMQk1ATYWvQ1bMnWuWeG
k1A9VSGZTTGMisrRHIQbds0RVG5AqoyU6/G+9caDFQ5plJ8chGNQbi92VBS4ucWe
AZy1SPy46ESrMNSXG4cx
=N2nW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.