Wireless Card Vulnerabilities
This information comes from SANS, dated November 13, 2006:
Windows laptops with wireless cards that use Broadcom device drivers (Broadcom chips are used in machines from HP, Dell, Gateway, and eMachines) are directly vulnerable to the attack that has gotten so much press on Macintosh wireless. You are vulnerable if your wireless card is turned on, even if you are not connected to a wireless access point.
Affected: Broadcom BCMWL5.SYS Driver version 3.50.21.10 and possibly prior
Description: The Broadcom BCMWL5.SYS device driver, used to control Broadcom wireless cards, contains a buffer overflow vulnerability. By sending an overly long SSID in a probe response, an attacker could exploit this buffer overflow and take complete control of the vulnerable system. No authentication is required, and attackers need only be within wireless range of the vulnerable system. This driver is primarily designed for Microsoft Windows systems, but it is believed to be compatible with the "NdisWrapper" cross-platform driver framework, making it possible to run this driver under Linux on the Intel platform.
This vulnerability was discovered as part of a project to discover bugs in various operating systems' kernels. A working exploit is available for this vulnerability. This vulnerability is similar to one discovered for Mac OS X and documented in an earlier issue of @RISK.
Status: Some vendors have supplied patches for this vulnerability for their wireless cards.
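Code that copies the SSID from a probe response into a fixed-size buffer has to bound the copy by the 32-byte maximum that the 802.11 standard allows, not by the length byte received over the air. The following is an added example of that check, not Broadcom's driver code and not part of the SANS advisory; the function name `parse_ssid`, the result codes and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_SSID      0   /* 802.11 element ID of the SSID element */
#define SSID_MAX_LEN 32  /* longest SSID the 802.11 standard allows */

/* Hypothetical result codes for this example. */
enum { SSID_OK = 0, SSID_NOT_FOUND = -1, SSID_MALFORMED = -2 };

/*
 * Walk the tagged parameters (ID byte, length byte, value) of a probe
 * response and copy the SSID into out. ies/ies_len cover only the tagged
 * parameters, i.e. the frame body after its 12 bytes of fixed fields.
 */
int parse_ssid(const uint8_t *ies, size_t ies_len,
               uint8_t out[SSID_MAX_LEN], size_t *out_len)
{
    size_t off = 0;

    while (ies_len - off >= 2) {
        uint8_t id = ies[off], len = ies[off + 1];
        off += 2;
        /* The length byte is attacker-controlled: it must fit the frame. */
        if (len > ies_len - off)
            return SSID_MALFORMED;
        if (id == IE_SSID) {
            /* Bound the copy by the destination size, not the wire value. */
            if (len > SSID_MAX_LEN)
                return SSID_MALFORMED;
            memcpy(out, ies + off, len);
            *out_len = len;
            return SSID_OK;
        }
        off += len;
    }
    return SSID_NOT_FOUND;
}

/* Constructed sample: SSID "home" followed by a one-byte rates element. */
static const uint8_t sample_ok[] = { 0, 4, 'h', 'o', 'm', 'e', 1, 1, 0x82 };

int main(void)
{
    uint8_t ssid[SSID_MAX_LEN];
    size_t n = 0;
    return parse_ssid(sample_ok, sizeof sample_ok, ssid, &n); /* SSID_OK */
}
```

A frame rejected as `SSID_MALFORMED` is also worth logging, since a compliant access point never sends an SSID element longer than 32 bytes.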
References:
Month of Kernel Bugs Security Advisory
http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
Broadcom Wireless Home Page
http://www.broadcom.com/products/Wireless-LAN
Wikipedia Entry on Device Drivers
http://en.wikipedia.org/wiki/Device_Driver
NdisWrapper Home Page
http://ndiswrapper.sourceforge.net/
Previous @RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=5&i=31#vulnerabilities1
New, more secure drivers are expected, so be aware and watch for updates.

