From ${URL} :

This concerns a bug in the ath9k_htc driver: When a user changes/spoofs their MAC address, an attacker can retrieve the original MAC address, which is a potential privacy risk.

Debian bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729573
Background of the bug: http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html

The cause of the bug is in ath9k_htc_set_bssid_mask [1]. Here the MAC address of one of the virtual interfaces should be picked as the new main MAC address of the device. However the main MAC address (stored in common->macaddr) is never updated. The ath9k does implement this properly and sets the main MAC address to the MAC address of one of the virtual interfaces (by first writing it to iter_data->hw_macaddr and then copying it over to common->macaddr [2]). Note that ath_hw_setbssidmask updates the main MAC address register for both the ath9k and ath9k_htc drivers [3].

[1] http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/htc_drv_main.c?a=microblaze#L145
[2] http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/main.c#L831
[3] http://lxr.free-electrons.com/source/drivers/net/wireless/ath/hw.c#L118
CVE-2013-4579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4579): The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations.
In 3.12.7 as 657eb17d87852c42b55c4b06d5425baa08b2ddb3.
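The stale-address condition described in the report above, as an added example that is not part of the original report or of the kernel source: a simplified user-space C model of a main MAC register plus BSSID mask, usable as a regression check that the address filter no longer matches the permanent address once the main MAC is updated. The struct, the function names, the filter rule and the sample addresses are assumptions made for this illustration.

```c
/* Simplified user-space model of the address filter; not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_ALEN 6

/* Hypothetical stand-in for the fields of common used by the filter. */
struct model_common {
    uint8_t macaddr[ETH_ALEN];   /* main MAC address register */
    uint8_t bssidmask[ETH_ALEN]; /* BSSID mask register */
};

/* Assumed filter rule: accept when every masked bit equals the main MAC. */
static bool hw_accepts(const struct model_common *c, const uint8_t *dst)
{
    for (int i = 0; i < ETH_ALEN; i++)
        if ((dst[i] ^ c->macaddr[i]) & c->bssidmask[i])
            return false;
    return true;
}

/* Recompute the mask over the interface addresses. With update_main set,
 * the first interface address becomes the main MAC (the ath9k behaviour
 * described above); without it, macaddr keeps its old value (ath9k_htc). */
static void set_bssid_mask(struct model_common *c,
                           const uint8_t (*vifs)[ETH_ALEN], size_t n,
                           bool update_main)
{
    if (update_main && n > 0)
        memcpy(c->macaddr, vifs[0], ETH_ALEN);
    memset(c->bssidmask, 0xff, ETH_ALEN);
    for (size_t v = 0; v < n; v++)
        for (int i = 0; i < ETH_ALEN; i++)
            c->bssidmask[i] &= (uint8_t)~(c->macaddr[i] ^ vifs[v][i]);
}

/* Filter decision, after an address change, for the permanent address
 * (use_permanent) or for the newly configured interface address. */
static bool matches_after_change(bool update_main, bool use_permanent)
{
    /* Constructed sample addresses. */
    const uint8_t permanent[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t vifs[1][ETH_ALEN] = {{0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee}};
    struct model_common c;
    memcpy(c.macaddr, permanent, ETH_ALEN);
    set_bssid_mask(&c, vifs, 1, update_main);
    return hw_accepts(&c, use_permanent ? permanent : vifs[0]);
}

int main(void)
{
    printf("permanent address matches: stale=%d updated=%d\n",
           matches_after_change(false, true), matches_after_change(true, true));
    return 0;
}
```

In this model the configured interface address is accepted in both cases; only the treatment of the permanent address differs, which is the property a fix has to restore.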