Bug 491376 (CVE-2013-4579) - Kernel : >ath9k_htc improperly updates MAC address (CVE-2013-4579)
Status: RESOLVED FIXED
Alias: CVE-2013-4579
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Kernel Security
URL: http://www.openwall.com/lists/oss-sec...
Reported: 2013-11-15 20:30 UTC by Agostino Sarubbo
Modified: 2022-03-25 15:49 UTC
Description Agostino Sarubbo gentoo-dev 2013-11-15 20:30:06 UTC
From ${URL} :

This concerns a bug in the ath9k_htc driver: When a user changes/spoofs
their MAC address, an attacker can retrieve the original MAC address, which
is a potential privacy risk. Debian bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729573

Background of the bug:
http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html

The cause of the bug is in ath9k_htc_set_bssid_mask [1]. Here the MAC
address of one of the virtual interfaces should be picked as the new main
MAC address of the device. However the main MAC address (stored in
common->macaddr) is never updated. The ath9k does implement this properly
and sets the main MAC address to the MAC address of one of the virtual
interfaces (by first writing it to iter_data->hw_macaddr and then copying it
over to common->macaddr [2]). Note that ath_hw_setbssidmask updates the main
MAC address register for both the ath9k and ath9k_htc drivers [3].

[1] http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/htc_drv_main.c?a=microblaze#L145

[2] http://lxr.free-electrons.com/source/drivers/net/wireless/ath/ath9k/main.c#L831

[3] http://lxr.free-electrons.com/source/drivers/net/wireless/ath/hw.c#L118
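The root cause described above, as an added example that is not part of the report and is not kernel code: a simplified user-space model of a main-address-plus-mask receive filter, comparing a stale main address with one taken from a virtual interface. The struct, the function names, the sample addresses and the matching rule (a mask bit of 1 means the bit must match the main address) are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

/* Model assumption: a mask bit of 1 means "this bit must match macaddr". */
struct hw_filter {
    uint8_t macaddr[ETH_ALEN];   /* main MAC address register */
    uint8_t bssidmask[ETH_ALEN]; /* BSSID mask register */
};

/* Constructed sample addresses, not taken from the report. */
static const uint8_t PERMANENT[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
static const uint8_t VIFS[1][ETH_ALEN] = {{0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee}};

/* Clear every mask bit in which some virtual interface differs from base. */
static void build_filter(struct hw_filter *f, const uint8_t *base,
                         const uint8_t vifs[][ETH_ALEN], int n_vifs)
{
    memcpy(f->macaddr, base, ETH_ALEN);
    memset(f->bssidmask, 0xff, ETH_ALEN);
    for (int v = 0; v < n_vifs; v++)
        for (int i = 0; i < ETH_ALEN; i++)
            f->bssidmask[i] &= (uint8_t)~(base[i] ^ vifs[v][i]);
}

/* Receive filter: accept when all masked bits equal the main address. */
static int hw_accepts(const struct hw_filter *f, const uint8_t *dst)
{
    for (int i = 0; i < ETH_ALEN; i++)
        if ((dst[i] ^ f->macaddr[i]) & f->bssidmask[i])
            return 0;
    return 1;
}

/* Program the filter from the given base address, then test one destination. */
int filter_accepts(const uint8_t *base, const uint8_t *dst)
{
    struct hw_filter f;
    build_filter(&f, base, VIFS, 1);
    return hw_accepts(&f, dst);
}

int main(void)
{
    /* Stale base: main address was never updated after the MAC change. */
    printf("stale base, permanent MAC accepted: %d\n", filter_accepts(PERMANENT, PERMANENT));
    /* Updated base: main address is the MAC of a virtual interface. */
    printf("updated base, permanent MAC accepted: %d\n", filter_accepts(VIFS[0], PERMANENT));
    return 0;
}
```

In this model the stale base leaves the filter matching the permanent address as well as the configured one, while the updated base yields an all-ones mask that matches only the configured address.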
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:40:44 UTC
CVE-2013-4579 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4579):
  The ath9k_htc_set_bssid_mask function in
  drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through
  3.12 uses a BSSID masking approach to determine the set of MAC addresses on
  which a Wi-Fi device is listening, which allows remote attackers to discover
  the original MAC address after spoofing by sending a series of packets to
  MAC addresses with certain bit manipulations.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 15:49:21 UTC
In 3.12.7 as 657eb17d87852c42b55c4b06d5425baa08b2ddb3.