{"vuid":"VU#209376","idnumber":"209376","name":"Broadcom wireless driver fails to properly process 802.11 probe response frames","keywords":["Broadcom","BCMWL5.SYS","stack based buffer overflow","arbitrary code execution","wireless device driver","802.11 probe responses","SSID","information element"],"overview":"A buffer overflow vulnerability exists in the Broadcom BCMWL5.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition.","clean_desc":"The BCMWL5.SYS driver is a wireless (802.11) device driver produced by Broadcom. See the systems affected section of this document for a list of vendors that ship this driver. In addition to laptop and desktop systems, this driver may also be used in access points, media centers, and other network appliances. A buffer overflow vulnerability exists in the BCMWL5.SYS driver. An attacker may be able to trigger the overflow by sending a malformed SSID probe response frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted, using wireless encryption (WEP/WPA) does not mitigate this vulnerability. Note that Linux or Unix systems that use NDISWrapper or similar technologies to load the BCMWL5.SYS driver may also be vulnerable.","impact":"A remote, unauthenticated attacker may be able to execute arbitrary code, or cause a denial-of-service condition on a vulnerable system.","resolution":"Upgrade\nSome manufacturers and OEMs have released an upgraded driver to address this issue. See the Systems Affected section of this document for more information.","workarounds":"Disable wireless adapters\nDisabling wireless adapters may reduce the chances of this vulnerability being exploited.\nUse wired networking methods until updates can be applied\nUsing wired networks, such as Ethernet adapters or other extended LAN technologies, until vulnerable wireless drivers can be updated will prevent this vulnerability from being exploited.","sysaffected":"","thanks":"This issue was publicly reported by Johnny Cache on \nThe Month of Kernel Bugs Website","author":"This document was written by Ryan Giobbi.","public":["http://projects.info-pull.com/mokb/MOKB-11-11-2006.html","http://secunia.com/advisories/22831/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-11-11T14:41:16Z","publicdate":"2006-11-11T00:00:00Z","datefirstpublished":"2006-11-14T17:25:11Z","dateupdated":"2007-01-17T13:56:36Z","revision":46,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"4","cam_widelyknown":"18","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"14","cam_impact":"5","cam_easeofexploitation":"3","cam_attackeraccessrequired":"18","cam_scorecurrent":"1.630125","cam_scorecurrentwidelyknown":"1.771875","cam_scorecurrentwidelyknownexploited":"3.189375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":1.630125,"vulnote":null}