{"vuid":"VU#403152","idnumber":"403152","name":"NetGear wireless driver fails to properly process specially-crafted 802.11 management frames","keywords":["NetGear","WG311v1","heap overflow","arbitrary code execution","WG311ND5.SYS","overly long SSIDs","information element"],"overview":"A buffer overflow vulnerability exists in the Netgear WG311ND5.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition.","clean_desc":"The WG311ND5.SYS driver is a wireless (802.11g) device driver produced by Netgear that ships with the WG311v1 wireless adapter. A heap buffer overflow vulnerability has been reported in the WG311ND5.SYS driver. This overflow occurs because the driver does not properly process the SSID information element part of 802.11 management frames. An attacker within radio range may be able to trigger the overflow by sending a specially-crafted 802.11 management frame to a vulnerable system. Since 802.11b and 802.11g management frames are not encrypted or authenticated, using wireless encryption (WEP/WPA) does not mitigate this vulnerability. Note that Linux or Unix systems that use NDISWrapper or similar technologies to load the WG311ND5.SYS driver may also be vulnerable.","impact":"An attacker may be able to execute arbitrary code, or cause a denial-of-service condition.","resolution":"We are currently unaware of a practical solution to this problem.","workarounds":"Disable wireless adapters Disabling wireless adapters may reduce the chances of this vulnerability being exploited.","sysaffected":"","thanks":"This issue was reported by Laurent Butti, H D Moore and LMH on the \nMonth of Kernel Bugs\n website.","author":"This document was written by Ryan Giobbi.","public":["http://projects.info-pull.com/mokb/MOKB-22-11-2006.html","http://secunia.com/advisories/23051/","http://standards.ieee.org/getieee802/download/802.11-1999.pdf"],"cveids":["CVE-2006-6125"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-11-24T15:32:45Z","publicdate":"2006-11-22T00:00:00Z","datefirstpublished":"2006-11-27T13:58:56Z","dateupdated":"2006-11-27T13:59:07Z","revision":18,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"3","cam_impact":"6","cam_easeofexploitation":"4","cam_attackeraccessrequired":"16","cam_scorecurrent":"0.4968","cam_scorecurrentwidelyknown":"0.4968","cam_scorecurrentwidelyknownexploited":"0.9288","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.4968,"vulnote":null}