SecurityTracker.com
Category:   OS (UNIX)  >   AirPort
Vendors:   Apple Computer
Apple AirPort Wireless Driver Has Buffer Overflows That Let Remote Users on the Wireless Network Execute Arbitrary Code
SecurityTracker Alert ID:  1016903
SecurityTracker URL:  http://securitytracker.com/id/1016903
CVE Reference:   CVE-2006-3507, CVE-2006-3508, CVE-2006-3509
Date:  Sep 21 2006
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.3.9, 10.4.7
Description:   Several vulnerabilities were reported in Apple AirPort. A remote user on the wireless network can execute arbitrary code on the target system or cause denial of service conditions.

A remote user on the wireless network can send specially crafted frames to trigger a stack overflow in the wireless driver and execute arbitrary code on the target system [CVE-2006-3507]. The code will run with system privileges. The Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini systems equipped with wireless capabilities are affected. The Intel-based Mac mini, MacBook, and MacBook Pro systems are not affected.

A remote user on the wireless network can send specially crafted frames to trigger a heap overflow in the wireless driver and execute arbitrary code on the target system with system privileges or cause the system to crash [CVE-2006-3508]. The vulnerability resides in the processing of scan cache updates. The Intel-based Mac mini, MacBook, and MacBook Pro systems equipped with wireless capabilities are affected. The Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini systems are not affected.

A remote user on the wireless network can send specially crafted frames to trigger an integer overflow in the wireless driver's API for 3rd party applications and execute arbitrary code on the target system or cause the system to crash [CVE-2006-3509]. The specific impact depends on the application that uses the API. The Intel-based Mac mini, MacBook, and MacBook Pro systems equipped with wireless capabilities are affected. The Power Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac mini systems are not affected.

Impact:   A remote user on the wireless network can execute arbitrary code on the target system.

A remote user on the wireless network can cause denial of service conditions.

Solution:   Apple has issued a fix as part of AirPort Update 2006-001 and Security Update 2006-005, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

Only one of the updates is needed (either AirPort Update 2006-001 or Security Update 2006-005) and Software Update will present the update that applies to your system configuration.

For Mac OS X v10.4.7 Build 8J2135 or 8J2135a
The download file is named: "AirPortUpdate2006001.dmg"
Its SHA-1 digest is: 94855a341c05344dab4f965c595c7149352d2617

For Mac OS X v10.4.7 Build 8J135
For Mac OS X Server v10.4.7 Build 8J135
The download file is named: "SecUpd2006-005Ti.dmg"
Its SHA-1 digest is: 32877c48193aa070c6e379bdec580b8d4a5c3ccc

For Mac OS X v10.4.7 Build 8K1079, 8K1106, 8K1123, or 8K1124
For Mac OS X Server v10.4.7 Build 8K1079
The download file is named: "SecUpd2006-005Univ.dmg"
Its SHA-1 digest is: fc1de2d328f41b74fa43cdc72af579618a05cc43

For Mac OS X v10.3.9 or Mac OS X Server v10.3.9
The download file is named: "SecUpd2006-005Pan.dmg"
Its SHA-1 digest is: e382c31989061772a7fae7bdab55efdebfdc8e1b

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9 systems, if the
Software Update utility does not present Security Update 2006-005,
the following two updates need to be installed:

AirPort 4.2
http://www.apple.com/support/downloads/airport42formacosx1033.html

AirPort Extreme Driver Update 2005-001
http://www.apple.com/support/downloads/airportextremedriverupdate2005001.html

Vendor URL:  docs.info.apple.com/article.html?artnum=61798
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 21 Sep 2006 13:07:51 -0700
Subject:  APPLE-SA-2006-09-21 AirPort Update 2006-001 and Security Update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2006-09-21 AirPort Update 2006-001 and
Security Update 2006-005

The security fixes described below are available in AirPort Update
2006-001 and Security Update 2006-005.  AirPort Update 2006-001
contains an additional non-security fix to address a reliability
issue that occurs on a limited number of MacBook Pro systems.

AirPort
CVE-ID:  CVE-2006-3507
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.7, Mac OS X Server v10.4.7
Impact:  Attackers on the wireless network may cause arbitrary
code execution
Description:  Two separate stack buffer overflows exist in the
AirPort wireless driver's handling of malformed frames. An
attacker in local proximity may be able to trigger an overflow
by injecting a maliciously-crafted frame into a wireless
network. When the AirPort card is on, this could lead to arbitrary
code execution with system privileges. This issue affects Power
Mac, PowerBook, iMac, Mac Pro, Xserve, and PowerPC-based Mac
mini computers equipped with wireless. Intel-based Mac mini,
MacBook, and MacBook Pro computers are not affected. There is no
known exploit for this issue. This update addresses the issues
by performing additional validation of wireless frames.

AirPort
CVE-ID:  CVE-2006-3508
Available for:  Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact:  Attackers on the wireless network may cause system
crashes, privilege elevation, or arbitrary code execution
Description:  A heap buffer overflow exists in the AirPort
wireless driver's handling of scan cache updates. An attacker in
local proximity may be able to trigger the overflow by injecting
a maliciously-crafted frame into the wireless network. This
could lead to a system crash, privilege elevation, or arbitrary
code execution with system privileges. This issue affects
Intel-based Mac mini, MacBook, and MacBook Pro computers
equipped with wireless. Power Mac, PowerBook, iMac, Mac Pro,
Xserve, and PowerPC-based Mac mini computers are not affected.
This update addresses the issue by performing additional
validation of wireless frames. There is no known exploit for
this issue. This issue does not affect systems prior to Mac OS X
v10.4.

AirPort
CVE-ID:  CVE-2006-3509
Available for:  Mac OS X v10.4.7, Mac OS X Server v10.4.7
Impact:  Depending upon third-party wireless software in use,
attackers on the wireless network may cause crashes or arbitrary
code execution
Description:  An integer overflow exists in the AirPort wireless
driver's API for third-party wireless software. This could lead
to a buffer overflow in such applications dependent upon API
usage. No applications are known to be affected at this time. If
an application is affected, then an attacker in local proximity
may be able to trigger an overflow by injecting a
maliciously-crafted frame into the wireless network. This may
cause crashes or lead to arbitrary code execution with the
privileges of the user running the application. This issue
affects Intel-based Mac mini, MacBook, and MacBook Pro computers
equipped with wireless. Power Mac, PowerBook, iMac, Mac Pro,
Xserve, and PowerPC-based Mac mini computers are not affected.
This update addresses the issues by performing additional
validation of wireless frames. There is no known exploit for
this issue. This issue does not affect systems prior to Mac OS X
v10.4.

AirPort Update 2006-001 and Security Update 2006-005 may be obtained
from the Software Update pane in System Preferences, or Apple's
Software Downloads web site:
http://www.apple.com/support/downloads/

The Software Update utility will present the update that applies to
your system configuration. Only one is needed, either AirPort Update
2006-001 or Security Update 2006-005.

For Mac OS X v10.4.7 Build 8J2135 or 8J2135a
The download file is named:  "AirPortUpdate2006001.dmg"
Its SHA-1 digest is:  94855a341c05344dab4f965c595c7149352d2617

For Mac OS X v10.4.7 Build 8J135
For Mac OS X Server v10.4.7 Build 8J135
The download file is named:  "SecUpd2006-005Ti.dmg"
Its SHA-1 digest is:  32877c48193aa070c6e379bdec580b8d4a5c3ccc

For Mac OS X v10.4.7 Build 8K1079, 8K1106, 8K1123, or 8K1124
For Mac OS X Server v10.4.7 Build 8K1079
The download file is named:  "SecUpd2006-005Univ.dmg"
Its SHA-1 digest is:  fc1de2d328f41b74fa43cdc72af579618a05cc43

For Mac OS X v10.3.9 or Mac OS X Server v10.3.9
The download file is named:  "SecUpd2006-005Pan.dmg"
Its SHA-1 digest is:  e382c31989061772a7fae7bdab55efdebfdc8e1b

For Mac OS X v10.3.9 and Mac OS X Server v10.3.9 systems, if the
Software Update utility does not present Security Update 2006-005,
the following two updates need to be installed:

AirPort 4.2
http://www.apple.com/support/downloads/airport42formacosx1033.html

AirPort Extreme Driver Update 2005-001
http://www.apple.com/support/downloads/airportextremedriverupdate2005001.html

Information will also be posted to the Apple Security Updates
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 



Copyright 2014, SecurityGlobal.net LLC