-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 PRE-CERT Security Advisory ========================== * Advisory: PRE-SA-2013-02 * Released on: 5 April 2013 * Affected product: Broadcom nas daemon on Linksys WRT54GL (v 4.30.16) * Impact: information disclosure / denial of service * Origin: specially crafted EAP requests * CVSS Base Score: 6.8 Impact Subscore: 7.8 Exploitability Subscore: 6.5 CVSS Vector: (AV:A/AC:L/Au:N/C:P/I:N/A:C) * Credit: Timo Warns (PRESENSE Technologies GmbH) Summary - ------- The Broadcom network authentication server (nas) used in the Linksys WRT54GL wireless router suffers from a buffer over-read vulnerability allowing to disclose sensitive information or to crash the server without requiring authentication. The vulnerability may also affect other devices and alternative firmwares that also use the nas daemon. The Linksys WRT54GL uses the Broadcom nas to authenticate wireless clients. If an attacker responds to an EAP Identity Request from the device with an EAP Identity Response, whose Message Length value is larger than the actual EAP packet, nas over-reads the buffer containing the response. The nas either crashes or sends out a Radius message containing data from memory beyond the EAP response buffer. Solution - -------- No patch is currently available. References - ---------- When further information becomes available, this advisory will be updated. The most recent version of this advisory is available at: http://www.pre-cert.de/advisories/PRE-SA-2013-02.txt Contact - -------- PRE-CERT can be reached under precert@pre-secure.de. For PGP key information, refer to http://www.pre-cert.de/. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iQEcBAEBAgAGBQJRZqenAAoJEI9qFXJ0Ecg6nBsH/jtmlXKzwAUzftA7tb0EyrWa Uvl7cBoi9+uZ+sw2KeIYWD8zx0VMQzgn48Zu5T8A9hDUYvYh9mzVhDQ3hVipKdqw ISbmYAHwg4syw+QW7Pc/zJv+tu9z1CkOa4tsYDXwCAOgMWHkmiRHvIINyHGT5127 Lzlji6ITbTqdtEh/CHeY8s2tFfCVldccu9Tj9fdLJhjybUXsTQg+wz8o41eBM5hp 7iSKEpgDMw8m0EyBnvizRKvtd0B2GHrxX6Zk9ScX+ydsdPsQe9RdC5zgbX1P/Vw4 3gmNE2FIhXwVY/Eg2gIgTQc0hRD0tefTca7HpDHhkgkKPF/5X4MCiyqt2BlIsvY= =3hc9 -----END PGP SIGNATURE-----