VAR-200809-0311
Vulnerability from variot - Updated: 2025-04-10 22:07The Marvell driver for the Netgear WN802T Wi-Fi access point with firmware 1.3.16 on the Marvell 88W8361P-BEM1 chipset does not properly parse EAPoL-Key packets, which allows remote authenticated users to cause a denial of service (device reboot or hang) or possibly execute arbitrary code via a malformed EAPoL-Key packet with a crafted "advertised length.". The NETGEAR WN802T wireless access point is prone to a denial-of-service vulnerability because it fails to adequately handle long key lengths in EAPoL packets. Successful exploits will deny service to legitimate users. Given the nature of this issue, remote code execution may be possible, but this has not been confirmed. NETGEAR WN802T firmware 1.3.16 with the MARVELL 88W8361P-BEM1 chipset is vulnerable. Other devices running this Marvell chipset may also be affected. This packet is used for unicast/multicast key derivation (which are called 4-way handshake and group key handshake) of any secure wireless connection (WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP). This can be achieved only after a successful 802.11 authentication (in "Open" mode according to the configuration of the wireless access point) and a successful 802.11 association with appropriate security parameters (e.g. WPA w/ TKIP unicast, TKIP multicast) which depends on the configuration of the wireless access point. This security vulnerability was reported to Netgear, updated firmwares should be available on their web site. Any other wireless device relying on this vulnerable wireless driver is likely to be vulnerable.
Credits:
- This vulnerability was discovered by Laurent Butti and Julien Tinnes from France Telecom / Orange .
1) An error exists in the processing of SSID information included in association requests. This can be exploited to reboot or hang-up the device by sending a specially crafted association request.
2) An error in the processing of EAPoL-Key packets can be exploited to reboot or hang-up a device by sending a specially crafted EAPoL-Key packet containing an overly large "length" value.
The vulnerabilities are reported in firmware version 1.3.16. Other versions may also be affected.
SOLUTION: Use the device only in a trusted network environment.
PROVIDED AND/OR DISCOVERED BY: Laurent Butti and Julien Tinnes, France Telecom / Orange
ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2008-09/0048.html http://archives.neohapsis.com/archives/bugtraq/2008-09/0049.html
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "wn802t",
"scope": "eq",
"trust": 2.0,
"vendor": "netgear",
"version": "1.3.16"
},
{
"_id": null,
"model": "88w8361w-bem1",
"scope": "eq",
"trust": 1.1,
"vendor": "marvell",
"version": "*"
},
{
"_id": null,
"model": "88w8361w-bem1",
"scope": null,
"trust": 0.8,
"vendor": "marvell",
"version": null
},
{
"_id": null,
"model": "wn802t",
"scope": "eq",
"trust": 0.8,
"vendor": "net gear",
"version": "1.3.16"
},
{
"_id": null,
"model": "semiconductor 88w8361p-bem1 chipset",
"scope": "eq",
"trust": 0.3,
"vendor": "marvell",
"version": "0"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2008-1144"
},
{
"db": "BID",
"id": "31013"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
},
{
"db": "CNNVD",
"id": "CNNVD-200809-084"
},
{
"db": "NVD",
"id": "CVE-2008-1144"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:marvell:88w8361w-bem1",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:netgear:wn802t",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
}
]
},
"credits": {
"_id": null,
"data": "Laurent Butti\u203b laurent.butti@orange-ftgroup.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200809-084"
}
],
"trust": 0.6
},
"cve": "CVE-2008-1144",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 6.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "CVE-2008-1144",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 6.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "VHN-31269",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:S/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2008-1144",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2008-1144",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-200809-084",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-31269",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2008-1144",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-31269"
},
{
"db": "VULMON",
"id": "CVE-2008-1144"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
},
{
"db": "CNNVD",
"id": "CNNVD-200809-084"
},
{
"db": "NVD",
"id": "CVE-2008-1144"
}
]
},
"description": {
"_id": null,
"data": "The Marvell driver for the Netgear WN802T Wi-Fi access point with firmware 1.3.16 on the Marvell 88W8361P-BEM1 chipset does not properly parse EAPoL-Key packets, which allows remote authenticated users to cause a denial of service (device reboot or hang) or possibly execute arbitrary code via a malformed EAPoL-Key packet with a crafted \"advertised length.\". The NETGEAR WN802T wireless access point is prone to a denial-of-service vulnerability because it fails to adequately handle long key lengths in EAPoL packets. \nSuccessful exploits will deny service to legitimate users. Given the nature of this issue, remote code execution may be possible, but this has not been confirmed. \nNETGEAR WN802T firmware 1.3.16 with the MARVELL 88W8361P-BEM1 chipset is vulnerable. Other devices running this Marvell chipset may also be affected. This packet is used for unicast/multicast key derivation (which\nare called 4-way handshake and group key handshake) of any secure\nwireless connection (WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP). This can be achieved only after a successful\n802.11 authentication (in \"Open\" mode according to the configuration of\nthe wireless access point) and a successful 802.11 association with\nappropriate security parameters (e.g. WPA w/ TKIP unicast, TKIP\nmulticast) which depends on the configuration of the wireless access point. \nThis security vulnerability was reported to Netgear, updated firmwares\nshould be available on their web site. Any other wireless device relying\non this vulnerable wireless driver is likely to be vulnerable. \n\nCredits:\n--------\n* This vulnerability was discovered by Laurent Butti and Julien Tinnes\nfrom France Telecom / Orange\n. \n\n1) An error exists in the processing of SSID information included in\nassociation requests. This can be exploited to reboot or hang-up the\ndevice by sending a specially crafted association request. \n\n2) An error in the processing of EAPoL-Key packets can be exploited\nto reboot or hang-up a device by sending a specially crafted\nEAPoL-Key packet containing an overly large \"length\" value. \n\nThe vulnerabilities are reported in firmware version 1.3.16. Other\nversions may also be affected. \n\nSOLUTION:\nUse the device only in a trusted network environment. \n\nPROVIDED AND/OR DISCOVERED BY:\nLaurent Butti and Julien Tinnes, France Telecom / Orange\n\nORIGINAL ADVISORY:\nhttp://archives.neohapsis.com/archives/bugtraq/2008-09/0048.html\nhttp://archives.neohapsis.com/archives/bugtraq/2008-09/0049.html\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2008-1144"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
},
{
"db": "BID",
"id": "31013"
},
{
"db": "VULHUB",
"id": "VHN-31269"
},
{
"db": "VULMON",
"id": "CVE-2008-1144"
},
{
"db": "PACKETSTORM",
"id": "69626"
},
{
"db": "PACKETSTORM",
"id": "69658"
}
],
"trust": 2.25
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2008-1144",
"trust": 3.1
},
{
"db": "BID",
"id": "31013",
"trust": 2.1
},
{
"db": "SECUNIA",
"id": "31770",
"trust": 1.9
},
{
"db": "SREASON",
"id": "4227",
"trust": 1.8
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185",
"trust": 0.8
},
{
"db": "BUGTRAQ",
"id": "20080904 MARVELL DRIVER EAPOL-KEY LENGTH OVERFLOW",
"trust": 0.6
},
{
"db": "XF",
"id": "44919",
"trust": 0.6
},
{
"db": "XF",
"id": "802",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200809-084",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "69626",
"trust": 0.2
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-31269",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2008-1144",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "69658",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULHUB",
"id": "VHN-31269"
},
{
"db": "VULMON",
"id": "CVE-2008-1144"
},
{
"db": "BID",
"id": "31013"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
},
{
"db": "PACKETSTORM",
"id": "69626"
},
{
"db": "PACKETSTORM",
"id": "69658"
},
{
"db": "CNNVD",
"id": "CNNVD-200809-084"
},
{
"db": "NVD",
"id": "CVE-2008-1144"
}
]
},
"id": "VAR-200809-0311",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULHUB",
"id": "VHN-31269"
}
],
"trust": 0.02
},
"iot_taxonomy": {
"_id": null,
"data": [
{
"category": [
"network device"
],
"sub_category": "Wi-Fi access point",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
}
]
},
"last_update_date": "2025-04-10T22:07:58.683000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.marvell.com/"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.netgear.com/home/"
},
{
"title": "wifuzzit",
"trust": 0.1,
"url": "https://github.com/0xd012/wifuzzit "
},
{
"title": "wifuzzit",
"trust": 0.1,
"url": "https://github.com/flowerhack/wifuzzit "
},
{
"title": "wifuzzit",
"trust": 0.1,
"url": "https://github.com/84KaliPleXon3/wifuzzit "
},
{
"title": "wifuzzit",
"trust": 0.1,
"url": "https://github.com/PleXone2019/wifuzzit "
},
{
"title": "wifuzzit",
"trust": 0.1,
"url": "https://github.com/wi-fi-analyzer/wifuzzit "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2008-1144"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-20",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-31269"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
},
{
"db": "NVD",
"id": "CVE-2008-1144"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 1.9,
"url": "http://www.securityfocus.com/bid/31013"
},
{
"trust": 1.8,
"url": "http://secunia.com/advisories/31770"
},
{
"trust": 1.8,
"url": "http://securityreason.com/securityalert/4227"
},
{
"trust": 1.2,
"url": "http://www.securityfocus.com/archive/1/495982/100/0/threaded"
},
{
"trust": 1.2,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44919"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1144"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-1144"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/44919"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/495982/100/0/threaded"
},
{
"trust": 0.3,
"url": "http://www.marvell.com/"
},
{
"trust": 0.3,
"url": "http://www.netgear.com"
},
{
"trust": 0.3,
"url": "http://kbserver.netgear.com/products/wn802t.asp"
},
{
"trust": 0.3,
"url": "/archive/1/495982"
},
{
"trust": 0.1,
"url": "https://ieeexplore.ieee.org/abstract/document/10769424"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/20.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/0xd012/wifuzzit"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2008-1144"
},
{
"trust": 0.1,
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-09/0049.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/19749/"
},
{
"trust": 0.1,
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-09/0048.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/corporate/jobs/open_positions/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/31770/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULHUB",
"id": "VHN-31269"
},
{
"db": "VULMON",
"id": "CVE-2008-1144"
},
{
"db": "BID",
"id": "31013"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
},
{
"db": "PACKETSTORM",
"id": "69626"
},
{
"db": "PACKETSTORM",
"id": "69658"
},
{
"db": "CNNVD",
"id": "CNNVD-200809-084"
},
{
"db": "NVD",
"id": "CVE-2008-1144"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "OTHER",
"id": null,
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-31269",
"ident": null
},
{
"db": "VULMON",
"id": "CVE-2008-1144",
"ident": null
},
{
"db": "BID",
"id": "31013",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2008-004185",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "69626",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "69658",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-200809-084",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2008-1144",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2008-09-05T00:00:00",
"db": "VULHUB",
"id": "VHN-31269",
"ident": null
},
{
"date": "2008-09-05T00:00:00",
"db": "VULMON",
"id": "CVE-2008-1144",
"ident": null
},
{
"date": "2008-09-04T00:00:00",
"db": "BID",
"id": "31013",
"ident": null
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-004185",
"ident": null
},
{
"date": "2008-09-04T17:17:26",
"db": "PACKETSTORM",
"id": "69626",
"ident": null
},
{
"date": "2008-09-05T15:36:36",
"db": "PACKETSTORM",
"id": "69658",
"ident": null
},
{
"date": "2008-09-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200809-084",
"ident": null
},
{
"date": "2008-09-05T16:08:00",
"db": "NVD",
"id": "CVE-2008-1144",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2018-10-11T00:00:00",
"db": "VULHUB",
"id": "VHN-31269",
"ident": null
},
{
"date": "2018-10-11T00:00:00",
"db": "VULMON",
"id": "CVE-2008-1144",
"ident": null
},
{
"date": "2008-09-04T19:34:00",
"db": "BID",
"id": "31013",
"ident": null
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-004185",
"ident": null
},
{
"date": "2009-01-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200809-084",
"ident": null
},
{
"date": "2025-04-09T00:30:58.490000",
"db": "NVD",
"id": "CVE-2008-1144",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200809-084"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "Netgear WN802T Wi-Fi Access point Marvell Service disruption in drivers (DoS) Vulnerabilities",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-004185"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "input validation",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200809-084"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.