Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks
« on: April 18, 2019, 11:29:10 AM »

Broadcom WiFi chipset drivers have been found to contain vulnerabilities impacting multiple operating systems and allowing potential attackers to remotely execute arbitrary code and to trigger denial-of-service according to a DHS/CISA alert and a CERT/CC vulnerability note.

Quarkslab's intern Hugues Anguelkov was the one who reported five vulnerabilities he found in the "Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets" while reverse engineering and fuzzing Broadcom WiFi chip firmware.

As he discovered, "The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow."

The Common Weakness Enumeration database describes heap buffer overflows in the CWE-122 entry, stating that they can lead to system crashes or the impacted software going into an infinite loop, while also allowing attackers "to execute arbitrary code, which is usually outside the scope of a program's implicit security policy" and bypassing security services.

To underline the seriousness of the flaws he found, Anguelkov says in his analysis:

You can find these chips almost everywhere from smartphones to laptops, smart TVs, and IoT devices. You probably use one without knowing it; for example, if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a MacBook, a Samsung phone or a Huawei phone, etc. Since these chips are so widespread they constitute a high-value target to attackers, and any vulnerability found in them should be considered to pose a high risk.

As the CERT/CC vulnerability note written by Trent Novelly explains, potential remote and unauthenticated attackers could exploit the Broadcom WiFi chipset driver vulnerabilities by sending maliciously-crafted WiFi packets to execute arbitrary code on vulnerable machines. However, as further detailed by Novelly, "More typically, these vulnerabilities will result in denial-of-service attacks."

This is confirmed by Anguelkov who said that "Two of those vulnerabilities are present both in the Linux kernel and firmware of affected Broadcom chips. The most common exploitation scenario leads to a remote denial of service. Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario."

The CERT/CC vulnerability note describes the four brcmfmac and Broadcom wl driver vulnerabilities (tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503) as follows:

Vulnerabilities in the open source brcmfmac driver:

CVE-2019-9503: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance, by a WiFi dongle). This can allow firmware event frames from a remote source to be processed.

CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.

NOTE: The brcmfmac driver only works with Broadcom FullMAC chipsets.

Vulnerabilities in the Broadcom wl driver:

Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).

CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.

CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.

NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset's firmware.
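Both wl driver bugs come down to copying a vendor information element out of EAPOL message 3 into a fixed-size buffer without comparing the element's declared length against the destination's capacity. The following C program is an added illustration of the defensive pattern, written for this page; it is not code from the Broadcom wl driver, the brcmfmac driver, or Quarkslab's analysis. The function and constant names (extract_vendor_ie, VENDOR_IE_MAX, IE_ID_VENDOR, the demo_* helpers) are assumptions, and the 32-byte capacity simply mirrors the threshold the CERT/CC note gives for wlc_wpa_sup_eapol. The element layout (1-byte ID, 1-byte length, payload) is the standard 802.11 information element encoding; the sample key-data blobs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed constants, not from the Broadcom driver: the destination
 * capacity mirrors the 32-byte threshold the CERT/CC note cites. */
#define VENDOR_IE_MAX 32     /* capacity of the supplicant's vendor IE copy */
#define IE_ID_VENDOR  0xdd   /* 802.11 vendor-specific element ID */

struct vendor_ie_copy {
    uint8_t len;
    uint8_t data[VENDOR_IE_MAX];
};

/* Walk the key-data field of an EAPOL-Key message as a sequence of
 * 802.11 information elements (1-byte ID, 1-byte length, payload) and
 * copy the first vendor-specific element into a fixed-size buffer.
 *
 * Returns 0 on success, -1 if no vendor element is present, if an
 * element claims more bytes than the frame holds (truncated frame), or
 * if the element is larger than the destination.  That last check is
 * the one whose absence turns an oversized element into a heap overflow;
 * rejecting the frame is preferred to silently truncating the copy. */
int extract_vendor_ie(const uint8_t *key_data, size_t key_data_len,
                      struct vendor_ie_copy *out)
{
    size_t off = 0;

    while (off + 2 <= key_data_len) {
        uint8_t id  = key_data[off];
        uint8_t len = key_data[off + 1];

        if (off + 2 + (size_t)len > key_data_len)
            return -1;                      /* element runs past the frame */

        if (id == IE_ID_VENDOR) {
            if (len > VENDOR_IE_MAX)
                return -1;                  /* would overflow out->data */
            out->len = len;
            memcpy(out->data, key_data + off + 2, len);
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -1;                              /* no vendor element found */
}

/* Constructed sample inputs.  Each helper returns the copied length on
 * success or -1 when the parser rejects the frame. */

/* RSN element (ID 0x30) followed by a 4-byte vendor element: accepted. */
int demo_valid_ie(void)
{
    static const uint8_t key_data[] = {
        0x30, 0x02, 0x01, 0x00,             /* RSN IE, 2-byte payload */
        0xdd, 0x04, 0x00, 0x50, 0xf2, 0x02  /* vendor IE, 4-byte payload */
    };
    struct vendor_ie_copy c;
    return extract_vendor_ie(key_data, sizeof key_data, &c) == 0 ? c.len : -1;
}

/* Vendor element of exactly VENDOR_IE_MAX bytes: the boundary is accepted. */
int demo_max_ie(void)
{
    uint8_t key_data[2 + VENDOR_IE_MAX];
    struct vendor_ie_copy c;
    key_data[0] = IE_ID_VENDOR;
    key_data[1] = VENDOR_IE_MAX;
    memset(key_data + 2, 0x42, VENDOR_IE_MAX);
    return extract_vendor_ie(key_data, sizeof key_data, &c) == 0 ? c.len : -1;
}

/* Vendor element declaring 40 bytes, more than the destination: rejected. */
int demo_oversized_ie(void)
{
    uint8_t key_data[2 + 40];
    struct vendor_ie_copy c;
    key_data[0] = IE_ID_VENDOR;
    key_data[1] = 40;
    memset(key_data + 2, 0x41, 40);
    return extract_vendor_ie(key_data, sizeof key_data, &c) == 0 ? c.len : -1;
}

/* Vendor element declaring 16 bytes while the frame ends after one: rejected. */
int demo_truncated_ie(void)
{
    static const uint8_t key_data[] = { 0xdd, 0x10, 0x00 };
    struct vendor_ie_copy c;
    return extract_vendor_ie(key_data, sizeof key_data, &c) == 0 ? c.len : -1;
}

int main(void)
{
    printf("valid:     %d\n", demo_valid_ie());      /* 4  */
    printf("max:       %d\n", demo_max_ie());        /* 32 */
    printf("oversized: %d\n", demo_oversized_ie());  /* -1 */
    printf("truncated: %d\n", demo_truncated_ie());  /* -1 */
    return 0;
}
```

The two length comparisons do different jobs: the first bounds every read by the frame length so a short or truncated message cannot cause an over-read, and the second bounds the write by the destination so a long element cannot overflow it. A driver that validates only one of the two still has a memory-safety bug, which is why both belong in any parser of attacker-reachable handshake data.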

A list of all 166 vendors which use potentially vulnerable Broadcom WiFi chipsets within their devices is available at the end of the CERT/CC vulnerability note.

According to the detailed disclosure timeline published by Anguelkov, Broadcom patched the two vulnerabilities discovered in the open source brcmfmac Linux kernel wireless driver for FullMAC cards on February 14, 2019.

Apple also patched the CVE-2019-8564 vulnerability as part of a security update issued for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3, adding a description of the issue to the patch changelog on April 15, one day before the researcher disclosed the vulnerabilities.

The only other vendor besides Apple and Broadcom which provided information about the vulnerability status of their devices is Extreme Networks, saying in an April 9 statement that "For VU#166939, WiNG wireless products from Extreme Networks, Inc. are not affected because we do not use the affected chipsets or drivers."

« Last Edit: April 18, 2019, 02:42:44 PM by javajolt »
