Broadcom WiFi chipset drivers had been observed to contain vulnerabilities impacting more than one running systems and allowing potential attackers to remotely execute arbitrary code and to trigger denial-of-carrier according to a DHS/CISA alert and a CERT/CC vulnerability notice.
Quarkslab’s intern Hugues Anguelkov changed into the only who said 5 vulnerabilities he found in the “Broadcom wl driver and the open-source brcmfmac driving force for Broadcom WiFi chipsets” at the same time as reversing engineering and fuzzing Broadcom WiFi chips firmware.
As he observed, “The Broadcom wl driver is susceptible to heap buffer overflows, and the open-supply brcmfmac motive force is vulnerable to a body validation pass and a heap buffer overflow.”
The Common Weakness Enumeration database describes heap buffer overflows in the CWE-122 entry, declaring that they can cause device crashes or the impacted software going into an infinite loop, whilst additionally allowing attackers “to execute arbitrary code, that is commonly outdoor the scope of a application’s implicit security coverage” and bypassing security offerings.
To underline the seriousness of the flaws he located, Anguelkov says in his evaluation:
You can discover these chips almost anywhere from smartphones to laptops, smart-TVs and IoT devices. You possibly use one without knowing it, for instance if you have a Dell computer, you may be using a bcm43224 or a bcm4352 card. It is likewise likely you use a Broadcom WiFi chip when you have an iPhone, a Mac e book, a Samsumg telephone or a Huawei telephone, and so forth. Since those chips are so tremendous they represent a high fee goal to attackers and any vulnerability located in them should be considered to pose excessive danger.
As the CERT/CC vulnerability notice written via Trent Novelly explains, potential faraway and unauthenticated attackers ought to take advantage of the Broadcom WiFi chipset driver vulnerabilities by means of sending maliciously-crafted WiFi packets to execute arbitrary code on vulnerable machines. However, as in addition particular by means of Novelly, “More usually, those vulnerabilities will result in denial-of-carrier attacks.”
This is showed by Anguelkov who stated that “Two of those vulnerabilities are present each in the Linux kernel and firmware of affected Broadcom chips. The maximum commonplace exploitation situation results in a far off denial of provider. Although it is technically tough to reap, exploitation for far off code execution must now not be discarded as the worst case situation.”
CERT/CC vulnerability observe describes the four brcmfmac and Broadcom wl drivers vulnerabilities (tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503) as follows:
Vulnerabilities within the open source brcmfmac driving force:
• CVE-2019-9503: If the brcmfmac driver receives a firmware occasion body from a faraway source, the is_wlc_event_frame feature will motive this frame to be discarded and no longer be processed. If the driving force gets the firmware event frame from the host, the best handler is called. This body validation may be bypassed if the bus used is USB (as an example by a wifi dongle.). This can allow firmware occasion frames from a far flung source to be processed.
• CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious occasion body may be built to trigger an heap buffer overflow within the brcmf_wowl_nd_results function. This vulnerability can be exploited by way of compromised chipsets to compromise the host, or when utilized in aggregate with the above body validation skip, may be used remotely.
NOTE: The brcmfmac motive force simplest works with Broadcom FullMAC chipsets.
Vulnerabilities in the Broadcom wl motive force:
Two heap buffer overflows may be induced in the consumer when parsing an EAPOL message 3 all through the 4-manner handshake from the access factor (AP).
• CVE-2019-9501: By supplying a supplier information element with a data period large than 32 bytes, a heap buffer overflow is prompted in wlc_wpa_sup_eapol.
• CVE-2019-9502: If the seller data element information period is larger than 164 bytes, a heap buffer overflow is brought about in wlc_wpa_plumb_gtk.
NOTE: When the wl motive force is used with SoftMAC chipsets, these vulnerabilities are induced inside the host’s kernel. When a FullMAC chipset is getting used, those vulnerabilities would be brought on in the chipset’s firmware.
A listing of all 166 providers which use doubtlessly inclined Broadcom WiFi chipsets inside their devices is to be had at the give up of the CERT/CC vulnerability word.
According to the distinct disclosure timeline posted via Anguelkov, Broadcom patched the two vulnerabilities found inside the open supply brcmfmac Linux kernel wi-fi motive force for FullMAC playing cards on February 14, 2019.
Apple additionally patched the CVE-2019-8564 vulnerability as part of a protection update issued for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3, including an outline of the problem to the patch changelog on April 15, in the future before the researcher disclosed the vulnerabilities.
The best different vendor besides Apple and Broadcom which furnished information approximately the vulnerability reputation of their gadgets is Extreme Networks, saying in an April 9 announcement that “For VU#166939, WiNG wireless products from Extreme Networks, Inc. Are not affected because we do now not use the affected chipsets or drivers.”