Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks
Broadcom WiFi chipset drivers had been determined to include vulnerabilities impacting a couple of running systems and allowing capability attackers to remotely execute arbitrary code and to cause denial-of-provider consistent with a DHS/CISA alert and a CERT/CC vulnerability notice.
Quarkslab’s intern Hugues Anguelkov changed into the one who pronounced five vulnerabilities he located in the “Broadcom wl motive force and the open-source brcmfmac driver for Broadcom WiFi chipsets” whilst reversing engineering and fuzzing Broadcom WiFi chips firmware.
As he discovered, “The Broadcom wl driving force is at risk of two heap buffer overflows, and the open-supply brcmfmac motive force is liable to a frame validation skip and a heap buffer overflow.”
The Common Weakness Enumeration database describes heap buffer overflows inside the CWE-122 access, pointing out that they can lead to system crashes or the impacted software going into an endless loop, whilst also permitting attackers “to execute arbitrary code, that is usually outside the scope of a software’s implicit protection coverage” and bypassing safety offerings.
To underline the seriousness of the failings he observed, Anguelkov says in his evaluation:
You can locate these chips nearly anywhere from smartphones to laptops, smart-TVs, and IoT gadgets. You possibly use one without understanding it, for example when you have a Dell pc, you’ll be the usage of a bcm43224 or a bcm4352 card. It is likewise probably you operate a Broadcom WiFi chip when you have an iPhone, a Mac e-book, a Samsung smartphone or a Huawei telephone, and so on. Since these chips are so giant they constitute an excessive price goal to attackers and any vulnerability discovered in them need to be considered to pose a high chance.
As the CERT/CC vulnerability word written by means of Trent Novelly explains, capacity far off and unauthenticated attackers may want to make the most the Broadcom WiFi chipset motive force vulnerabilities through sending maliciously-crafted WiFi packets to execute arbitrary code on prone machines. However, as further unique with the aid of Novelly, “More generally, those vulnerabilities will bring about denial-of-service assaults.”
This is confirmed by Anguelkov who said that “Two of these vulnerabilities are present each in the Linux kernel and firmware of affected Broadcom chips. The most commonplace exploitation state of affairs results in a faraway denial of service. Although it’s miles technically difficult to acquire, exploitation for far-flung code execution has to now not be discarded because of the worst case state of affairs.”
CERT/CC vulnerability be aware describes the four brcmfmac and Broadcom wl drivers vulnerabilities (tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503) as follows:
Vulnerabilities in the open source brcmfmac driving force:
• CVE-2019-9503: If the brcmfmac driving force receives a firmware occasion frame from a remote supply, the is_wlc_event_frame feature will motive this frame to be discarded and no longer be processed. If the motive force receives the firmware event body from the host, the best handler is called. This body validation may be bypassed if the bus used is USB (for example via a wifi dongle.). This can permit firmware occasion frames from a far-flung supply to be processed.
• CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious occasion body can be built to trigger a heap buffer overflow in the brcmf_wowl_nd_results feature. This vulnerability may be exploited by using compromised chipsets to compromise the host, or while used in mixture with the above frame validation bypass, can be used remotely.
NOTE: The brcmfmac driving force best works with Broadcom FullMAC chipsets.
Vulnerabilities in the Broadcom wl driving force:
Two heap buffer overflows may be caused by the patron when parsing an EAPOL message three during the 4-way handshake from the access point (AP).
• CVE-2019-9501: By imparting a seller statistics detail with an information period large than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
• CVE-2019-9502: If the vendor facts element statistics period is larger than 164 bytes, a heap buffer overflow is caused in wlc_wpa_plumb_gtk.
NOTE: When the wl driving force is used with SoftMAC chipsets, those vulnerabilities are triggered inside the host’s kernel. When a FullMAC chipset is being used, those vulnerabilities could be brought on inside the chipset’s firmware.
A list of all 166 vendors which use probably susceptible Broadcom WiFi chipsets within their devices is available at the give up of the CERT/CC vulnerability observe.
According to the distinct disclosure timeline published with the aid of Anguelkov, Broadcom patched the two vulnerabilities located inside the open source brcmfmac Linux kernel wi-fi driving force for FullMAC playing cards on February 14, 2019.
Apple additionally patched the CVE-2019-8564 vulnerability as part of protection replace issued for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14. Three, including a description of the problem to the patch changelog on April 15, someday before the researcher disclosed the vulnerabilities.
The most effective different supplier besides Apple and Broadcom which provided records approximately the vulnerability popularity in their devices is Extreme Networks, pronouncing in an April nine declaration that “For VU#166939, WiNG wi-fi merchandise from Extreme Networks, Inc. Aren’t affected due to the fact we do not use the affected chipsets or drivers.”