Broadcom WiFi chipset drivers had been determined to include vulnerabilities impacting a couple of running systems and allowing capability attackers to remotely execute arbitrary code and cause denial-of-provider consistent with a DHS/CISA alert and a CERT/CC vulnerability notice.
Quarkslab’s intern Hugues Anguelkov changed into the one who pronounced five vulnerabilities he located in the “Broadcom wl motive force and the open-source brcmfmac driver for Broadcom WiFi chipsets” whilst reversing engineering and fuzzing Broadcom WiFi chips firmware.
As he discovered, “The Broadcom wl driving force is at risk of two heap buffer overflows, and the open-supply brcmfmac motive force is liable to a frame validation skip and a heap buffer overflow.”
The Common Weakness Enumeration database describes heap buffer overflows inside the CWE-122 access, pointing out that they can lead to system crashes or the impacted software going into an endless loop, whilst also permitting attackers “to execute arbitrary code, that is usually outside the scope of a software’s implicit protection coverage” and bypassing safety offerings.
To underline the seriousness of the failings he observed, Anguelkov says in his evaluation:
You can locate these chips nearly anywhere from smartphones to laptops, smart-TVs, and IoT gadgets. You possibly use one without understanding it. For example, when you have a Dell pc, you’ll use a bcm43224 or a bcm4352 card. Likewise, you probably operate a Broadcom WiFi chip when you have an iPhone, a Mac e-book, a Samsung smartphone, or a Huawei telephone, and so on. Since these chips are so giant, they constitute an excessive price goal to attackers, and any vulnerability discovered in them needs to be considered to pose a high chance.
As the CERT/CC vulnerability word written using Trent Novelly explains, capacity is far off, and unauthenticated attackers may want to make the most of the Broadcom WiFi chipset motive force vulnerabilities through sending maliciously-crafted WiFi packets to execute arbitrary code on prone machines. However, as further unique with the aid of Novelly, “More generally, those vulnerabilities will bring about denial-of-service assaults.”
This is confirmed by Anguelkov, who said that “Two of these vulnerabilities are present each in the Linux kernel and firmware of affected Broadcom chips. The most commonplace exploitation state of affairs results in a faraway denial of service. Although it’s miles technically difficult to acquire, exploitation for far-flung code execution has to be now not discarded because of the worst-case state of affairs.”
CERT/CC vulnerability be aware describes the four brcmfmac and Broadcom wl drivers vulnerabilities (tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503) as follows:
Vulnerabilities in the open-source brcmfmac driving force:
• CVE-2019-9503: If the brcmfmac driving force receives a firmware occasion frame from a remote supply, the is_wlc_event_frame feature will motive this frame to be discarded and no longer be processed. If the motive force receives the firmware event body from the host, the best handler is called. This body validation may be bypassed if the bus used is USB (for example, via a wifi dongle.). This can permit firmware occasion frames from a far-flung supply to be processed.
• CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious occasion body can be built to trigger a heap buffer overflow in the brcmf_wowl_nd_results feature. This vulnerability may be exploited by using compromised chipsets to compromise the host, or while used in mixture with the above frame validation bypass, can be used remotely.
NOTE: The brcmfmac driving force best works with Broadcom FullMAC chipsets.
Vulnerabilities in the Broadcom wl driving force:
Two heap buffer may be caused by the patron when parsing an EAPOL message three during the 4-way handshake from the access point (AP).
• CVE-2019-9501: By imparting a seller statistics detail with an information period large than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
• CVE-2019-9502: If the vendor facts element statistics period is larger than 164 bytes, a heap buffer overflow is caused in wlc_wpa_plumb_gtk.
NOTE: When the wl driving force is used with SoftMAC chipsets, those vulnerabilities are triggered inside the host’s kernel. When a FullMAC chipset is being used, those vulnerabilities could be brought on inside the chipset’s firmware.
A list of all 166 vendors which use probably susceptible Broadcom WiFi chipsets within their devices is available at the give up of the CERT/CC vulnerability observed.
According to the distinct disclosure timeline published with the aid of Anguelkov, Broadcom patched the two vulnerabilities located inside the open-source brcmfmac Linux kernel wi-fi driving force for FullMAC playing cards on February 14, 2019.
Apple also patched the CVE-2019-8564 vulnerability as a protection replacement issued for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14. Three, including a description of the problem to the patch changelog on April 15, someday before the researcher disclosed the vulnerabilities.
The most effective different supplier besides Apple and Broadcom, which provided records approximately the vulnerability popularity in their devices, is Extreme Networks, pronouncing in an April nine declaration that “For VU#166939, WiNG wi-fi merchandise from Extreme Networks, Inc. Aren’t affected due to the fact we do not use the affected chipsets or drivers.”