It’s a fact that we’re facing new vulnerabilities daily. Today’s share of flaws comes from Broadcom WiFi chipset drivers. The flaws (CVE-2019-9503, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502) affect multiple operating systems and could allow remote attackers to execute arbitrary code, resulting in a denial-of-service condition.
Perhaps you’re aware that Broadcom is a leading vendor of wireless devices worldwide. The company offers wireless chips that can be found in a range of devices, from smartphones to laptops, smart-TVs and IoT devices.
So, how dangerous are the vulnerabilities? The official advisory reveals further details:
The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.
The vulnerabilities were reported by Hugues Anguelkov, an intern at Quarkslab, who discovered them while reverse-engineering the firmware of Broadcom WiFi chips.
In 2018, the researcher did a 6-month internship at Quarkslab with the purpose of reproducing publicly known vulnerabilities and porting them to other vulnerable devices.
Details about CVE-2019-9503, CVE-2019-9500
These two vulnerabilities are located in the open source brcmfmac driver:
CVE-2019-9503 concerns the handling of firmware event frames. When the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function causes the frame to be discarded rather than processed; only when the frame comes from the host is the appropriate handler called. This frame validation can be circumvented if the bus used is USB, which allows firmware event frames from a remote source to be processed, the advisory explained.
CVE-2019-9500 is triggered when the Wake-up on Wireless LAN functionality is configured. In that case, a malicious event frame can be crafted to trigger a heap buffer overflow in the brcmf_wowl_nd_results function. The flaw can be exploited by vulnerable chipsets to compromise the host, or, when combined with the frame validation bypass above, it can also be exploited remotely.
It should be noted that “the brcmfmac driver only works with Broadcom FullMAC chipsets”.
Details about CVE-2019-9501, CVE-2019-9502
These two heap buffer overflow vulnerabilities are located in the Broadcom wl driver. They can be triggered in the client when it parses EAPOL message 3 of the 4-way handshake received from the access point.
CVE-2019-9501 can be triggered by supplying a vendor information element with a data length larger than 32 bytes. As a result, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
CVE-2019-9502 becomes exploitable when the vendor information element data length is larger than 164 bytes. This also results in a heap buffer overflow which is triggered in wlc_wpa_plumb_gtk.
It should be noted that “when the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware”.
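As an added example, not code from the advisory or from either driver: a small Python checker that walks the information elements (IEs) in the key-data field of an EAPOL-Key message 3 and flags vendor-specific elements (802.11 element ID 221) whose length exceeds the 32- and 164-byte thresholds above, which is the condition a monitoring tool would look for. It assumes the advisory’s “data length” means the IE length byte; the sample byte strings are constructed.

```python
# Added example: parse the TLV information elements carried in EAPOL-Key
# message 3 key data and report vendor-specific IEs whose length exceeds the
# thresholds the advisory gives for CVE-2019-9501 (> 32) and CVE-2019-9502
# (> 164). Sample inputs below are constructed, not captured traffic.

VENDOR_SPECIFIC_ID = 0xDD  # 802.11 element ID 221: vendor specific
THRESHOLD_9501 = 32        # data length > 32  -> wlc_wpa_sup_eapol overflow path
THRESHOLD_9502 = 164       # data length > 164 -> wlc_wpa_plumb_gtk overflow path


def parse_ies(data: bytes):
    """Yield (element_id, payload) for each TLV IE; refuse truncated elements."""
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        body = data[pos + 2 : pos + 2 + length]
        if len(body) < length:  # element claims more bytes than are present
            raise ValueError(f"truncated IE {eid:#x} at offset {pos}")
        yield eid, body
        pos += 2 + length


def check_vendor_ies(key_data: bytes):
    """Return [(cve_id, ie_length), ...] for every oversized vendor IE found."""
    findings = []
    for eid, body in parse_ies(key_data):
        if eid != VENDOR_SPECIFIC_ID:
            continue
        if len(body) > THRESHOLD_9501:
            findings.append(("CVE-2019-9501", len(body)))
        if len(body) > THRESHOLD_9502:  # a >164 IE exceeds both thresholds
            findings.append(("CVE-2019-9502", len(body)))
    return findings


def vendor_ie(payload: bytes) -> bytes:
    """Build one vendor-specific IE (constructed helper for the samples)."""
    return bytes([VENDOR_SPECIFIC_ID, len(payload)]) + payload


# Constructed samples: a short RSN IE (ID 0x30) followed by one vendor IE.
RSN_IE = bytes([0x30, 0x02, 0x01, 0x00])
OUI = b"\x00\x50\xf2"  # constructed OUI prefix for the vendor IE body
BENIGN = RSN_IE + vendor_ie(OUI + b"\x00" * 21)      # 24-byte vendor IE
OVER_32 = RSN_IE + vendor_ie(OUI + b"\x00" * 37)     # 40-byte vendor IE
OVER_164 = RSN_IE + vendor_ie(OUI + b"\x00" * 197)   # 200-byte vendor IE

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("over_32", OVER_32), ("over_164", OVER_164)):
        print(name, check_vendor_ies(sample))
```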
What’s the impact of the vulnerabilities?
By sending specially crafted WiFi packets, a remote, unauthenticated attacker could execute arbitrary code on a vulnerable system, resulting in denial-of-service attacks. The good news is that the brcmfmac driver has been patched to address the flaws.