[German]A major vulnerability in Broadcom's WiFi drivers enables remote code execution and threatens millions of computers, smartphones, tablets and IoT devices.
Advertising
Broadcom WiFi chipset drivers appear to contain serious vulnerabilities that affect multiple operating systems. The vulnerabilities allow potential attackers to remotely execute arbitrary code and draw denial of service. There is now a DHS/CISA warning and a CERT/CC vulnerability description.
Description of vulnerabilities
The CERT/CC writes the following in its Vulnerability Note VU#166939 of April 17 , 2019:
The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.
There are probably buffer overflows in Boradcom's open source drivers. The following CVEs have been assigned to the brcmfmac driver:
- CVE-2019-9503: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle.). This can allow firmware event frames from a remote source to be processed.
- CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.
The brcmfmac driver only works with Broadcom FullMAC chipsets. However, there are also security holes in the Broadcom wl driver to which the following CVEs have been assigned.
- CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
- CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.
Note: If the wl driver is used with SoftMAC chipsets, these vulnerabilities will be triggered in the host kernel. When a FullMAC chipset is used, these vulnerabilities are triggered in the chipset's firmware.
Advertising
In the worst case, a remote, unauthenticated attacker is able to execute arbitrary code on a vulnerable system by sending specially designed WiFi packets. Typically, these vulnerabilities lead to denial of service attacks. However, Broadcom has now released updated drivers.
Intern finds five vulnerabilities
Bleeping Computer says here, that Quarkslabs intern Hugues Anguelkov found five vulnerabilities in the "Broadcom wl driver and in the open source brcmfmac driver for Broadcom WiFi chipsets". Hugues examined the Broadcom WiFi chip firmware for vulnerabilities using fuzzy techniques.
These chips can be found almost everywhere in devices, from smartphones to laptops, SmartTVs to IoT devices. Most users of such devices probably use such a driver without knowing it. For example, if you have a Dell laptop, you can use a bcm43224 or a bcm4352 card. It is also likely that users will use a Broadcom WiFi chip if they have an iPhone, a Mac book, a Samsumg or a Huawei smartphone, etc. Because these chips are so widespread, they are a valuable target for attackers, and any vulnerability found should therefore be considered a high risk.
A list of all 166 vendors that use potentially vulnerable Broadcom WiFi chipsets in their devices can be found at the end of the CERT/CC vulnerability note. In this blog post published by Hugues Anguelkov you can find the disclosure timeline. Broadcom patched the two vulnerabilities discovered in the open source brcmfmac Linux kernel wireless drivers for FullMAC cards on 14 February 2019.
Apple has also patched the CVE-2019-8564 vulnerability as part of a security update for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3, and on April 15, the day before the researcher announced the vulnerabilities, included a description of the problem in the patch change log.
The question remains as to whether and when the remaining manufacturers of the devices will provide appropriate firmware and driver updates. Further details can be found in Bleeping-Computer, in the blog post from Hugues Anguelkov and in the CERT/CC vulnerability note.
