search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Broadcom WiFi chipset drivers contain multiple vulnerabilities

Vulnerability Note VU#166939

Original Release Date: 2019-04-17 | Last Revised: 2019-04-23

Overview

The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.

Description

Quarkslab has researched and reported multiple vulnerabilities affecting Broadcom WiFi drivers.

Vulnerabilities in the open source brcmfmac driver:
CVE-2019-9503: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed.

CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.

NOTE: The brcmfmac driver only works with Broadcom FullMAC chipsets.

Vulnerabilities in the Broadcom wl driver:
Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).

CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.

CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.

NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset's firmware.

Impact

In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service conditions.

Solution

Apply Patches

The brcmfmac driver has been patched to address these vulnerabilities.

The following workarounds can help mitigate this and other WiFi vulnerabilities:

Use Trusted Wifi
Only use WiFi networks that you trust.

Vendor Information

166939
 
Expand all

View all 166 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 6.8 AV:A/AC:H/Au:N/C:C/I:C/A:C
Temporal 5.3 E:POC/RL:OF/RC:ND
Environmental 4.0 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Hugues Anguelkov during his internship at Quarkslab for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2019-9503, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502
Date Public: 2019-04-15
Date First Published: 2019-04-17
Date Last Updated: 2019-04-23 18:28 UTC
Document Revision: 35

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis