search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Broadcom WiFi chipset drivers contain multiple vulnerabilities

Vulnerability Note VU#166939

Original Release Date: 2019-04-17 | Last Revised: 2019-04-23

Overview

The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.

Description

Quarkslab has researched and reported multiple vulnerabilities affecting Broadcom WiFi drivers.

Vulnerabilities in the open source brcmfmac driver:
CVE-2019-9503: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed.

CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.

NOTE: The brcmfmac driver only works with Broadcom FullMAC chipsets.

Vulnerabilities in the Broadcom wl driver:
Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).

CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.

CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.

NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset's firmware.

Impact

In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service conditions.

Solution

Apply Patches

The brcmfmac driver has been patched to address these vulnerabilities.

The following workarounds can help mitigate this and other WiFi vulnerabilities:

Use Trusted Wifi
Only use WiFi networks that you trust.

Vendor Information

166939
 
Affected   Unknown   Unaffected

Apple

Notified:  January 11, 2019 Updated:  April 12, 2019

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Broadcom

Notified:  January 11, 2019 Updated:  April 12, 2019

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Synology

Notified:  April 09, 2019 Updated:  April 23, 2019

Statement Date:   April 18, 2019

Status

  Affected

Vendor Statement

Please note that RT1900ac [1] employs `wpa_supplicant' for EAPOL handshakes instead of `broadcom-sta' by default, but administrators are capable of force enabling the proprietary driver. Hence, Synology considers this vulnerability has limited impact on RT1900ac. For the "brcmfmac" concern, RT1900ac is not affected as it employs Broadcom proprietary driver instead of the open source version.

[1] https://www.synology.com/products/RT1900ac

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.synology.com/security/advisory/Synology_SA_19_18

Aruba Networks

Notified:  April 09, 2019 Updated:  April 19, 2019

Statement Date:   April 16, 2019

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Brocade Communication Systems

Notified:  April 09, 2019 Updated:  April 19, 2019

Statement Date:   April 18, 2019

Status

  Not Affected

Vendor Statement

No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco

Notified:  April 09, 2019 Updated:  April 19, 2019

Statement Date:   April 18, 2019

Status

  Not Affected

Vendor Statement

Cisco has evaluated these vulnerabilities and confirmed that no Cisco products are impacted. This assessment is valid for all Cisco enterprise products and Cisco Small Business products.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Extreme Networks

Notified:  April 09, 2019 Updated:  April 12, 2019

Statement Date:   April 12, 2019

Status

  Not Affected

Vendor Statement

For VU#166939, WiNG wireless products from Extreme Networks, Inc. are not affected because we do not use the affected chipsets or drivers.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

LANCOM Systems GmbH

Notified:  April 09, 2019 Updated:  April 19, 2019

Statement Date:   April 16, 2019

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

LANCOM Systems confirms that no LANCOM product is affected.

Palo Alto Networks

Notified:  April 09, 2019 Updated:  April 19, 2019

Statement Date:   April 17, 2019

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Zyxel

Notified:  April 09, 2019 Updated:  April 19, 2019

Statement Date:   April 15, 2019

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Zyxel was initially marked as Affected, this was an error, Zyxel has stated that they are not affected by these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

A10 Networks

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ADTRAN

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ANTlabs

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ARRIS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AVM GmbH

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Actelis Networks

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Actiontec

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Aerohive

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AhnLab Inc

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AirWatch

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Akamai Technologies, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent Enterprise

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alpine Linux

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Android Open Source Project

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Appgate Network Security

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arch Linux

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AsusTek Computer Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Atheros Communications Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Barracuda Networks

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belden

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlackBerry

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Blue Coat Systems

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BlueCat Networks, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CA Technologies

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CZ.NIC

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cambium Networks

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ceragon Networks Inc

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Comcast

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Command Software Systems

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CoreOS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cradlepoint

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dell

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dell EMC

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dell SecureWorks

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DesktopBSD

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Deutsche Telekom

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Devicescape

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Digi International

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EfficientIP SAS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Espressif Systems

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

European Registry for Internet Domains

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Express Logic

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F-Secure Corporation

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fastly

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Force10 Networks

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc.

Notified:  April 15, 2019 Updated:  April 15, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Brocade

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Geexbox

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

HP Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

HTC

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Honeywell

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Illumos

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

InfoExpress, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Systems Consortium

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Interniche Technologies, inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Joyent

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lantronix

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

LibreSSL

Notified:  April 12, 2019 Updated:  April 12, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linksys

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Marvell Semiconductors

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MediaTek

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Medtronic

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MetaSwitch

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Micro Focus

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microchip Technology

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MikroTik

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Miredo

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mitel Networks, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NETSCOUT

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NLnet Labs

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Netgear, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nixu

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenConnect

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenDNS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenSSL

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Paessler

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Peplink

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Philips Electronics

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PowerDNS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Pulse Secure

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QLogic

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QUALCOMM Incorporated

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quagga

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quantenna Communications

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Riverbed Technologies

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Rocket RTOS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Roku

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ruckus Wireless

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Samsung Mobile

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Samsung Semiconductor Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secure64 Software Corporation

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sierra Wireless

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SmoothWall

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Snort

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SonicWall

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sonos

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sophos, Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sourcefire

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TDS Telecom

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TP-LINK

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Technicolor

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Toshiba Commerce Solutions

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TrueOS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

VMware

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Xilinx

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Zebra Technologies

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Zephyr Project

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

aep NETWORKS

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

dnsmasq

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eCosCentric

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eero

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

netsnmp

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

pfSense

Notified:  April 09, 2019 Updated:  April 09, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

wolfSSL

Notified:  April 12, 2019 Updated:  April 12, 2019

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 166 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 6.8 AV:A/AC:H/Au:N/C:C/I:C/A:C
Temporal 5.3 E:POC/RL:OF/RC:ND
Environmental 4.0 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Hugues Anguelkov during his internship at Quarkslab for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2019-9503, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502
Date Public: 2019-04-15
Date First Published: 2019-04-17
Date Last Updated: 2019-04-23 18:28 UTC
Document Revision: 34

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.