Pierluigi Paganini April 19, 2019

Experts warn of security flaws in the Broadcom WiFi chipset drivers that could allow potential attackers to remotely execute arbitrary code and to trigger DoS.

According to a DHS/CISA alert and a CERT/CC vulnerability note, Broadcom WiFi chipset drivers are affected by security vulnerabilities impacting multiple operating systems. The flaws could be exploited to remotely execute arbitrary code and to trigger a denial-of-service condition.

“The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities in Broadcom Wi-Fi chipset drivers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert published by the DHS/CISA.

“The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.” reads the security advisory published by the CERT/CC.

The CERT/CC vulnerability note includes a list of all vendors potentially impacted by the flaws in Broadcom WiFi chipsets.

The flaws were discovered by Hugues Anguelkov during his internship at Quarkslab are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503.

The heap buffer overflows could be exploited to execute arbitrary code on vulnerable systems.

“You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a Mac book, a Samsumg phone or a Huawei phone, etc.” reads the post published by Anguelkov.

“Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.”

According to the CERT/CC,
In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service attacks. a remote and unauthenticated attackers could exploit the flaws in Broadcom WiFi chipset driver by sending maliciously-crafted WiFi packets to execute arbitrary code on vulnerable systems.

Anguelkov confirmed that two of those vulnerabilities affect both in the Linux kernel and firmware of affected Broadcom chips.

The researcher pointed out that the most common exploitation scenario leads to a remote denial of service.

“Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.” Anguelkov adds.

Below the details for the flaws:

Vulnerabilities in the open source brcmfmac driver:
• CVE-2019-9503: If the brcmfmac driver receives the firmware event frame from the host, the appropriate handler is called. It is possible to bypass frame validation by using the USB as a bus (for instance by a wifi dongle.). In this case, firmware event frames from a remote source will be processed.

• CVE-2019-9500: a malicious event frame can be crafted to trigger an heap buffer overflow in the brcmf_wowl_nd_results function when the Wake-up on Wireless LAN functionality is configured. This flaw could be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.

Vulnerabilities in the Broadcom wl driver:
Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).
• CVE-2019-9501: supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
• CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.
NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware.

The researcher published a timeline for the vulnerabilities that include information on patches released by some vendors.

Pierluigi Paganini

(SecurityAffairs – hacking, Broadcom WiFi chipset)

[adrotate banner=”5″]

[adrotate banner=”13″]