Vulnerabilities in drivers for Broadcom WiFi chips that allow remote attacks on the system

In drivers for Broadcom wireless chips revealed four vulnerabilitiesIn the simplest case, vulnerabilities can be used to cause a remote denial of service, but scenarios cannot be ruled out in which exploits can be developed that allow an unauthenticated attacker to execute their code with kernel privileges. Linux by sending specially designed packages.

Issues were identified during reverse engineering of Broadcom firmware. Vulnerable chips are widely used in laptops, smartphones and various consumer devices, from smart TVs to IoT devices. In particular, Broadcom chips are used in smartphones from manufacturers such as Apple, Samsumg and Huawei. It is noteworthy that Broadcom was notified of the vulnerabilities back in September 2018, but it took about 7 months for the release of fixes coordinated with equipment manufacturers.

Two vulnerabilities affect internal firmware and potentially allow code execution in the environment of the operating system used in Broadcom chips, which allows attacks on environments that do not use Linux (for example, the possibility of attacking Apple devices has been confirmed, CVE-2019-8564). Recall that some Broadcom Wi-Fi chips are a specialized processor (ARM Cortex R4 or M3), which runs similar to its operating system from implementations of its 802.11 wireless stack (FullMAC). In such chips, the driver ensures the interaction of the main system with the firmware of the Wi-Fi chip. To gain full control over the main system after FullMAC is compromised, it is proposed to use additional vulnerabilities or, on some chips, take advantage of the availability of full access to system memory. In chips with SoftMAC, the 802.11 wireless stack is implemented on the driver side and runs using the system CPU.


Vulnerabilities in drivers for Broadcom WiFi chips that allow remote attacks on the system

Driver vulnerabilities affect both the proprietary wl driver (SoftMAC and FullMAC) and the open-source brcmfmac (FullMAC). Two buffer overflows were detected in the wl driver, exploited when the access point transmits specially crafted EAPOL messages during connection negotiation (an attack can be performed when connecting to a malicious access point). In the case of the SoftMAC chip, the vulnerabilities lead to kernel compromise, while in the case of FullMAC, code execution can occur in the firmware. In brcmfmac, a buffer overflow and a frame validation error are present, exploited by sending control frames. In the kernel Linux problems with the brcmfmac driver were eliminated in February.

Identified vulnerabilities:

  • CVE-2019-9503 - Incorrect behavior of the brcmfmac driver when processing control frames used to interact with the firmware. If a frame with a firmware event comes from an external source, the driver discards it, but if the event is received via the internal bus, the frame is skipped. The problem is that events from devices using USB are transmitted through the internal bus, which allows attackers to successfully transmit firmware control frames in the case of using wireless adapters with a USB interface;
  • CVE-2019-9500 - Enabling "Wake-up on Wireless LAN" can cause a heap overflow in the brcmfmac driver (brcmf_wowl_nd_results function) by sending a specially modified control frame. This vulnerability can be used to organize the execution of code in the main system after a chip compromise or in combination with the CVE-2019-9503 vulnerability to bypass checks in the event of a remote control frame send;
  • CVE-2019-9501 - Buffer overflow in the wl driver (wlc_wpa_sup_eapol function) that occurs when processing messages with manufacturer information field content exceeding 32 bytes;
  • CVE-2019-9502 - Buffer overflow in the wl driver (wlc_wpa_plumb_gtk function) that occurs when processing messages with manufacturer information field content exceeding 164 bytes.

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster