Vulnerabilities in drivers for Broadcom WiFi chips that allow remote attacks on the system

Four vulnerabilities have been identified in the drivers for Broadcom wireless chips. In the simplest case they can be used to cause a remote denial of service, but scenarios are also possible in which exploits are developed that let an unauthenticated attacker execute code with Linux kernel privileges by sending specially crafted packets.

The issues were identified during reverse engineering of Broadcom firmware. The vulnerable chips are widely used in laptops, smartphones and various consumer devices, from smart TVs to IoT devices. In particular, Broadcom chips are used in smartphones from manufacturers such as Apple, Samsung and Huawei. It is noteworthy that Broadcom was notified of the vulnerabilities back in September 2018, but it took about 7 months to release fixes coordinated with the equipment manufacturers.

Two of the vulnerabilities affect the chip's internal firmware and potentially allow code execution in the environment that runs inside the Broadcom chip, which makes non-Linux systems attackable as well (for example, an attack on Apple devices has been confirmed, CVE-2019-8564). Recall that some Broadcom Wi-Fi chips contain a dedicated processor (ARM Cortex-R4 or Cortex-M3) running its own operating-system-like firmware that implements the 802.11 wireless stack (FullMAC). On such chips the driver handles the interaction between the host system and the Wi-Fi chip firmware. To gain full control of the host after the FullMAC firmware has been compromised, additional vulnerabilities are needed or, on some chips, the firmware's full access to host memory can be exploited. On SoftMAC chips the 802.11 stack is implemented on the driver side and runs on the host CPU.


Vulnerabilities are present both in the proprietary wl driver (SoftMAC and FullMAC) and in the open-source brcmfmac driver (FullMAC). The wl driver has two buffer overflows triggered when an access point sends specially crafted EAPOL messages during connection negotiation, so the attack can be mounted by a malicious access point the victim connects to. On a SoftMAC chip these lead to compromise of the host kernel; on a FullMAC chip the code runs on the firmware side. brcmfmac has a buffer overflow and a flawed check when processing frames, both exploited by sending control frames. In the Linux kernel, the brcmfmac problems were fixed in February.

Identified vulnerabilities:

  • CVE-2019-9503 - Incorrect handling by the brcmfmac driver of the control (event) frames used to communicate with the firmware. If a frame carrying a firmware event arrives from an external source, the driver discards it, but if the event arrives via the internal bus the check is skipped and the frame is processed. The problem is that events from USB-attached devices are delivered through the internal bus path, which lets an attacker get remotely sent firmware control frames processed when a wireless adapter with a USB interface is in use;
  • CVE-2019-9500 - With "Wake-up on Wireless LAN" enabled, a specially crafted control frame can cause a heap overflow in the brcmfmac driver (brcmf_wowl_nd_results function). The vulnerability can be used to achieve code execution on the host after the chip has been compromised or, when combined with CVE-2019-9503 (which bypasses the check on remotely sent control frames), directly by a remote attacker;
  • CVE-2019-9501 - Buffer overflow in the wl driver (wlc_wpa_sup_eapol function) triggered when processing messages whose vendor-specific information element is longer than 32 bytes;
  • CVE-2019-9502 - Buffer overflow in the wl driver (wlc_wpa_plumb_gtk function) triggered when processing messages whose vendor-specific information element is longer than 164 bytes.
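As an added illustration of the bug class behind CVE-2019-9501 and CVE-2019-9502 (and, with an SSID in place of the vendor element, CVE-2019-9500), not code from the wl driver, from brcmfmac or from the researchers: the key-data field of an EAPOL-Key message is a sequence of 802.11 elements (ID byte, length byte, value), and a handler that copies the vendor-specific element (ID 221) into a fixed buffer while trusting the length byte taken from the frame overflows as soon as the access point claims more than the buffer holds. The struct, function and buffer names and the key-data blob below are hypothetical and constructed here; the 32-byte limit mirrors the one in the CVE-2019-9501 description. The hardened variant shows the two checks a practitioner wants: the element must fit in the remaining key data, and it must fit in the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_ID_VENDOR_SPECIFIC 0xdd   /* 802.11 element ID 221 */
#define VENDOR_IE_MAX 32             /* hypothetical fixed buffer; same limit as in the CVE text */

struct sup_state {                   /* hypothetical supplicant state, not wl's */
    uint8_t vendor_ie[VENDOR_IE_MAX];
    size_t  vendor_ie_len;
    uint8_t ptk[48];                 /* adjacent data an overflow would clobber */
};

/* Vulnerable pattern: the length byte from the frame bounds the memcpy, the
 * destination size does not. Calling this with a vendor element longer than
 * 32 bytes writes past vendor_ie into ptk (the CVE-2019-9501 situation). */
static int copy_vendor_ie_unchecked(struct sup_state *st, const uint8_t *ie)
{
    size_t len = ie[1];
    memcpy(st->vendor_ie, ie + 2, len);   /* overflow if len > VENDOR_IE_MAX */
    st->vendor_ie_len = len;
    return 0;
}

/* Hardened pattern: walk the key data with remaining-length checks and bound
 * the copy by the destination size. Returns 0 on success, -1 if the key data
 * is malformed, the element does not fit, or no vendor element is present. */
static int copy_vendor_ie_checked(struct sup_state *st,
                                  const uint8_t *key_data, size_t key_data_len)
{
    size_t off = 0;

    while (off + 2 <= key_data_len) {
        uint8_t id  = key_data[off];
        size_t  len = key_data[off + 1];

        if (len > key_data_len - off - 2)
            return -1;                    /* element claims bytes that are not there */

        if (id == IE_ID_VENDOR_SPECIFIC) {
            if (len > VENDOR_IE_MAX)
                return -1;                /* oversized vendor element: reject, never copy */
            memcpy(st->vendor_ie, key_data + off + 2, len);
            st->vendor_ie_len = len;
            return 0;
        }
        off += 2 + len;
    }
    return -1;
}

/* Constructed key-data blob: a 2-byte stand-in for an RSN element (ID 48)
 * followed by a vendor-specific element of the requested length. Returns the
 * total length written, or 0 if it does not fit. */
static size_t build_key_data(uint8_t *out, size_t out_cap, size_t vendor_len)
{
    static const uint8_t rsn_stub[] = { 0x30, 0x02, 0x01, 0x00 };
    size_t n = 0;

    if (vendor_len > 255 || out_cap < sizeof(rsn_stub) + 2 + vendor_len)
        return 0;
    memcpy(out, rsn_stub, sizeof(rsn_stub));
    n += sizeof(rsn_stub);
    out[n++] = IE_ID_VENDOR_SPECIFIC;
    out[n++] = (uint8_t)vendor_len;
    memset(out + n, 0x41, vendor_len);    /* filler payload */
    return n + vendor_len;
}

/* Runs the hardened parser over a blob whose vendor element is vendor_len long. */
static int checked_result_for_len(size_t vendor_len)
{
    struct sup_state st;
    uint8_t buf[300];
    size_t n = build_key_data(buf, sizeof(buf), vendor_len);

    memset(&st, 0, sizeof(st));
    return n ? copy_vendor_ie_checked(&st, buf, n) : -1;
}

/* Same blob, but the caller passes a key-data length 10 bytes shorter than the
 * element claims: the "truncated frame" case the remaining-length check catches. */
static int checked_result_truncated(void)
{
    struct sup_state st;
    uint8_t buf[300];
    size_t n = build_key_data(buf, sizeof(buf), 40);

    memset(&st, 0, sizeof(st));
    return copy_vendor_ie_checked(&st, buf, n - 10);
}

/* The unchecked copy on an in-bounds element, returning how much it copied.
 * Only safe for vendor_len <= VENDOR_IE_MAX; larger values reproduce the overflow. */
static size_t unchecked_copied_len(size_t vendor_len)
{
    struct sup_state st;
    uint8_t buf[300];

    memset(&st, 0, sizeof(st));
    build_key_data(buf, sizeof(buf), vendor_len);
    copy_vendor_ie_unchecked(&st, buf + 4);   /* vendor element starts after the stub */
    return st.vendor_ie_len;
}

int main(void)
{
    printf("20-byte vendor IE, checked:  %d\n", checked_result_for_len(20));
    printf("40-byte vendor IE, checked:  %d (rejected)\n", checked_result_for_len(40));
    printf("truncated key data, checked: %d (rejected)\n", checked_result_truncated());
    printf("20-byte vendor IE, unchecked copied %zu bytes\n", unchecked_copied_len(20));
    return 0;
}
```

The 164-byte figure for CVE-2019-9502 is the same pattern with a larger destination (the GTK plumbing path); only VENDOR_IE_MAX changes. Note that the hardened walk also refuses an element whose length byte runs past the end of the key data, which is a separate out-of-bounds read that a length-only check on the destination would miss.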

Source: opennet.ru
