In drivers for Broadcom wireless chips
The issues were identified during reverse engineering of Broadcom firmware. The vulnerable chips are widely used in laptops, smartphones and a range of consumer devices, from smart TVs to IoT devices. In particular, Broadcom chips are used in smartphones from manufacturers such as Apple, Samsung and Huawei. It is noteworthy that Broadcom was notified of the vulnerabilities back in September 2018, but it took about 7 months before fixes coordinated with equipment manufacturers were released.
Two of the vulnerabilities affect the internal firmware and potentially allow code execution in the environment used by Broadcom chips, which makes it possible to attack non-Linux environments as well (for example, the possibility of attacking Apple devices has been confirmed,
On the driver side, vulnerabilities are present both in the proprietary wl driver (SoftMAC and FullMAC) and in the open source brcmfmac driver (FullMAC). The wl driver has two buffer overflows that are triggered when the access point sends specially crafted EAPOL messages during connection negotiation (the attack is possible when connecting to a malicious access point). For a SoftMAC chip the vulnerabilities lead to a compromise of the system kernel; for a FullMAC chip the code can be executed on the firmware side. brcmfmac has a buffer overflow and a frame-processing check error, both triggered by sending control frames. In the Linux kernel, problems in the brcmfmac driver
Identified vulnerabilities:
- CVE-2019-9503 - Incorrect behavior of the brcmfmac driver when processing the control frames used to interact with the firmware. If a frame carrying a firmware event arrives from an external source, the driver discards it, but if the event arrives via the internal bus, the frame is let through. The problem is that events from USB devices are delivered over the internal bus, which allows an attacker to successfully deliver firmware control frames when wireless adapters with a USB interface are used;
- CVE-2019-9500 - With "Wake-up on Wireless LAN" enabled, a specially modified control frame can cause a heap overflow in the brcmfmac driver (brcmf_wowl_nd_results function). The vulnerability can be used to achieve code execution in the host system after a chip compromise, or combined with CVE-2019-9503 to bypass the checks when the control frame is sent remotely;
- CVE-2019-9501 - Buffer overflow in the wl driver (wlc_wpa_sup_eapol function) that occurs when processing messages whose vendor information field content exceeds 32 bytes;
- CVE-2019-9502 - Buffer overflow in the wl driver (wlc_wpa_plumb_gtk function) that occurs when processing messages whose vendor information field content exceeds 164 bytes.
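The class of defect behind CVE-2019-9500 (a firmware event whose declared result count is trusted before the data is copied into a fixed-size destination) can be illustrated with a hardened event parser. The following is an added example written for this article; it is not brcmfmac code, and the event layout, the `parse_nd_event` function and the sample frames are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical event layout (not the brcmfmac wire format): a 4-byte header
 * followed by `count` fixed-size network-detect result entries. */
#define SUBTYPE_EVENT 1
#define RESULT_SIZE   8
#define MAX_RESULTS   4            /* capacity of the destination buffer */

struct event_hdr {
    uint8_t subtype;               /* SUBTYPE_EVENT marks a firmware event */
    uint8_t count;                 /* number of RESULT_SIZE entries claimed */
    uint8_t reserved[2];
};

struct nd_results {
    size_t n;
    uint8_t entry[MAX_RESULTS][RESULT_SIZE];
};

/* Returns 0 on success, a negative code when the frame is rejected.
 * The declared count is checked against both the frame length and the
 * destination capacity before any byte is copied. */
int parse_nd_event(const uint8_t *buf, size_t len, struct nd_results *out)
{
    struct event_hdr hdr;
    if (len < sizeof hdr) return -1;                 /* truncated header */
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.subtype != SUBTYPE_EVENT) return -2;     /* not a firmware event */
    if (hdr.count > MAX_RESULTS) return -3;          /* would overflow out->entry */
    if (len - sizeof hdr < (size_t)hdr.count * RESULT_SIZE) return -4; /* claims more than present */
    out->n = hdr.count;
    for (size_t i = 0; i < out->n; i++)
        memcpy(out->entry[i], buf + sizeof hdr + i * RESULT_SIZE, RESULT_SIZE);
    return 0;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[]  = { SUBTYPE_EVENT, 2, 0, 0,
    1, 2, 3, 4, 5, 6, 7, 8,  9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t short_frame[] = { SUBTYPE_EVENT, 3, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t big_frame[]   = { SUBTYPE_EVENT, 200, 0, 0 };

/* Small wrappers so the outcome of each frame can be checked by return value. */
int check_frame(const uint8_t *buf, size_t len)
{
    struct nd_results r;
    return parse_nd_event(buf, len, &r);
}
int accepted_count(const uint8_t *buf, size_t len)
{
    struct nd_results r;
    return parse_nd_event(buf, len, &r) == 0 ? (int)r.n : -1;
}
```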
Source: opennet.ru