Multiple vulnerabilities have been found in Broadcom WiFi chipset drivers, impacting several operating systems and potentially allowing remote attackers to execute arbitrary code or trigger a denial of service, according to a DHS/CISA alert and a CERT/CC vulnerability note.
Quarkslab intern Hugues Anguelkov reported five vulnerabilities he found in the “Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets” while reverse engineering and fuzzing the firmware of Broadcom WiFi chips.
As he discovered, “The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.”
The Common Weakness Enumeration database describes heap buffer overflows in its CWE-122 entry, noting that they generally lead to crashes or to the affected program being put into an infinite loop, and that they can also allow attackers “to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy” and to bypass security services.
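To make the CWE-122 bug class concrete in the shape it takes in a WiFi driver, here is an added example in C. It is not the Broadcom wl or brcmfmac code (the page gives no details of those bugs); it is a constructed, simplified stand-in for an 802.11 information-element parser, with a hypothetical `struct scan_result`, an element layout of ID, length, payload, and the 32-octet SSID limit from 802.11. The vulnerable parser trusts the length byte from the received frame when copying into a fixed-size heap object; the hardened parser bounds it by both the destination size and the bytes actually present.

```c
/*
 * Added illustration of CWE-122 (heap buffer overflow) in a frame parser.
 * Constructed example, NOT the Broadcom wl/brcmfmac code. The frame layout
 * (element ID, length byte, payload) is a simplified stand-in for an 802.11
 * information element; struct scan_result is a hypothetical driver object.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IE_SSID      0   /* element ID used by this example */
#define MAX_SSID_LEN 32  /* 802.11 caps an SSID at 32 octets */

/* Per-network object a driver would keep on the heap. */
struct scan_result {
    uint8_t  ssid_len;
    uint8_t  ssid[MAX_SSID_LEN];
    uint32_t flags;   /* sits right after ssid: first field an overflow smashes */
};

/* VULNERABLE: frame[1] is attacker-controlled (0..255) but the destination
 * holds 32 bytes. Any length > 32 writes past ssid into flags and then into
 * whatever heap chunk follows. Only call this with a well-formed frame: with
 * a malicious one it corrupts the heap (undefined behaviour). */
int parse_ssid_vulnerable(const uint8_t *frame, size_t frame_len,
                          struct scan_result **out)
{
    if (frame_len < 2 || frame[0] != IE_SSID)
        return -1;
    struct scan_result *r = calloc(1, sizeof *r);
    if (!r)
        return -1;
    r->ssid_len = frame[1];
    memcpy(r->ssid, frame + 2, frame[1]);   /* no check against MAX_SSID_LEN */
    *out = r;
    return 0;
}

/* HARDENED: bound the length by the destination size and by the bytes that
 * are actually present in the frame before copying anything. */
int parse_ssid_hardened(const uint8_t *frame, size_t frame_len,
                        struct scan_result **out)
{
    if (frame_len < 2 || frame[0] != IE_SSID)
        return -1;
    size_t len = frame[1];
    if (len > MAX_SSID_LEN)       /* over-long SSID: the CWE-122 case */
        return -1;
    if (2 + len > frame_len)      /* truncated frame: would over-read */
        return -1;
    struct scan_result *r = calloc(1, sizeof *r);
    if (!r)
        return -1;
    r->ssid_len = (uint8_t)len;
    memcpy(r->ssid, frame + 2, len);
    *out = r;
    return 0;
}

/* How many bytes the vulnerable parser would write past the end of ssid for
 * a given frame, computed without performing the write. */
size_t overflow_bytes(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2 || frame[1] <= MAX_SSID_LEN)
        return 0;
    return (size_t)frame[1] - MAX_SSID_LEN;
}

/* Constructed frames: a benign 4-byte SSID and one claiming 200 bytes. */
static const uint8_t benign_frame[] = { IE_SSID, 4, 'h', 'o', 'm', 'e' };
static uint8_t malicious_frame[2 + 200];

void build_malicious_frame(void)
{
    malicious_frame[0] = IE_SSID;
    malicious_frame[1] = 200;                 /* > MAX_SSID_LEN */
    memset(malicious_frame + 2, 'A', 200);
}

int main(void)
{
    struct scan_result *r = NULL;
    build_malicious_frame();

    if (parse_ssid_vulnerable(benign_frame, sizeof benign_frame, &r) == 0) {
        printf("vulnerable parser, benign frame: ssid_len=%u\n", r->ssid_len);
        free(r);
    }
    printf("malicious frame would overflow ssid by %zu bytes\n",
           overflow_bytes(malicious_frame, sizeof malicious_frame));
    printf("hardened parser rejects malicious frame: %s\n",
           parse_ssid_hardened(malicious_frame, sizeof malicious_frame, &r) != 0
               ? "yes" : "NO");
    return 0;
}
```

The example deliberately never feeds the malicious frame to the vulnerable parser at run time, because the out-of-bounds write is undefined behaviour. To see the corruption reported, build with `-fsanitize=address` and call `parse_ssid_vulnerable` on `malicious_frame`: the sanitizer flags a heap-buffer-overflow write of 168 bytes past `ssid`. Whether such a write ends in a crash (the denial-of-service case the article describes as typical) or in controlled corruption of an adjacent heap object (the harder remote code execution case) depends on what the allocator placed after the victim object.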
To underline the seriousness of the flaws he found, Anguelkov says in his analysis:
As the CERT/CC vulnerability note written by Trent Novelly explains, remote, unauthenticated attackers could exploit the Broadcom WiFi chipset driver vulnerabilities by sending maliciously crafted WiFi packets to execute arbitrary code on vulnerable machines. However, as Novelly adds, “More typically, these vulnerabilities will result in denial-of-service attacks.”
Anguelkov confirms this, saying that “Two of those vulnerabilities are present both in the Linux kernel and firmware of affected Broadcom chips. The most common exploitation scenario leads to a remote denial of service. Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.”
The CERT/CC vulnerability note describes the brcmfmac and Broadcom wl driver vulnerabilities (tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503) as follows:
A list of all 166 vendors that use potentially vulnerable Broadcom WiFi chipsets in their devices is available at the end of the CERT/CC vulnerability note.
According to the detailed disclosure timeline published by Anguelkov, Broadcom patched the two vulnerabilities found in the open-source brcmfmac Linux kernel wireless driver (the driver used for FullMAC cards) on February 14, 2019.
Apple also patched CVE-2019-8564 as part of a security update for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3, adding a description of the issue to the update’s release notes on April 15, one day before the researcher disclosed the vulnerabilities.
Besides Apple and Broadcom, the only other vendor that has provided information about the vulnerability status of its devices is Extreme Networks, which said in an April 9 statement that “For VU#166939, WiNG wireless products from Extreme Networks, Inc. are not affected because we do not use the affected chipsets or drivers.”