Security experts have alerted users to serious security vulnerabilities in Broadcom WiFi chipset drivers. The flaws can be exploited in a variety of ways and affect multiple operating systems.
Vulnerabilities in Broadcom WiFi Chipset Drivers
According to a recently released CERT Coordination Center (CERT/CC) advisory, there are multiple vulnerabilities in Broadcom WiFi chipset drivers. These vulnerabilities could give complete control of the target system to a remote attacker.
As elaborated in their vulnerability note VU#166939, as many as four different vulnerabilities existed in two different Broadcom drivers. Of these four, two vulnerabilities affected the open source brcmfmac driver, whereas the other two existed in the Broadcom wl driver.
Describing the first vulnerability (CVE-2019-9503) in the brcmfmac driver, the advisory states,
“If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called.”
However, when USB is used as the bus (for example, with a WiFi dongle), this verification is bypassed, so a firmware event frame from a remote source is processed.
The other bug (CVE-2019-9500) may allow an attacker to compromise the host, or to mount an attack by exploiting it in combination with CVE-2019-9503. As stated in the CERT/CC advisory,
“If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function.”
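The two brcmfmac issues above pair a source check that is skipped on one bus with an event handler that can be overflowed by frame contents. The following C model is an added example, not code from the advisory or the driver: the frame layout, the length field, RESULT_MAX and every function name are constructed for illustration. It shows the source check applied on every bus and a length check kept as an independent second layer.

```c
/* Added illustration: simplified model, not brcmfmac source. Names are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RESULT_MAX 32 /* constructed size of the destination buffer */
enum bus_type { BUS_SDIO, BUS_PCIE, BUS_USB };
enum rx_status { RX_HANDLED = 0, RX_DROP_REMOTE = -1, RX_DROP_LENGTH = -2 };

struct event_frame {
    bool from_remote;       /* true: remote source; false: from the host */
    uint8_t declared_len;   /* length field carried inside the frame (assumed) */
    const uint8_t *payload;
    size_t payload_len;     /* bytes actually received */
};

/* Source check as the advisory describes the flaw: not enforced on USB. */
bool gate_flawed(enum bus_type bus, const struct event_frame *f)
{
    return bus == BUS_USB || !f->from_remote;
}

/* Source check enforced on every bus. */
bool gate_fixed(enum bus_type bus, const struct event_frame *f)
{
    (void)bus;
    return !f->from_remote;
}

/* Handler: declared length is checked against destination and received bytes. */
enum rx_status handle_event(bool (*gate)(enum bus_type, const struct event_frame *),
                            enum bus_type bus, const struct event_frame *f,
                            uint8_t out[RESULT_MAX])
{
    if (!gate(bus, f))
        return RX_DROP_REMOTE;
    if (f->declared_len > RESULT_MAX || f->declared_len > f->payload_len)
        return RX_DROP_LENGTH;
    memcpy(out, f->payload, f->declared_len);
    return RX_HANDLED;
}

int main(void)
{
    uint8_t out[RESULT_MAX], big[64] = {0};
    struct event_frame remote = { true, 64, big, sizeof big }; /* constructed frame */
    printf("flawed gate on USB: %d\n", handle_event(gate_flawed, BUS_USB, &remote, out));
    printf("fixed gate on USB:  %d\n", handle_event(gate_fixed, BUS_USB, &remote, out));
}
```

With the flawed gate on USB, only the length check stands between a remote frame and the copy, which is why the advisory treats the two brcmfmac bugs as a combination.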
Apart from these, the advisory also highlighted two heap overflow bugs, CVE-2019-9501 and CVE-2019-9502, in the Broadcom wl driver.
“Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).”
Impact Of Vulnerabilities And The Patch
As explained in the CERT/CC advisory, the Broadcom open source brcmfmac driver only works with FullMAC chipsets. However, the vulnerabilities in the wl driver behave differently.
“When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware.”
Regarding the impact of these flaws, an unauthenticated remote attacker may be able to execute arbitrary code on the target system by sending maliciously crafted WiFi packets. A typical result of such attacks is a denial of service.
The advisory further lists all the vendors affected or unaffected by these vulnerabilities. Since the patched brcmfmac driver is available, affected users must ensure they update their systems accordingly. As a further mitigation, users should connect only to trusted WiFi networks.