Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks

Broadcom WiFi chipset drivers have been found to contain vulnerabilities impacting multiple operating systems and allowing potential attackers to remotely execute arbitrary code and to trigger denial-of-service conditions, according to a DHS/CISA alert and a CERT/CC vulnerability note.

Quarkslab intern Hugues Anguelkov reported five vulnerabilities he found in the "Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets" while reverse engineering and fuzzing the firmware of Broadcom WiFi chips.

As he discovered, "The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow."

The Common Weakness Enumeration database describes heap buffer overflows in the CWE-122 entry, stating that they can lead to system crashes or to the impacted software going into an infinite loop, while also allowing attackers "to execute arbitrary code, which is usually outside the scope of a program's implicit security policy" and to bypass security services.

To underline the seriousness of the flaws he found, Anguelkov says in his analysis:

You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a MacBook, a Samsung phone or a Huawei phone, etc. Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.

As the CERT/CC vulnerability note written by Trent Novelly explains, potential remote and unauthenticated attackers could exploit the Broadcom WiFi chipset driver vulnerabilities by sending maliciously-crafted WiFi packets to execute arbitrary code on vulnerable machines. However, as further detailed by Novelly, "More typically, these vulnerabilities will result in denial-of-service attacks."

This is confirmed by Anguelkov who said that "Two of those vulnerabilities are present both in the Linux kernel and firmware of affected Broadcom chips. The most common exploitation scenario leads to a remote denial of service. Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario."

The CERT/CC vulnerability note describes the four brcmfmac and Broadcom wl driver vulnerabilities (tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503) as follows:

Vulnerabilities in the open source brcmfmac driver:
CVE-2019-9503: If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed.
CVE-2019-9500: If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.
NOTE: The brcmfmac driver only works with Broadcom FullMAC chipsets.

Vulnerabilities in the Broadcom wl driver:
Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).
CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.
NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host's kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset's firmware.
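Added here as an illustration, not Broadcom's code or part of the CERT/CC note: a hypothetical key-data element walker in C showing the length check that keeps a vendor information element inside a fixed 32-byte buffer, the class of defect CVE-2019-9501 describes. The function names, the buffer size constant and the sample bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a key-data TLV (information element) walker, not Broadcom's
 * code: it shows the length check whose absence the advisory describes. */
#define IE_VENDOR_SPECIFIC 0xDD /* 802.11 element ID for vendor-specific IEs */
#define VENDOR_IE_MAX      32   /* fixed destination size, the 32-byte limit in CVE-2019-9501 */
enum { IE_ERR_TRUNCATED = -1, IE_ERR_TOO_LONG = -2 };

/* Walk ID/length/value elements. A vendor IE payload is copied into `out` only after its
 * length is checked against both the bytes actually present and the destination size.
 * Returns the number of vendor IEs copied, or a negative IE_ERR_* code. */
int parse_key_data(const uint8_t *data, size_t len, uint8_t out[VENDOR_IE_MAX], size_t *out_len)
{
    size_t off = 0;
    int count = 0;
    while (off + 2 <= len) {
        uint8_t id = data[off];
        uint8_t ie_len = data[off + 1];
        if (ie_len > len - off - 2)
            return IE_ERR_TRUNCATED;    /* IE claims more bytes than the frame carries */
        if (id == IE_VENDOR_SPECIFIC) {
            if (ie_len > VENDOR_IE_MAX)
                return IE_ERR_TOO_LONG; /* the check that keeps memcpy inside the buffer */
            memcpy(out, data + off + 2, ie_len);
            *out_len = ie_len;
            count++;
        }
        off += 2 + ie_len;
    }
    return count;
}

/* Constructed sample: a 2-byte IE followed by a 4-byte vendor IE; expect 1 copied. */
int demo_well_formed(void)
{
    const uint8_t kd[] = {0x30, 0x02, 0x01, 0x00, 0xDD, 0x04, 0x00, 0x50, 0xF2, 0x02};
    uint8_t out[VENDOR_IE_MAX]; size_t n = 0;
    int r = parse_key_data(kd, sizeof kd, out, &n);
    return (r == 1 && n == 4 && out[1] == 0x50) ? 1 : 0;
}

/* Constructed sample: a vendor IE declaring 40 bytes, all present; expect IE_ERR_TOO_LONG. */
int demo_oversized(void)
{
    uint8_t kd[2 + 40] = {0xDD, 40};
    uint8_t out[VENDOR_IE_MAX]; size_t n = 0;
    return parse_key_data(kd, sizeof kd, out, &n);
}
```

Without the VENDOR_IE_MAX comparison, the second sample would write 40 bytes into a 32-byte buffer, which is the heap overflow pattern the advisory assigns to wlc_wpa_sup_eapol.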

A list of all 166 vendors which use potentially vulnerable Broadcom WiFi chipsets within their devices is available at the end of the CERT/CC vulnerability note.

According to the detailed disclosure timeline published by Anguelkov, Broadcom patched the two vulnerabilities discovered in the open source brcmfmac Linux kernel wireless driver for FullMAC cards on February 14, 2019.

Apple also patched the CVE-2019-8564 vulnerability as part of a security update issued for macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and macOS Mojave 10.14.3, adding a description of the issue to the patch changelog on April 15, one day before the researcher disclosed the vulnerabilities.

The only other vendor besides Apple and Broadcom which provided information about the vulnerability status of their devices is Extreme Networks, saying in an April 9 statement that "For VU#166939, WiNG wireless products from Extreme Networks, Inc. are not affected because we do not use the affected chipsets or drivers."
