Reportedly, flaws in the Broadcom WiFi chipset drivers are putting the phones and operating systems that use them at risk.
This means attackers could execute arbitrary code and cause a denial of service (DoS).
As reported by an intern at a reputed lab, the Broadcom drivers and the open source “brcmfmac” driver possess several vulnerabilities.
As it turns out, the Broadcom wl driver is susceptible to “two heap buffer overflows,” whereas the brcmfmac driver is susceptible to a frame validation bypass as well as a heap buffer overflow.
Per the Common Weakness Enumeration database, heap buffer overflows can cause the software to run in an infinite loop, crash the system, or execute arbitrary code.
All of these outcomes are evidently outside the bounds of the intended security policies and security services.
These Broadcom WiFi chips are used by almost everyone without their knowing it: laptops, IoT devices and smart TVs all carry these chips and their drivers.
Because the chips are so prevalent, they present an even more enormous target range; any simple vulnerability or flaw found in them is a matter of serious risk.
The Broadcom WiFi chipset drivers could be exploited by unauthenticated attackers sending malicious WiFi packets. Such packets could be used to trigger arbitrary code execution, and the attacks could also simply result in a denial of service.
Among the risks to vulnerable devices, denial of service and arbitrary code execution rank at the top. These flaws were found in both the Linux kernel and the firmware of Broadcom chips.
According to the source note, the four brcmfmac and Broadcom wl driver vulnerabilities are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502 and CVE-2019-9503.
· CVE-2019-9503: When the driver receives a firmware event frame from a remote source, the frame is discarded and not processed, whereas the same frame arriving from the host is passed to the appropriate handler. This validation can be bypassed when the bus used is USB.
· CVE-2019-9500: A malicious event frame can be constructed to trigger a heap buffer overflow.
· CVE-2019-9501: When the vendor information data is larger than 32 bytes, a heap buffer overflow is triggered in “wlc_wpa_sup_eapol”.
· CVE-2019-9502: When the vendor information data length is larger than 164 bytes, a heap buffer overflow is triggered in “wlc_wpa_plumb_gtk”.
If the wl driver is used with SoftMAC chipsets, the vulnerabilities are triggered in the host’s kernel, whereas with FullMAC chipsets they are triggered in the chipset’s firmware.
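As an added illustration (not code from the article, from Broadcom, or from the brcmfmac/wl drivers), the C program below shows the kind of length check whose absence produces heap overflows like the two described above: an information element carries a one-byte length that the sender controls, so before anything is copied the parser must verify both that the frame actually contains that many bytes and that they fit the fixed-size destination. The 32- and 164-byte limits mirror the sizes quoted in the article but are constructed constants here, as are the element id 0xdd, the function names and the filler payloads.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limits mirroring the sizes quoted in the article; they are
 * not the drivers' real constants. */
#define SUP_EAPOL_VENDOR_MAX 32
#define PLUMB_GTK_VENDOR_MAX 164

enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_LONG = -2, IE_BAD_ARG = -3 };

/* Copy the payload of one id/len/value information element from `frame`
 * into `dst`. The length byte is attacker-controlled, so it is checked
 * against both the bytes actually received and the destination capacity
 * before memcpy is reached. Returns an ie_status code. */
int copy_vendor_ie(const uint8_t *frame, size_t frame_len,
                   uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (frame == NULL || dst == NULL)
        return IE_BAD_ARG;
    if (frame_len < 2)                       /* no room for id + length */
        return IE_TRUNCATED;
    size_t ie_len = frame[1];
    if (ie_len + 2 > frame_len)              /* claims more than was received */
        return IE_TRUNCATED;
    if (ie_len > dst_cap)                    /* would overrun the fixed buffer */
        return IE_TOO_LONG;
    memcpy(dst, frame + 2, ie_len);
    if (out_len != NULL)
        *out_len = ie_len;
    return IE_OK;
}

/* Build a constructed vendor-specific element (id 0xdd) carrying
 * `payload_len` filler bytes and try to copy it into a buffer of `cap`
 * bytes. Used to exercise the boundary at 32 and 164 bytes. */
int check_fits(size_t payload_len, size_t cap)
{
    uint8_t frame[2 + 255];                  /* one-byte length field: max 255 */
    uint8_t dst[PLUMB_GTK_VENDOR_MAX];
    if (payload_len > 255 || cap > sizeof dst)
        return IE_BAD_ARG;
    frame[0] = 0xdd;
    frame[1] = (uint8_t)payload_len;
    memset(frame + 2, 0xaa, payload_len);
    return copy_vendor_ie(frame, 2 + payload_len, dst, cap, NULL);
}

/* A constructed frame whose length byte claims 40 bytes although only 10 follow. */
int check_truncated(void)
{
    uint8_t frame[12] = { 0xdd, 40 };        /* remaining bytes zero-filled */
    uint8_t dst[SUP_EAPOL_VENDOR_MAX];
    return copy_vendor_ie(frame, sizeof frame, dst, sizeof dst, NULL);
}

int main(void)
{
    printf("32-byte payload into 32-byte buffer:   %d (expect %d)\n",
           check_fits(32, SUP_EAPOL_VENDOR_MAX), IE_OK);
    printf("33-byte payload into 32-byte buffer:   %d (expect %d)\n",
           check_fits(33, SUP_EAPOL_VENDOR_MAX), IE_TOO_LONG);
    printf("164-byte payload into 164-byte buffer: %d (expect %d)\n",
           check_fits(164, PLUMB_GTK_VENDOR_MAX), IE_OK);
    printf("165-byte payload into 164-byte buffer: %d (expect %d)\n",
           check_fits(165, PLUMB_GTK_VENDOR_MAX), IE_TOO_LONG);
    printf("truncated frame:                       %d (expect %d)\n",
           check_truncated(), IE_TRUNCATED);
    return 0;
}
```

The two checks are deliberately separate: the first (length versus bytes received) prevents an over-read of the receive buffer, the second (length versus destination capacity) prevents the heap over-write. A driver that performs only the first, or trusts the length byte for either, exhibits exactly the class of defect the CVEs above describe.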
Over 160 vendors that use Broadcom WiFi chipsets in their devices stand vulnerable.
Two of the vulnerabilities, found in the open source brcmfmac Linux kernel driver, have been patched.
The CVE-2019-8564 vulnerability had been patched by Apple as part of a security update, a day before the developer revealed the vulnerabilities.