Broadcom WiFi chipset driver vulnerabilities

WiFi chipset driver vulnerabilities

The CERT Coordination Center (CERT/CC) has released a security advisory describing multiple vulnerabilities that impact Broadcom WiFi chipset drivers. Four vendors have confirmed they are impacted at the time of the latest published advisory on Wednesday.

CERT/CC has confirmed the Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities.

The Broadcom wl driver is vulnerable to two heap buffer overflow vulnerabilities (CVE-2019-9501 and CVE-2019-9502) that “can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).”
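As an added illustration of the class of bug named above, the following C example shows the length checks a client needs before trusting an EAPOL-Key frame such as message 3. It is not code from the wl or brcmfmac drivers and does not reconstruct the CVEs, whose details this page does not give. The function names, the 32-byte destination buffer and the sample frame are assumptions made for the example; the 95-byte fixed descriptor assumes a 16-byte MIC, and the key data is assumed to be already decrypted.

```c
#include <stdint.h>
#include <string.h>
#define HDR_LEN     4    /* 802.1X header: version, type, 2-byte body length */
#define TYPE_KEY    3    /* EAPOL-Key packet type */
#define KEY_FIXED   95   /* key descriptor up to and including Key Data Length */
#define ELEM_VENDOR 0xDD /* vendor-specific element type */

/* Return a pointer to Key Data and set *kd_len, or NULL if a length field is inconsistent. */
const uint8_t *eapol_key_data(const uint8_t *f, size_t n, size_t *kd_len)
{
    if (n < HDR_LEN + KEY_FIXED || f[1] != TYPE_KEY)
        return NULL;                     /* too short to hold the fixed fields */
    size_t body = ((size_t)f[2] << 8) | f[3];
    *kd_len = ((size_t)f[HDR_LEN + KEY_FIXED - 2] << 8) | f[HDR_LEN + KEY_FIXED - 1];
    if (body < KEY_FIXED || body > n - HDR_LEN || *kd_len > body - KEY_FIXED)
        return NULL;                     /* a length field exceeds what was received */
    return f + HDR_LEN + KEY_FIXED;
}

/* Copy the first vendor element: returns its length, 0 if absent, -1 if it overruns. */
int copy_vendor_elem(const uint8_t *kd, size_t kd_len, uint8_t *out, size_t out_len)
{
    for (size_t off = 0; kd_len - off >= 2; ) {
        size_t len = kd[off + 1];
        if (len > kd_len - off - 2)      /* element claims more than the key data holds */
            return -1;
        if (kd[off] == ELEM_VENDOR) {
            if (len > out_len)           /* element would overflow the destination */
                return -1;
            memcpy(out, kd + off + 2, len);
            return (int)len;
        }
        off += 2 + len;
    }
    return 0;
}

/* Constructed sample frame with one vendor element; returns -2 if the frame is rejected. */
int check_sample(uint8_t elem_len, uint16_t kd_claim)
{
    uint8_t f[HDR_LEN + KEY_FIXED + 2 + 255] = {0}, out[32];
    size_t kd_len, body = KEY_FIXED + 2 + (size_t)elem_len;
    f[1] = TYPE_KEY; f[2] = (uint8_t)(body >> 8); f[3] = (uint8_t)body;
    uint8_t *k = f + HDR_LEN + KEY_FIXED - 2;   /* Key Data Length, then Key Data */
    k[0] = (uint8_t)(kd_claim >> 8); k[1] = (uint8_t)kd_claim; k[2] = ELEM_VENDOR; k[3] = elem_len;
    const uint8_t *kd = eapol_key_data(f, HDR_LEN + body, &kd_len);
    return kd ? copy_vendor_elem(kd, kd_len, out, sizeof out) : -2;
}
int main(void) { return check_sample(16, 18) == 16 ? 0 : 1; }
```

Every length read from the frame is compared against the bytes actually received, or against the destination size, before it is used as an index or copy count.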

The open-source brcmfmac driver is vulnerable to a frame validation bypass bug (CVE-2019-9503) and a heap buffer overflow bug (CVE-2019-9500).

US/CERT wrote that a remote, unauthenticated attacker could send specially crafted WiFi packets that typically result in a denial-of-service attack on vulnerable systems. In the worst-case scenario, attackers could also execute arbitrary code.

As of April 15, the four vendors listed as impacted by the vulnerabilities are Apple, Broadcom, Synology and Zyxel. None of the vendors had provided statements regarding the vulnerabilities at the time of the latest publication.

Extreme Networks was listed in the advisory as NOT impacted, while for other vendors the advisory listed it as “unknown” whether they are affected by the WiFi chipset driver vulnerabilities.

The brcmfmac driver has been patched to address these vulnerabilities.

Tech-savvy readers can find more vulnerability details in a blog post by Hugues Anguelkov of Quarkslab.