Broadcom WiFi Chipset Driver Vulnerabilities: CERT Warning

Multiple vulnerabilities in drivers for two Broadcom WiFi chipsets could be exploited by a remote attacker to control an affected system, an alert posted by the U.S. Computer Emergency Readiness Team (CERT) said.

The flaws affect the Broadcom wl driver and the open-source brcmfmac driver. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow, the alert said.

Under the worst of circumstances, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system by sending specially-crafted WiFi packets. The likely event, however, is the chipset driver vulnerabilities would result in denial-of-service attacks, the note said.

The bugs were first reported in a blog post by Hugues Anguelkov during his internship at Quarkslab, a Paris-based security researcher. Broadcom was made aware of the vulnerabilities last September at which time it acknowledged Anguelkov’s report. In November, CERT’s coordination center for the Software Engineering Institute got involved, hence the subsequent Vulnerability Note VU#166939 issued on April 17, 2019.

As of late last month, Broadcom had still not confirmed or denied the bug report. At that time, Apple said it was working on a fix slated for release on April 14th, 2019. In the meantime, Broadcom has patched the brcmfmac driver to address these vulnerabilities, the alert said. Of note, according to CERT’s chronology of the bug notification history, Broadcom’s original response indicated that it did not support the brcmfmac driver and declined to provide information about the wl driver.

All told, some 166 vendors could be affected by the vulnerabilities. So far, Apple, Synology and Zyxel are affected. (On April 16, Apple issued its patch). Extreme Networks said that none of its WiNG wireless products are affected because it does not use the affected chipsets or drivers.

It’s not clear which among a long list of vendors, including AT&T, Blackberry, Brocade, Cisco, Dell, HP, IBM, Microsoft and others, have or will be affected by the vulnerabilities.

Broadcom is a key chip supplier for wireless devices worldwide, including not only smartphones but also smart televisions and a myriad of Internet of Things products. “Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk,” Anguelkov wrote in the blog post.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.