Bug 1701224 (CVE-2019-9500)

Summary: CVE-2019-9500 kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, airlied, apmukher, asavkov, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mmezynsk, nmurray, plougher, rhandlin, rt-maint, rvrbovsk, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-09-04 13:07:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1701225, 1704879, 1704880, 1704881, 1704882, 1705384, 1705385, 1705386, 1705388, 1705389, 1751256, 1758122, 1759584, 1759585
Bug Blocks: 1701228

Description msiddiqu 2019-04-18 12:21:41 UTC
If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out, although we believe it is unlikely.

Introduced in:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3021ad9a4f009265e6063e617fb91306980af16c

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5e2423164b3670e8bc9174e4762d297990deff

External References:

https://kb.cert.org/vuls/id/166939/

https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html#cve-2019-9500-heap-buffer-overflow-in-brcmf-wowl-nd-results

https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/
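The flaw class named in the description is a count or length field taken from a chipset-supplied event frame and used to drive a copy into a fixed-size heap buffer. The following is an added, constructed illustration of the defensive pattern a host driver needs at that boundary; it is not the brcmfmac driver's code and not the upstream patch, and the frame layout (the one-byte result count, ND_MAX_RESULTS, ND_ENTRY_SIZE, nd_parse_event and the other names) is a hypothetical layout chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical event layout (not the brcmfmac wire format):
 *   frame = [count:1][count * ND_ENTRY_SIZE bytes]
 *   entry = [ssid_len:1][ssid:32][channel:1]
 */
#define ND_MAX_RESULTS 8
#define ND_SSID_LEN    32
#define ND_ENTRY_SIZE  (1 + ND_SSID_LEN + 1)

struct nd_entry {
    uint8_t ssid_len;
    uint8_t ssid[ND_SSID_LEN];
    uint8_t channel;
};

/* Fixed-size heap object the results are copied into. */
struct nd_results {
    size_t          count;
    struct nd_entry entry[ND_MAX_RESULTS];
};

/* Parse an untrusted event frame into *out.
 * Returns the number of entries copied, or -1 if the frame is malformed.
 * Every field read from the frame is checked against the size of the
 * destination it is about to be written to, before any copy happens. */
int nd_parse_event(const uint8_t *frame, size_t frame_len, struct nd_results *out)
{
    if (frame == NULL || out == NULL || frame_len < 1)
        return -1;

    size_t count = frame[0];
    /* Check 1: the chip-supplied count must fit the heap array. */
    if (count > ND_MAX_RESULTS)
        return -1;
    /* Check 2: the frame must really carry that many entries. */
    if (frame_len - 1 < count * ND_ENTRY_SIZE)
        return -1;

    const uint8_t *p = frame + 1;
    for (size_t i = 0; i < count; i++) {
        uint8_t ssid_len = p[0];
        /* Check 3: per-entry length must fit the fixed SSID field. */
        if (ssid_len > ND_SSID_LEN)
            return -1;
        out->entry[i].ssid_len = ssid_len;
        memcpy(out->entry[i].ssid, p + 1, ssid_len);
        memset(out->entry[i].ssid + ssid_len, 0, ND_SSID_LEN - ssid_len);
        out->entry[i].channel = p[1 + ND_SSID_LEN];
        p += ND_ENTRY_SIZE;
    }
    out->count = count;
    return (int)count;
}

/* Build a constructed test frame: 'claimed' goes into the count byte,
 * 'real' entries (SSID "test", channel 6) are actually appended.
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t nd_build_frame(uint8_t *buf, size_t buf_len, uint8_t claimed, uint8_t real)
{
    size_t need = 1 + (size_t)real * ND_ENTRY_SIZE;
    if (buf_len < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = claimed;
    for (size_t i = 0; i < real; i++) {
        uint8_t *e = buf + 1 + i * ND_ENTRY_SIZE;
        e[0] = 4;
        memcpy(e + 1, "test", 4);
        e[1 + ND_SSID_LEN] = 6;
    }
    return need;
}

/* Scenario: run one constructed frame through the parser and return its verdict. */
int nd_scenario(uint8_t claimed, uint8_t real)
{
    uint8_t frame[1 + 2 * ND_ENTRY_SIZE];      /* room for two real entries */
    size_t len = nd_build_frame(frame, sizeof frame, claimed, real);
    struct nd_results *res = calloc(1, sizeof *res);
    if (res == NULL)
        return -1;
    int r = nd_parse_event(frame, len, res);
    free(res);
    return r;
}

int main(void)
{
    printf("well-formed (2 of 2):   %d\n", nd_scenario(2, 2));   /* 2  */
    printf("count exceeds buffer:   %d\n", nd_scenario(200, 2)); /* -1 */
    printf("truncated (claims 3):   %d\n", nd_scenario(3, 2));   /* -1 */
    return 0;
}
```

The two rejected cases correspond to the two ways an untrusted count can drive an overflow: a value larger than the heap array it indexes, and a value larger than the data actually present, which turns the copy into an over-read of whatever follows the frame. Checking both before the loop, rather than inside it, keeps the partially filled state out of reach of later code.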

Comment 1 msiddiqu 2019-04-18 12:22:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1701225]

Comment 2 Fedora Update System 2019-04-25 01:33:37 UTC
kernel-5.0.9-200.fc29, kernel-headers-5.0.9-200.fc29, kernel-tools-5.0.9-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2019-04-25 23:24:30 UTC
kernel-5.0.9-100.fc28, kernel-headers-5.0.9-100.fc28, kernel-tools-5.0.9-100.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 errata-xmlrpc 2019-09-03 17:41:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2600 https://access.redhat.com/errata/RHSA-2019:2600

Comment 12 errata-xmlrpc 2019-09-03 17:42:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2609 https://access.redhat.com/errata/RHSA-2019:2609

Comment 13 Product Security DevOps Team 2019-09-04 13:07:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9500

Comment 14 errata-xmlrpc 2019-09-10 19:00:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703

Comment 18 errata-xmlrpc 2019-09-11 16:42:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741

Comment 26 errata-xmlrpc 2019-10-01 07:59:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2945 https://access.redhat.com/errata/RHSA-2019:2945

Comment 29 errata-xmlrpc 2019-10-29 12:55:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217

Comment 30 errata-xmlrpc 2019-12-10 12:38:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:4168 https://access.redhat.com/errata/RHSA-2019:4168

Comment 31 errata-xmlrpc 2019-12-10 12:38:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:4171 https://access.redhat.com/errata/RHSA-2019:4171