Bug 1701224 (CVE-2019-9500) - CVE-2019-9500 kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results
Summary: CVE-2019-9500 kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9500
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1704880 1704882 1758122 1759584 1759585 1701225 1704879 1704881 1705384 1705385 1705386 1705388 1705389 1751256
Blocks: 1701228
Reported: 2019-04-18 12:21 UTC by msiddiqu
Modified: 2019-10-29 12:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver (which supports only Broadcom FullMAC chipsets), a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. The flaw can be exploited by a compromised chipset to compromise the host, or, when combined with another brcmfmac driver flaw (CVE-2019-9503), it can be reached remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, remote privilege escalation cannot be fully ruled out.
Clone Of:
Environment:
Last Closed: 2019-09-04 13:07:20 UTC



Links
System                  ID              Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2019:2693  None      None    None     2019-09-09 23:27:28 UTC
Red Hat Product Errata  RHBA-2019:2767  None      None    None     2019-09-12 19:12:28 UTC
Red Hat Product Errata  RHBA-2019:2960  None      None    None     2019-10-03 10:06:21 UTC
Red Hat Product Errata  RHBA-2019:2961  None      None    None     2019-10-03 10:12:15 UTC
Red Hat Product Errata  RHSA-2019:2600  None      None    None     2019-09-03 17:41:09 UTC
Red Hat Product Errata  RHSA-2019:2609  None      None    None     2019-09-03 17:42:23 UTC
Red Hat Product Errata  RHSA-2019:2703  None      None    None     2019-09-10 19:00:11 UTC
Red Hat Product Errata  RHSA-2019:2741  None      None    None     2019-09-11 16:42:08 UTC
Red Hat Product Errata  RHSA-2019:2945  None      None    None     2019-10-01 07:59:22 UTC
Red Hat Product Errata  RHSA-2019:3217  None      None    None     2019-10-29 12:55:41 UTC

Description msiddiqu 2019-04-18 12:21:41 UTC
If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out, although we believe it is unlikely.

Introduced in:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3021ad9a4f009265e6063e617fb91306980af16c

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5e2423164b3670e8bc9174e4762d297990deff

External References:

https://kb.cert.org/vuls/id/166939/

https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html#cve-2019-9500-heap-buffer-overflow-in-brcmf-wowl-nd-results

https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/

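The bug class behind this CVE is a length field supplied by the chipset firmware being trusted when an SSID is copied into a fixed-size heap object on the host; the upstream patch linked above limits the firmware-supplied SSID length to IEEE80211_MAX_SSID_LEN. The C model below is an added illustration written for this page, not brcmfmac code: the event layout (one length byte followed by SSID bytes), the struct nd_result record, the function names fill_result_trusting, fill_result_clamped, count_clobbered_guard, stored_len_after and truncated_event_rejected, and the 60-byte event are all constructed assumptions. Only IEEE80211_MAX_SSID_LEN (32) is the real 802.11 limit. The record is placed in a heap arena with a guard region after it so the overflow can be observed without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IEEE80211_MAX_SSID_LEN 32   /* 802.11 SSID limit; same constant the driver uses */

/* Host-side heap record filled from a firmware event (illustrative layout,
 * an assumption of this example). It is allocated with room for a
 * maximum-length SSID after the two header bytes. */
struct nd_result {
    uint8_t channel;
    uint8_t ssid_len;
    uint8_t ssid[];
};

/* Firmware event body as modelled here (assumption): ev[0] is the SSID length
 * claimed by the chipset, ev[1..n] the SSID. A compromised chipset, or a
 * spoofed event frame, controls both. */

/* Vulnerable variant: copies however many bytes the firmware claims. */
void fill_result_trusting(struct nd_result *dst, const uint8_t *ev)
{
    dst->ssid_len = ev[0];
    memcpy(dst->ssid, ev + 1, ev[0]);   /* heap overflow whenever ev[0] > 32 */
}

/* Hardened variant: clamp the claimed length to the 802.11 maximum, as the
 * upstream fix does, and additionally (this example's own check) refuse an
 * event that is shorter than the SSID it claims to carry. */
int fill_result_clamped(struct nd_result *dst, const uint8_t *ev, size_t ev_len)
{
    uint8_t n;

    if (ev_len < 1)
        return -1;
    n = ev[0];
    if (n > IEEE80211_MAX_SSID_LEN)
        n = IEEE80211_MAX_SSID_LEN;
    if ((size_t)n + 1 > ev_len)
        return -1;                      /* claimed SSID runs past the event */
    dst->ssid_len = n;
    memcpy(dst->ssid, ev + 1, n);
    return 0;
}

#define CLAIMED_LEN 60                  /* constructed: > IEEE80211_MAX_SSID_LEN */
#define GUARD_LEN   64
#define GUARD_BYTE  0xA5

/* Build a constructed malicious event claiming a 60-byte SSID, place an
 * nd_result in a heap arena followed by a guard region, run the chosen
 * variant and count guard bytes that were overwritten (0 = no overflow).
 * *out_len, if non-NULL, receives the ssid_len the variant stored. */
size_t count_clobbered_guard(int use_hardened, uint8_t *out_len)
{
    uint8_t event[1 + CLAIMED_LEN];
    size_t slot = sizeof(struct nd_result) + IEEE80211_MAX_SSID_LEN;
    uint8_t *arena;
    struct nd_result *res;
    size_t i, clobbered = 0;

    event[0] = CLAIMED_LEN;
    memset(event + 1, 'A', CLAIMED_LEN);

    arena = calloc(1, slot + GUARD_LEN);
    if (!arena)
        return (size_t)-1;
    memset(arena + slot, GUARD_BYTE, GUARD_LEN);
    res = (struct nd_result *)arena;

    if (use_hardened)
        fill_result_clamped(res, event, sizeof event);
    else
        fill_result_trusting(res, event);

    for (i = 0; i < GUARD_LEN; i++)
        if (arena[slot + i] != GUARD_BYTE)
            clobbered++;
    if (out_len)
        *out_len = res->ssid_len;
    free(arena);
    return clobbered;
}

/* The ssid_len the chosen variant stores for the constructed event. */
unsigned stored_len_after(int use_hardened)
{
    uint8_t n = 0;
    count_clobbered_guard(use_hardened, &n);
    return n;
}

/* A truncated event (claims 5 SSID bytes, delivers 2) must be rejected. */
int truncated_event_rejected(void)
{
    uint8_t ev[3] = { 5, 'x', 'y' };
    uint8_t buf[sizeof(struct nd_result) + IEEE80211_MAX_SSID_LEN];
    return fill_result_clamped((struct nd_result *)buf, ev, sizeof ev) == -1;
}

int main(void)
{
    size_t bad = count_clobbered_guard(0, NULL);
    size_t good = count_clobbered_guard(1, NULL);
    printf("trusting copy: %zu guard bytes clobbered, stored len %u\n", bad, stored_len_after(0));
    printf("clamped copy : %zu guard bytes clobbered, stored len %u\n", good, stored_len_after(1));
    printf("truncated event rejected: %d\n", truncated_event_rejected());
    return 0;
}
```

The trusting copy writes 60 bytes into a 32-byte slot, so 28 bytes land in whatever the allocator placed after the record; in a real kernel heap that is a neighbouring object, which is what makes the bug more than a crash. Note that the clamp alone only stops the write from exceeding the slot; the event-length check is what stops an over-read of the event buffer, and the clamp also silently truncates a bogus length rather than dropping the event, which is the trade-off the upstream approach makes.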
Comment 1 msiddiqu 2019-04-18 12:22:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1701225]

Comment 2 Fedora Update System 2019-04-25 01:33:37 UTC
kernel-5.0.9-200.fc29, kernel-headers-5.0.9-200.fc29, kernel-tools-5.0.9-200.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2019-04-25 23:24:30 UTC
kernel-5.0.9-100.fc28, kernel-headers-5.0.9-100.fc28, kernel-tools-5.0.9-100.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 errata-xmlrpc 2019-09-03 17:41:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2600 https://access.redhat.com/errata/RHSA-2019:2600

Comment 12 errata-xmlrpc 2019-09-03 17:42:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2609 https://access.redhat.com/errata/RHSA-2019:2609

Comment 13 Product Security DevOps Team 2019-09-04 13:07:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9500

Comment 14 errata-xmlrpc 2019-09-10 19:00:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703

Comment 18 errata-xmlrpc 2019-09-11 16:42:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741

Comment 26 errata-xmlrpc 2019-10-01 07:59:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2945 https://access.redhat.com/errata/RHSA-2019:2945

Comment 29 errata-xmlrpc 2019-10-29 12:55:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217
