If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out, although we believe it is unlikely.

Introduced in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3021ad9a4f009265e6063e617fb91306980af16c

An upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5e2423164b3670e8bc9174e4762d297990deff

External References:
https://kb.cert.org/vuls/id/166939/
https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html#cve-2019-9500-heap-buffer-overflow-in-brcmf-wowl-nd-results
https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/
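The bug class described above, as an added example that is not part of the original report and is not the brcmfmac code: a host-side parser that validates a chipset-supplied length before copying into a fixed-size buffer. It assumes the overflow comes from an unchecked length field in the event frame; the frame layout, struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SSID_LEN 32 /* maximum SSID length in 802.11 */

/* Hypothetical host-side record filled in from a firmware event. */
struct nd_result {
    uint8_t ssid[MAX_SSID_LEN];
    uint8_t ssid_len;
};

/*
 * Assumed (constructed) frame layout: byte 0 is the SSID length, the SSID
 * bytes follow. Every byte comes from the chipset, so none of it is trusted.
 * Returns 0 on success, -1 if the frame is rejected.
 */
int nd_result_from_event(struct nd_result *out, const uint8_t *frame,
                         size_t frame_len)
{
    if (out == NULL || frame == NULL || frame_len < 1)
        return -1;                 /* no length byte at all */
    size_t ssid_len = frame[0];

    /* Unsafe form: memcpy(out->ssid, frame + 1, frame[0]);
     * a length above MAX_SSID_LEN writes past the end of out->ssid. */
    if (ssid_len > MAX_SSID_LEN)
        return -1;                 /* would overflow the destination */
    if (ssid_len > frame_len - 1)
        return -1;                 /* would read past the received frame */

    memset(out, 0, sizeof(*out));
    memcpy(out->ssid, frame + 1, ssid_len);
    out->ssid_len = (uint8_t)ssid_len;
    return 0;
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    const uint8_t good[] = { 4, 't', 'e', 's', 't' };
    uint8_t oversized[256] = { 200 };
    struct nd_result r;

    printf("good: %d\n", nd_result_from_event(&r, good, sizeof(good)));
    printf("oversized: %d\n", nd_result_from_event(&r, oversized, sizeof(oversized)));
    return 0;
}
```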
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1701225]
kernel-5.0.9-200.fc29, kernel-headers-5.0.9-200.fc29, kernel-tools-5.0.9-200.fc29 have been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
kernel-5.0.9-100.fc28, kernel-headers-5.0.9-100.fc28, kernel-tools-5.0.9-100.fc28 have been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2600 https://access.redhat.com/errata/RHSA-2019:2600
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2609 https://access.redhat.com/errata/RHSA-2019:2609
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9500
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2945 https://access.redhat.com/errata/RHSA-2019:2945
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3217 https://access.redhat.com/errata/RHSA-2019:3217
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:4168 https://access.redhat.com/errata/RHSA-2019:4168
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2019:4171 https://access.redhat.com/errata/RHSA-2019:4171