If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed and this can result in denial of service (DoS) condition. Introduced in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=5b435de0d786869c95d1962121af0d7df2542009 An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a4176ec356c73a46c07c181c6d04039fafa34a9f External References: https://kb.cert.org/vuls/id/166939/ https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html#cve-2019-9503-remotely-sending-firmware-events-bypassing-is-wlc-event-frame https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1701843]
Note: This vulnerability was originally called CVE-2019-8564 by mistake.
kernel-5.0.11-100.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2741 https://access.redhat.com/errata/RHSA-2019:2741
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9503
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1016 https://access.redhat.com/errata/RHSA-2020:1016
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1070 https://access.redhat.com/errata/RHSA-2020:1070
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:2522 https://access.redhat.com/errata/RHSA-2020:2522