Vulnerabilities related to broadcom - bcm4339
var-202002-0375
Vulnerability from variot

The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. Multiple vulnerabilities exist in the Broadcom wl driver and the open source brcmfmac driver for Broadcom Wi-Fi chipsets. Broadcom wl driver vulnerabilities: two heap buffer overflows exist in the client when it parses EAPOL message 3 during the 4-way handshake with the access point (AP). When the driver is used with a FullMAC chipset, these buffer overflows occur in the chipset firmware. Vulnerabilities in the open source brcmfmac driver: the brcmfmac driver works only with Broadcom FullMAC chipsets. Frame verification bypass - CVE-2019-9503: the is_wlc_event_frame function is designed to discard a firmware event frame that the brcmfmac driver receives from a remote source, and to call the appropriate handler when a firmware event frame is received from the host. However, when the bus connecting the chipset is USB (for example, a Wi-Fi dongle), this frame verification may be bypassed and firmware event frames from remote sources may be processed. Heap buffer overflow - CVE-2019-9500: if the Wake-up on Wireless LAN feature is enabled, processing a specially crafted event frame may cause a heap buffer overflow in the brcmf_wowl_nd_results function. Combined with the frame verification bypass (CVE-2019-9503), it can be exploited for remote attacks. Processing crafted Wi-Fi frames can cause a denial-of-service (DoS) condition. In some situations, arbitrary code may be executed.
Attackers may exploit these issues to execute arbitrary code within the context of the affected application. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0375",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "router manager",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "synology",
        "version": "1.2"
      },
      {
        "model": "bcm4339",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "apple",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "synology",
        "version": null
      },
      {
        "model": "driver",
        "scope": null,
        "trust": 0.8,
        "vendor": "brcmfmac",
        "version": null
      },
      {
        "model": "w1 driver",
        "scope": null,
        "trust": 0.8,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": "wifi driver",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "broadcom",
        "version": "0"
      },
      {
        "model": "bcm4352",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "broadcom",
        "version": "6.30.223.0"
      },
      {
        "model": "bcm43236",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "broadcom",
        "version": "6.37.14.105"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:synology:router_manager:1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:broadcom:bcm4339_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:broadcom:bcm4339:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Hugues Anguelkov",
    "sources": [
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2019-9502",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "VHN-160937",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:A/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "CVE-2019-9502",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "author": "cret@cert.org",
            "availabilityImpact": "HIGH",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-9502",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "cret@cert.org",
            "id": "CVE-2019-9502",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201904-964",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-160937",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2019-9502",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9502"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. Broadcom Made Wi-Fi For chipset Broadcom wl Drivers and open source brcmfmac There are multiple vulnerabilities in the driver. Broadcom wl Driver vulnerabilities : Client is an access point (AP) To do with 4-way During handshake EAPOL message 3 In the analysis process of 2 There are two heap buffer overflows. FullMAC When used in a chipset, these buffer overflows occur in the chipset firmware. Open source brcmfmac Vulnerability present in the driver : brcmfmac Driver is Broadcom FullMAC This driver works only with the chipset. Vulnerability to avoid frame verification - CVE-2019-9503 brcmfmac If the driver receives a firmware event frame from a remote source, is_wlc_event_frame This function is designed to discard this frame and call the appropriate handler when a firmware event frame is received from the host. However, the bus connecting the chipset USB in the case of ( For example Wi-Fi Dongle etc. ) , The frame verification process according to the above source may be bypassed and firmware event frames from remote sources may be processed. Heap buffer overflow - CVE-2019-9500 Wake-up on Wireless LAN If the feature is enabled, by processing a specially crafted event frame, brcmf_wowl_nd_results A heap buffer overflow may occur in the function. Also, the vulnerability of frame verification avoidance (CVE-2019-9503) By combining with, it can be exploited for remote attacks.Crafted Wi-Fi Denial of service by processing frames (DoS) It can cause a condition. In some situations, arbitrary code may be executed. 
\nAttackers may exploit these issues to execute arbitrary code within the  context of the affected application. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9502"
      }
    ],
    "trust": 2.79
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#166939",
        "trust": 3.7
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "108013",
        "trust": 1.0
      },
      {
        "db": "JVN",
        "id": "JVNVU90663693",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.0610",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2309",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.0614",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.0215",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-160937",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9502",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9502"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ]
  },
  "id": "VAR-202002-0375",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-160937"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-26T22:39:51.191000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Connecting Everything ",
        "trust": 0.8,
        "url": "https://www.broadcom.com/"
      },
      {
        "title": "Broadcom WiFi Chipset Drivers Buffer error vulnerability fix",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91777"
      },
      {
        "title": "The Register",
        "trust": 0.2,
        "url": "https://www.theregister.co.uk/2020/07/15/july_2020_patch_tuesday/"
      },
      {
        "title": "Huawei Security Advisories: Security Advisory - Two Heap Buffer Overflow Vulnerabilities in Broadcom WiFi Chipset Drivers",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=huawei_security_advisories\u0026qid=a3f3540316426ad86e8026fbac500d9a"
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/lnick2023/nicenice "
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/xbl3/awesome-cve-poc_qazbnm456 "
      },
      {
        "title": "PoC in GitHub",
        "trust": 0.1,
        "url": "https://github.com/0xt11/cve-poc "
      },
      {
        "title": "PoC in GitHub",
        "trust": 0.1,
        "url": "https://github.com/developer3000s/poc-in-github "
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/qazbnm456/awesome-cve-poc "
      },
      {
        "title": "PoC in GitHub",
        "trust": 0.1,
        "url": "https://github.com/hectorgie/poc-in-github "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2019-9502"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-787",
        "trust": 1.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.7,
        "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
      },
      {
        "trust": 1.8,
        "url": "https://kb.cert.org/vuls/id/166939/"
      },
      {
        "trust": 1.7,
        "url": "https://www.kb.cert.org/vuls/id/166939/"
      },
      {
        "trust": 0.9,
        "url": "http://www.linux.org/"
      },
      {
        "trust": 0.9,
        "url": "https://www.synology.com/en-global/security/advisory/synology_sa_19_18"
      },
      {
        "trust": 0.8,
        "url": "https://lore.kernel.org/linux-wireless/1550148232-4309-1-git-send-email-arend.vanspriel@broadcom.com"
      },
      {
        "trust": 0.8,
        "url": "https://broadcom.com/"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/linus/a4176ec356c73a46c07c181c6d04039fafa34a9f"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff"
      },
      {
        "trust": 0.8,
        "url": "https://www.synology.com/security/advisory/synology_sa_19_18"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9500"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9501"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9502"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9503"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu90663693/"
      },
      {
        "trust": 0.8,
        "url": "https://lore.kernel.org/linux-wireless/1550148232-4309-1-git-send-email-arend.vanspriel@broadcom.com/"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4176ec356c73a46c07c181c6d04039fafa34a9f"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5e2423164b3670e8bc9174e4762d297990deff"
      },
      {
        "trust": 0.7,
        "url": "https://www.securityfocus.com/bid/108013"
      },
      {
        "trust": 0.6,
        "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190017"
      },
      {
        "trust": 0.6,
        "url": "https://source.android.com/security/bulletin/2020-07-01"
      },
      {
        "trust": 0.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9502"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/google-android-pixel-multiple-vulnerabilities-of-july-2020-32744"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2309/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.0614"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.0215"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.0610"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/787.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.kb.cert.org/vuls/id/166939"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9502"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9502"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-17T00:00:00",
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "date": "2020-02-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "date": "2020-02-03T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-9502"
      },
      {
        "date": "2019-04-17T00:00:00",
        "db": "BID",
        "id": "108013"
      },
      {
        "date": "2019-04-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "date": "2020-02-03T21:15:11.547000",
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "date": "2019-04-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-23T00:00:00",
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "date": "2020-02-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-160937"
      },
      {
        "date": "2020-02-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-9502"
      },
      {
        "date": "2019-04-17T00:00:00",
        "db": "BID",
        "id": "108013"
      },
      {
        "date": "2019-04-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "date": "2020-02-10T14:31:55.877000",
        "db": "NVD",
        "id": "CVE-2019-9502"
      },
      {
        "date": "2022-03-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote or local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Broadcom WiFi chipset drivers contain multiple vulnerabilities",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-964"
      }
    ],
    "trust": 0.6
  }
}

var-202002-0374
Vulnerability from variot

The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. Multiple vulnerabilities exist in the Broadcom wl driver and the open source brcmfmac driver for Broadcom Wi-Fi chipsets. Broadcom wl driver vulnerabilities: two heap buffer overflows exist in the client when it parses EAPOL message 3 during the 4-way handshake with the access point (AP). When the driver is used with a FullMAC chipset, these buffer overflows occur in the chipset firmware. Vulnerabilities in the open source brcmfmac driver: the brcmfmac driver works only with Broadcom FullMAC chipsets. Frame verification bypass - CVE-2019-9503: the is_wlc_event_frame function is designed to discard a firmware event frame that the brcmfmac driver receives from a remote source, and to call the appropriate handler when a firmware event frame is received from the host. However, when the bus connecting the chipset is USB (for example, a Wi-Fi dongle), this frame verification may be bypassed and firmware event frames from remote sources may be processed. Heap buffer overflow - CVE-2019-9500: if the Wake-up on Wireless LAN feature is enabled, processing a specially crafted event frame may cause a heap buffer overflow in the brcmf_wowl_nd_results function. Combined with the frame verification bypass (CVE-2019-9503), it can be exploited for remote attacks. Processing crafted Wi-Fi frames can cause a denial-of-service (DoS) condition. In some situations, arbitrary code may be executed.
Attackers may exploit these issues to execute arbitrary code within the context of the affected application. This vulnerability stems from incorrect validation of data boundaries when the network system or product performs operations on memory, resulting in incorrect read and write operations on other associated memory locations.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202002-0374",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "router manager",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "synology",
        "version": "1.2"
      },
      {
        "model": "bcm4339",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "apple",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "synology",
        "version": null
      },
      {
        "model": "driver",
        "scope": null,
        "trust": 0.8,
        "vendor": "brcmfmac",
        "version": null
      },
      {
        "model": "w1 driver",
        "scope": null,
        "trust": 0.8,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": "wifi driver",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "broadcom",
        "version": "0"
      },
      {
        "model": "bcm4352",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "broadcom",
        "version": "6.30.223.0"
      },
      {
        "model": "bcm43236",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "broadcom",
        "version": "6.37.14.105"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:synology:router_manager:1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:broadcom:bcm4339_firmware:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:broadcom:bcm4339:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Hugues Anguelkov",
    "sources": [
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2019-9501",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "VHN-160936",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:A/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "LOW",
            "accessVector": "ADJACENT_NETWORK",
            "authentication": "NONE",
            "author": "VULMON",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.5,
            "id": "CVE-2019-9501",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.1,
            "userInteractionRequired": null,
            "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "author": "cret@cert.org",
            "availabilityImpact": "HIGH",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-9501",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "cret@cert.org",
            "id": "CVE-2019-9501",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201904-965",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-160936",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2019-9501",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9501"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions. Broadcom Made Wi-Fi For chipset Broadcom wl Drivers and open source brcmfmac There are multiple vulnerabilities in the driver. Broadcom wl Driver vulnerabilities : Client is an access point (AP) To do with 4-way During handshake EAPOL message 3 In the analysis process of 2 There are two heap buffer overflows. FullMAC When used in a chipset, these buffer overflows occur in the chipset firmware. Open source brcmfmac Vulnerability present in the driver : brcmfmac Driver is Broadcom FullMAC This driver works only with the chipset. Vulnerability to avoid frame verification - CVE-2019-9503 brcmfmac If the driver receives a firmware event frame from a remote source, is_wlc_event_frame This function is designed to discard this frame and call the appropriate handler when a firmware event frame is received from the host. However, the bus connecting the chipset USB in the case of ( For example Wi-Fi Dongle etc. ) , The frame verification process according to the above source may be bypassed and firmware event frames from remote sources may be processed. Heap buffer overflow - CVE-2019-9500 Wake-up on Wireless LAN If the feature is enabled, by processing a specially crafted event frame, brcmf_wowl_nd_results A heap buffer overflow may occur in the function. Also, the vulnerability of frame verification avoidance (CVE-2019-9503) By combining with, it can be exploited for remote attacks.Crafted Wi-Fi Denial of service by processing frames (DoS) It can cause a condition. 
In some situations, arbitrary code may be executed. \nAttackers may exploit these issues to execute arbitrary code within the  context of the affected application. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9501"
      }
    ],
    "trust": 2.79
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#166939",
        "trust": 3.7
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "108013",
        "trust": 1.0
      },
      {
        "db": "JVN",
        "id": "JVNVU90663693",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.0610",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2309",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.0614",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.0215",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-160936",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9501",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9501"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ]
  },
  "id": "VAR-202002-0374",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-160936"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-26T19:32:31.882000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Connecting Everything ",
        "trust": 0.8,
        "url": "https://www.broadcom.com/"
      },
      {
        "title": "Broadcom WiFi Chipset Drivers Buffer error vulnerability fix",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=91778"
      },
      {
        "title": "The Register",
        "trust": 0.2,
        "url": "https://www.theregister.co.uk/2020/07/15/july_2020_patch_tuesday/"
      },
      {
        "title": "Huawei Security Advisories: Security Advisory - Two Heap Buffer Overflow Vulnerabilities in Broadcom WiFi Chipset Drivers",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=huawei_security_advisories\u0026qid=a3f3540316426ad86e8026fbac500d9a"
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/lnick2023/nicenice "
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/xbl3/awesome-cve-poc_qazbnm456 "
      },
      {
        "title": "PoC in GitHub",
        "trust": 0.1,
        "url": "https://github.com/0xt11/cve-poc "
      },
      {
        "title": "PoC in GitHub",
        "trust": 0.1,
        "url": "https://github.com/developer3000s/poc-in-github "
      },
      {
        "title": "Awesome CVE PoC",
        "trust": 0.1,
        "url": "https://github.com/qazbnm456/awesome-cve-poc "
      },
      {
        "title": "PoC in GitHub",
        "trust": 0.1,
        "url": "https://github.com/hectorgie/poc-in-github "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2019-9501"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-787",
        "trust": 1.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.7,
        "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
      },
      {
        "trust": 1.8,
        "url": "https://kb.cert.org/vuls/id/166939/"
      },
      {
        "trust": 1.7,
        "url": "https://www.kb.cert.org/vuls/id/166939/"
      },
      {
        "trust": 0.9,
        "url": "http://www.linux.org/"
      },
      {
        "trust": 0.9,
        "url": "https://www.synology.com/en-global/security/advisory/synology_sa_19_18"
      },
      {
        "trust": 0.8,
        "url": "https://lore.kernel.org/linux-wireless/1550148232-4309-1-git-send-email-arend.vanspriel@broadcom.com"
      },
      {
        "trust": 0.8,
        "url": "https://broadcom.com/"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/linus/a4176ec356c73a46c07c181c6d04039fafa34a9f"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff"
      },
      {
        "trust": 0.8,
        "url": "https://www.synology.com/security/advisory/synology_sa_19_18"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9500"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9501"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9502"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9503"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu90663693/"
      },
      {
        "trust": 0.8,
        "url": "https://lore.kernel.org/linux-wireless/1550148232-4309-1-git-send-email-arend.vanspriel@broadcom.com/"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4176ec356c73a46c07c181c6d04039fafa34a9f"
      },
      {
        "trust": 0.8,
        "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5e2423164b3670e8bc9174e4762d297990deff"
      },
      {
        "trust": 0.7,
        "url": "https://www.securityfocus.com/bid/108013"
      },
      {
        "trust": 0.6,
        "url": "https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190017"
      },
      {
        "trust": 0.6,
        "url": "https://source.android.com/security/bulletin/2020-07-01"
      },
      {
        "trust": 0.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9501"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/google-android-pixel-multiple-vulnerabilities-of-july-2020-32744"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2309/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.0614"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.0215"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.0610"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/787.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.kb.cert.org/vuls/id/166939"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9501"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-9501"
      },
      {
        "db": "BID",
        "id": "108013"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-17T00:00:00",
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "date": "2020-02-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "date": "2020-02-03T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-9501"
      },
      {
        "date": "2019-04-17T00:00:00",
        "db": "BID",
        "id": "108013"
      },
      {
        "date": "2019-04-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "date": "2020-02-03T21:15:11.487000",
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "date": "2019-04-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-04-23T00:00:00",
        "db": "CERT/CC",
        "id": "VU#166939"
      },
      {
        "date": "2020-02-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-160936"
      },
      {
        "date": "2020-02-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-9501"
      },
      {
        "date": "2019-04-17T00:00:00",
        "db": "BID",
        "id": "108013"
      },
      {
        "date": "2019-04-19T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-002702"
      },
      {
        "date": "2020-02-10T14:28:48.773000",
        "db": "NVD",
        "id": "CVE-2019-9501"
      },
      {
        "date": "2022-03-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote or local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Broadcom WiFi chipset drivers contain multiple vulnerabilities",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#166939"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-965"
      }
    ],
    "trust": 0.6
  }
}

var-201703-1161
Vulnerability from variot

Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC SoC chips, when the firmware supports CCKM Fast and Secure Roaming and the feature is enabled in RAM, allows remote attackers to execute arbitrary code via a crafted reassociation response frame with a Cisco IE (156). Broadcom BCM4339 SoC is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to run arbitrary code within the context of the affected application. Failed exploit attempts may result in denial-of-service conditions. BCM4339 6.37.34.40 is vulnerable; other versions may also be vulnerable. Broadcom: Stack buffer overflow when parsing CCKM reassociation response

CVE-2017-6957

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.

In order to allow fast roaming between access points in a wireless network, the Broadcom firmware supports Cisco's "CCKM Fast and Secure Roaming" feature, allowing a client to roam to a new AP quickly. Note this is a different implementation to IEEE 802.11r-2008 FT.

When a client decides to roam to a different AP in a CCKM network, they first send a reassociation request to the AP containing a Cisco-specific information element. This AP responds by sending a reassociation response frame also containing a Cisco-specific IE (156). This IE is then parsed by the firmware in order to make sure it is valid, before completing the reassociation process. A packet capture containing this process can be found here: https://mrncciew.files.wordpress.com/2014/09/7921-cckm-roaming-to-lap1.zip

On the BCM4339 SoC with firmware version 6.37.34.40 the reassociation response is handled by ROM function 0x78D04. This function first retrieves the Cisco-specific IE. Then, it proceeds to check that the IE is valid, by calling function 0x794F8. This function performs four validations:

  1. Bytes [2:4] of the IE match Cisco's OUI (00-40-96)
  2. Byte 5 of the IE is zero
  3. (IE[20] | (IE[21] << 8)) + 30 == IE[1] + 2 (where IE[1] is the IE's length field)
  4. Bytes [6:9] of the IE match bytes [14:17] of the IE in the reassociation request (see packet capture)

If the IE passes the checks described above, the function proceeds to call ROM function 0x79390. This function unpacks data from the IE, and has approximately the following high-level logic:

  /* Approximate high-level logic of ROM function 0x79390 as given in the
   * report: it copies fields of the Cisco IE into a 128-byte stack buffer.
   * NOTE(review): "void unk, char ie" have presumably lost their pointer
   * asterisks in extraction (ie is indexed and offset below) - confirm
   * against the original report. */
  1. void function_79390(void unk, char ie, char* buf) {
  2. char buffer[128];
  /* Fixed-size fields: the next six lines write 6 + 4 + 1 + 1 + 8 + 2 = 22 bytes. */
  3. memcpy(buffer, ..., 6); buffer += 6;
  4. memcpy(buffer, ie + 6, 4); buffer += 4;
  5. *buffer = ie[10]; buffer += 1;
  6. *buffer = ie[11]; buffer += 1;
  7. memcpy(buffer, ie + 12, 8); buffer += 8;
  8. memcpy(buffer, ie + 20, 2); buffer += 2;
  /* The surrounding text calls this copy "line 10"; it is numbered 9 in this
   * listing. The length is read from ie[20..21] and is not compared with the
   * space left in buffer (128 - 22 = 106 bytes); a bound check on that length
   * before the copy is the missing validation. */
  9. memcpy(buffer, ie + 30, ie[20] | (ie[21] << 8));
  10. }

As can be seen above, line 10 performs a memcpy into the stack-allocated buffer ("buffer"), using the value "ie[20] | (ie[21] << 8)" as the length field. However, as we've previously seen, the only validation performed on these two bytes is that:

(ie[20] | (ie[21] << 8)) + 30 == ie[1] + 2

This means an attacker could craft a reassociation response frame containing a Cisco IE (156) as follows:

  1. IE[2:4] = 0x00 0x40 0x96
  2. IE[5] = 0
  3. IE[20] | (IE[21] << 8) = 227
  4. IE[1] = 255
  5. IE[6:9] = REQIE[14:17]

This IE satisfies all the constraints validated by function 0x794F8. However, when the IE is then passed into function 0x79390, it will cause the memcpy operation at line 10 in the code above to exceed the buffer's bounds, triggering a stack buffer overflow with attacker-controlled data. It should be noted that there is no stack cookie mitigation in the BCM4339 firmware, meaning an attacker would not require an additional vulnerability primitive in order to gain code execution using this vulnerability.

I've verified this vulnerability statically on the BCM4339 chip with firmware version 6.37.34.40 (as present on the Nexus 5). However, I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Found by: laginimaineb



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201703-1161",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "bcm4339 soc",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "broadcom",
        "version": "6.37.34.40"
      },
      {
        "model": "bcm4339 soc",
        "scope": null,
        "trust": 0.8,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": "bcm4339",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "broadcom",
        "version": "6.37.34.40"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "97054"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:broadcom:bcm4339_soc_firmware:6.37.34.40:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:broadcom:bcm4339_soc:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "laginimaineb",
    "sources": [
      {
        "db": "BID",
        "id": "97054"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2017-6957",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.8,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2017-6957",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-115160",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.2,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.1,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2017-6957",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-6957",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201703-1167",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-115160",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC SoC chips, when the firmware supports CCKM Fast and Secure Roaming and the feature is enabled in RAM, allows remote attackers to execute arbitrary code via a crafted reassociation response frame with a Cisco IE (156). Broadcom BCM4339 SoC is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. \nAttackers can exploit this issue to run arbitrary code within the  context of the affected application. Failed exploit attempts may result  in  denial-of-service conditions. \nBCM4339 6.37.34.40 is vulnerable; other versions may also be vulnerable. Broadcom: Stack buffer overflow when parsing CCKM reassociation response \n\nCVE-2017-6957\n\n\nBroadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. \n\nIn order to allow fast roaming between access points in a wireless network, the Broadcom firmware supports Cisco\u0027s \"CCKM Fast and Secure Roaming\" feature, allowing a client to roam to a new AP quickly. Note this is a different implementation to IEEE 802.11r-2008 FT. \n\nWhen a client decides to roam to a different AP in a CCKM network, they first send a reassociation request to the AP containing a Cisco-specific information element. This AP responds by sending a reassociation response frame also containing a Cisco-specific IE (156). This IE is then parsed by the firmware in order to make sure it is valid, before completing the reassociation process. 
A packet capture containing this process can be found here: \u003ca href=\"https://mrncciew.files.wordpress.com/2014/09/7921-cckm-roaming-to-lap1.zip\" title=\"\" class=\"\" rel=\"nofollow\"\u003ehttps://mrncciew.files.wordpress.com/2014/09/7921-cckm-roaming-to-lap1.zip\u003c/a\u003e\n\nOn the BCM4339 SoC with firmware version 6.37.34.40 the reassociation response in handled by ROM function 0x78D04. This function first retrieves the Cisco-specific IE. Then, it proceeds to check that the IE is valid, by calling function 0x794F8. This function performs four validations:\n\n 1. Bytes [2:4] of the IE match Cisco\u0027s OUI (00-40-96)\n 2. Byte 5 of the IE is zero\n 3. (IE[20] | (IE[21] \u003c\u003c 8)) + 30 == IE[1] + 2 (where IE[1] is the IE\u0027s length field)\n 4. Bytes [6:9] of the IE match bytes [14:17] of the IE in the reassociation request (see packet capture)\n\nIf the IE passes the checks described above, the function proceeds to call ROM function 0x79390. This function unpacks data from the IE, and has approximately the following high-level logic:\n\n1.  void function_79390(void* unk, char* ie, char* buf) {\n2.      char buffer[128];\n3.      memcpy(buffer, ..., 6);      buffer += 6;\n4. \n5.      memcpy(buffer, ie + 6, 4);   buffer += 4;\n6.      *buffer = ie[10];            buffer += 1;\n7.      *buffer = ie[11];            buffer += 1;\n8.      memcpy(buffer, ie + 12, 8);  buffer += 8;\n9.      memcpy(buffer, ie + 20, 2);  buffer += 2;\n10.     memcpy(buffer, ie + 30, ie[20] | (ie[21] \u003c\u003c 8));\n11. \n12. }\n\nAs can be seen above, line 10 performs a memcpy into the stack-allocated buffer (\"buffer\"), using the value \"ie[20] | (ie[21] \u003c\u003c 8)\" as the length field. However, as we\u0027ve previously seen, the only validation performed on these two bytes is that:\n\n (ie[20] | (ie[21] \u003c\u003c 8)) + 30 == ie[1] + 2\n\nThis means an attacker could craft a reassociation response frame containing a Cisco IE (156) as follows:\n\n 1. 
IE[2:4] = 0x00 0x40 0x96\n 2. IE[5] = 0\n 3. IE[20] | (IE[21] \u003c\u003c 8) = 227\n 4. IE[1] = 255\n 5. IE[6:9] = REQIE[14:17]\n\nThis IE satisfies all the constraints validated by function 0x794F8. However, when the IE is the passed into function 0x79390, it will cause memcpy operation at line 10 in the code above to exceed the buffer\u0027s bounds, trigger a stack buffer overflow with attacker controlled data. It should be noted that there is no stack cookie mitigation in the BCM4339 firmware, meaning an attacker would not require an additional vulnerability primitive in order to gain code execution using this vulnerability. \n\nI\u0027ve verified this vulnerability statically on the BCM4339 chip with firmware version 6.37.34.40 (as present on the Nexus 5). However, I believe this vulnerability\u0027s scope includes a wider range of Broadcom SoCs and versions. \n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout a broadly available patch, then the bug report will automatically\nbecome visible to the public. \n\n\n\nFound by: laginimaineb\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "db": "BID",
        "id": "97054"
      },
      {
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "db": "PACKETSTORM",
        "id": "141803"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-6957",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "97054",
        "trust": 2.8
      },
      {
        "db": "PACKETSTORM",
        "id": "141803",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167",
        "trust": 0.7
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-92838",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-115160",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "db": "BID",
        "id": "97054"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "db": "PACKETSTORM",
        "id": "141803"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ]
  },
  "id": "VAR-201703-1161",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115160"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T13:53:04.668000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://jp.broadcom.com/"
      },
      {
        "title": "Issue 1051",
        "trust": 0.8,
        "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1051"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-119",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/97054"
      },
      {
        "trust": 1.7,
        "url": "http://packetstormsecurity.com/files/141803/broadcom-stack-buffer-overflow.html"
      },
      {
        "trust": 1.7,
        "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1051"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-6957"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6957"
      },
      {
        "trust": 0.3,
        "url": "http://www.broadcom.com/"
      },
      {
        "trust": 0.1,
        "url": "https://mrncciew.files.wordpress.com/2014/09/7921-cckm-roaming-to-lap1.zip\u003c/a\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://mrncciew.files.wordpress.com/2014/09/7921-cckm-roaming-to-lap1.zip\""
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "db": "BID",
        "id": "97054"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "db": "PACKETSTORM",
        "id": "141803"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "db": "BID",
        "id": "97054"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "db": "PACKETSTORM",
        "id": "141803"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-03-27T00:00:00",
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "date": "2017-03-23T00:00:00",
        "db": "BID",
        "id": "97054"
      },
      {
        "date": "2017-04-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "date": "2017-03-23T22:22:22",
        "db": "PACKETSTORM",
        "id": "141803"
      },
      {
        "date": "2017-03-27T14:59:00.227000",
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "date": "2017-03-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-03-31T00:00:00",
        "db": "VULHUB",
        "id": "VHN-115160"
      },
      {
        "date": "2017-03-29T00:01:00",
        "db": "BID",
        "id": "97054"
      },
      {
        "date": "2017-04-27T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      },
      {
        "date": "2017-03-31T11:37:23.723000",
        "db": "NVD",
        "id": "CVE-2017-6957"
      },
      {
        "date": "2017-03-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Broadcom Wi-Fi HardMAC SoC Chip firmware stack-based buffer overflow vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-002752"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "buffer overflow",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-1167"
      }
    ],
    "trust": 0.6
  }
}

Vulnerability from fkie_nvd
Published
2020-02-03 21:15
Modified
2024-11-21 04:51
Summary
The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synology:router_manager:1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "85F6D2BF-23EA-4D44-8126-64EA85184D38",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:broadcom:bcm4339_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA080644-56DF-456F-BA3C-DF5C1A4AEE51",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:broadcom:bcm4339:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A42BC9D-B62C-444D-A20B-5D6190797697",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions."
    },
    {
      "lang": "es",
      "value": "El controlador Broadcom wl WiFi es vulnerable a un desbordamiento del b\u00fafer de la pila. Si la longitud de los datos del elemento de informaci\u00f3n de proveedor es mayor que 164 bytes, un desbordamiento del b\u00fafer de la pila es desencadenado en la funci\u00f3n wlc_wpa_plumb_gtk. En el peor de los casos, mediante el env\u00edo de paquetes WiFi especialmente dise\u00f1ados, un atacante remoto no autenticado puede ejecutar c\u00f3digo arbitrario en un sistema vulnerable. M\u00e1s com\u00fanmente, esta vulnerabilidad resultar\u00e1 en condiciones de denegaci\u00f3n de servicio."
    }
  ],
  "id": "CVE-2019-9502",
  "lastModified": "2024-11-21T04:51:44.727",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 8.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.9,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 6.0,
        "source": "cret@cert.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-03T21:15:11.547",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/166939/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/166939/"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-122"
        }
      ],
      "source": "cret@cert.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-02-03 21:15
Modified
2024-11-21 04:51
Summary
The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
Impacted products



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synology:router_manager:1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "85F6D2BF-23EA-4D44-8126-64EA85184D38",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:broadcom:bcm4339_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA080644-56DF-456F-BA3C-DF5C1A4AEE51",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:broadcom:bcm4339:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A42BC9D-B62C-444D-A20B-5D6190797697",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions."
    },
    {
      "lang": "es",
      "value": "El controlador Broadcom wl WiFi es vulnerable a un desbordamiento del b\u00fafer de la memoria din\u00e1mica (heap). Al proporcionar un elemento de informaci\u00f3n de proveedor con una longitud de datos mayor de 32 bytes, un desbordamiento del b\u00fafer de la memoria din\u00e1mica (heap) es desencadenado en la funci\u00f3n wlc_wpa_sup_eapol. En el peor de los casos, mediante el env\u00edo de paquetes WiFi especialmente dise\u00f1ados, un atacante remoto no autenticado puede ejecutar c\u00f3digo arbitrario en un sistema vulnerable. M\u00e1s com\u00fanmente, esta vulnerabilidad resultar\u00e1 en condiciones de denegaci\u00f3n de servicio."
    }
  ],
  "id": "CVE-2019-9501",
  "lastModified": "2024-11-21T04:51:44.607",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 8.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 6.5,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.9,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 6.0,
        "source": "cret@cert.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-03T21:15:11.487",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/166939/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/166939/"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-122"
        }
      ],
      "source": "cret@cert.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cve-2019-9501
Vulnerability from cvelistv5
Published
2020-02-03 21:00
Modified
2024-08-04 21:54
Summary
The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
Impacted products
Vendor Product Version
Broadcom WiFi drivers Version: wl


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:54:44.121Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kb.cert.org/vuls/id/166939/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WiFi drivers",
          "vendor": "Broadcom",
          "versions": [
            {
              "status": "affected",
              "version": "wl"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-03T21:00:19",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kb.cert.org/vuls/id/166939/"
        }
      ],
      "source": {
        "advisory": "VU#166939",
        "discovery": "UNKNOWN"
      },
      "title": "Broadcom wl driver is vulnerable to heap buffer overflow",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2019-9501",
          "STATE": "PUBLIC",
          "TITLE": "Broadcom wl driver is vulnerable to heap buffer overflow"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WiFi drivers",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "wl"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Broadcom"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-122 Heap-based Buffer Overflow"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html",
              "refsource": "MISC",
              "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
            },
            {
              "name": "https://kb.cert.org/vuls/id/166939/",
              "refsource": "MISC",
              "url": "https://kb.cert.org/vuls/id/166939/"
            }
          ]
        },
        "source": {
          "advisory": "VU#166939",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2019-9501",
    "datePublished": "2020-02-03T21:00:19",
    "dateReserved": "2019-03-01T00:00:00",
    "dateUpdated": "2024-08-04T21:54:44.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2019-9502
Vulnerability from cvelistv5
Published
2020-02-03 21:00
Modified
2024-08-04 21:54
Summary
The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
Impacted products
Vendor Product Version
Broadcom WiFi drivers Version: wl


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:54:44.149Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://kb.cert.org/vuls/id/166939/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WiFi drivers",
          "vendor": "Broadcom",
          "versions": [
            {
              "status": "affected",
              "version": "wl"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-03T21:00:20",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://kb.cert.org/vuls/id/166939/"
        }
      ],
      "source": {
        "advisory": "VU#166939",
        "discovery": "UNKNOWN"
      },
      "title": "Broadcom wl driver is vulnerable to heap buffer overflow",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2019-9502",
          "STATE": "PUBLIC",
          "TITLE": "Broadcom wl driver is vulnerable to heap buffer overflow"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WiFi drivers",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "wl"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Broadcom"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-122 Heap-based Buffer Overflow"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html",
              "refsource": "MISC",
              "url": "https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html"
            },
            {
              "name": "https://kb.cert.org/vuls/id/166939/",
              "refsource": "MISC",
              "url": "https://kb.cert.org/vuls/id/166939/"
            }
          ]
        },
        "source": {
          "advisory": "VU#166939",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2019-9502",
    "datePublished": "2020-02-03T21:00:20",
    "dateReserved": "2019-03-01T00:00:00",
    "dateUpdated": "2024-08-04T21:54:44.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}