CVE-2019-9503

Published: Jan 16, 2020Modified: Nov 21, 2024

8.3

Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 6.0

Source: NVD

Description

The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.

Affected (3)

Products: Broadcom: Brcmfmac Driver · Redhat: Enterprise Linux

1 product

Brcmfmac Driver

1 product

Enterprise Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Broadcom Brcmfmac Driver	All versions

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (14)

https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html

Source: cret@cert.org

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1701842

Source: cret@cert.org

Issue TrackingThird Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1132828

Source: cret@cert.org

Issue TrackingThird Party Advisory

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4176ec356c73a46c07c181c6d04039fafa34a9f

Source: cret@cert.org

PatchThird Party Advisory

https://kb.cert.org/vuls/id/166939/

Source: cret@cert.org

Third Party AdvisoryUS Government Resource

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9503.html

Source: cret@cert.org

Third Party Advisory

https://security-tracker.debian.org/tracker/CVE-2019-9503

Source: cret@cert.org

Third Party Advisory

https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1701842

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1132828

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4176ec356c73a46c07c181c6d04039fafa34a9f

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://kb.cert.org/vuls/id/166939/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9503.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security-tracker.debian.org/tracker/CVE-2019-9503

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.