CVE-2016-0801
Published: 2016-02-07
Priority: P2 (70) · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see references)
EPSS: 33.37% (98.2th percentile)
The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 9.2.1 | — |
| apple | mac_os_x | <= 10.11.3 | — |
| apple | os_x_el_capitan_v10.11.4_and_security_update_2016-002 | — | — |
| apple | tvos | <= 9.1 | — |
| apple | tvos | — | — |
| apple | watchos | <= 2.1 | — |
| apple | watchos | — | — |
| debian | firmware-nonfree | < 20180518-1 (bookworm) | 20180518-1 (bookworm) |
| android | — | — | — |
| android | — | — | — |
| android | — | — | — |
| android | — | — | — |
| android | — | — | — |
| android | — | — | — |
Detection & IOCs (extracted from sources)
- Monitor Wi-Fi traffic for 802.11 Probe Response frames (subtype 0x05) containing oversized WPS device_name fields (>100 characters) in the Vendor Specific IE (OUI: Microsoft / WPS OUI type 0x04). Such frames are the exploit delivery mechanism.
- The exploit requires the attacking interface to be in monitor mode (IW_MODE_MONITOR) and uses raw AF_PACKET/SOCK_RAW sockets with EtherType 0x0300 to inject crafted 802.11 frames.
- The exploit targets Android devices running Broadcom Wi-Fi drivers on versions 4.4.4, 5.0, 5.1.1, 6.0, and 6.0.1; flag unpatched devices in these version ranges as high-risk.
- The exploit broadcasts packets to the broadcast MAC (ff:ff:ff:ff:ff:ff), meaning any vulnerable Broadcom Wi-Fi device within radio range, not just a targeted MAC, may be affected. The DESTINATION_MAC in the PoC is configurable.
- The attacking interface must be placed in monitor mode for the exploit to work; standard managed-mode interfaces cannot inject the raw 802.11 Probe Response frames required.
- The vulnerability is in the Broadcom Wi-Fi kernel driver and is triggered passively: the victim device only needs to be scanning for Wi-Fi networks (receiving Probe Responses), requiring no user interaction.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 8.3 | HIGH | AV:A/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 5.4 | MEDIUM | — |
Red Hat
squid: Cache poisoning issue in HTTP Request handling
vendor_redhat · 2016-05-06 · CVSS 5.4
CVE-2016-4553 [MEDIUM] CWE-20
client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.
An input validation flaw was found in the way Squid handled intercepted HTTP Request messages. An attacker could use this flaw to bypass the protection against issues related to CVE-2009-0801, and perform cache poisoning attacks on Squid.
Package: squid (Red Hat Enterprise Linux 5) - Not affected
Package: squid (Red Hat Enterprise Linux 6) - Not affected
Android
CVE-2016-0801: Android Security Bulletin 2016-02-01
vendor_android · 2016-02-01 · CVSS 9.8 · CRITICAL
CVE: CVE-2016-0801
Severity: CRITICAL
Affected AOSP versions: 4.4.4, 5.0, 5.1.1, 6.0, 6.0.1
Debian
CVE-2016-0801: firmware-nonfree
vendor_debian · 2016 · CVSS 9.8 · CRITICAL
The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.
Scope: local
bookworm: resolved (fixed in 20180518-1)
bullseye: resolved (fixed in 20180518-1)
forky: resolved (fixed in 20180518-1)
sid: resolved (fixed in 20180518-1)
trixie: resolved (fixed in 20180518-1)
Apple
CVE-2016-0801: iOS 9.3
vendor_apple · CVSS 9.8 · CRITICAL
Apple Security Update: About the security content of iOS 9.3
Product: iOS
Version: 9.3
CVE: CVE-2016-0801
Component: CVE-ID
Apple
CVE-2016-0801: watchOS 2.2
vendor_apple · CVSS 9.8 · CRITICAL
Apple Security Update: About the security content of watchOS 2.2
Product: watchOS
Version: 2.2
CVE: CVE-2016-0801
Component: CVE-ID
Apple
CVE-2016-0801: tvOS 9.2
vendor_apple · CVSS 9.8 · CRITICAL
Apple Security Update: About the security content of tvOS 9.2
Product: tvOS
Version: 9.2
CVE: CVE-2016-0801
Component: CVE-ID
Apple
CVE-2016-0801: OS X El Capitan v10.11.4 and Security Update 2016-002
vendor_apple · CVSS 9.8 · CRITICAL
Apple Security Update: About the security content of OS X El Capitan v10.11.4 and Security Update 2016-002
Product: OS X El Capitan v10.11.4 and Security Update 2016-002
CVE: CVE-2016-0801
Component: CVE-ID
GHSA
GHSA-f9jm-8gc5-4v7g
ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-20
The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.
OSV
CVE-2016-0801
osv · 2016-02-07 · CVSS 9.8 · CRITICAL
The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029.
No detection rules found.
References
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
- http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
- http://source.android.com/security/bulletin/2016-02-01.html
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2016-004.txt
- http://www.securitytracker.com/id/1035353
- https://lists.debian.org/debian-lts-announce/2018/11/msg00015.html
- https://support.apple.com/HT206166
- https://support.apple.com/HT206167
- https://support.apple.com/HT206168
- https://support.apple.com/HT206169
- https://www.exploit-db.com/exploits/39801/
Published: 2016-02-07