CVE-2017-0561
Published: 2017-04-07
Priority: P275 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: EPSS 30.03% (98.0th percentile)
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199105. References: B-RB#110814.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firmware-nonfree | < firmware-nonfree 20180518-1 (bookworm) | firmware-nonfree 20180518-1 (bookworm) |
| android | — | — | — |
| google_inc | android | — | — |
| google_inc | android | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
Detection & IOCs (extracted from sources)
- Detect oversized Fast Transition IE (tag 55) in TDLS Teardown frames: a length field of 255 (ft_ie[1] = 0xFF) triggers the heap overflow in wlc_tdls_cal_teardown_mic_chk on BCM firmware.
- Detect oversized RSN IE (tag 48) in TDLS Setup Confirm (M3) frames: an abnormally large RSN IE length that causes rsn_ie[1] + 2 + (pos - buffer) == 0xFF triggers the heap overflow in wlc_tdls_cal_mic_chk.
- Monitor for TDLS connections being established automatically without user interaction: BCM firmware accepts all TDLS Setup Requests autonomously, making any peer on the same network a potential attacker.
- Alert on unexpected Wi-Fi SoC resets (BCM firmware crash/reset) on devices with BCM4339 or BCM4358 chips: heap corruption from the overflow causes the remote BCM SoC to reset.
- Detect TDLS frames with action code 127: this non-standard action code is used by the exploit to manipulate heap freelist chunks and ultimately redirect a timer handler for code execution.
- Flag use of a modified wpa_supplicant 2.6 sending crafted TDLS Teardown or Setup Confirm frames: exploitation requires a patched wpa_supplicant and Linux kernel (mac80211) to send malformed TDLS frames.
- The BCM firmware heap does not implement safe unlinking or heap header cookies, making heap overflows significantly easier to exploit reliably on affected devices.
- The BCM firmware heap is zero-initialized; '00 00' is NOP (MOVS R0,R0) in Thumb, which the exploit leverages to safely jump to shellcode placed on the heap.
- In the TDLS Setup Confirm overflow (CVE-2017-0561 / issue #1047), the Anonce bytes (FTIE bytes 20–52) are not attacker-controlled since they are chosen by the responder, but the Snonce (bytes 52–84) is fully attacker-controlled.
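The first two detection hints above describe malformed IE lengths in TDLS Teardown and Setup Confirm frames, and a later one a non-standard action code. The following Python script is an added example, not code from this page or from any of the cited advisories, showing how a passive monitor that already has decoded TDLS action-frame bodies could check them for those conditions. The fixed-field sizes per action code follow the 802.11 TDLS action frame formats; the FTIE and RSN IE length bounds (FT_IE_MAX_LEN, RSN_IE_MAX_LEN) are assumed tuning values, and the sample frames are constructed here for illustration rather than captured traffic.

```python
"""Defensive check for malformed TDLS action frames (CVE-2017-0561 detection hints).

Input is one TDLS action frame body, starting at the Category byte. Assumption:
the caller has already stripped the 802.11/LLC/SNAP headers and the TDLS
payload-type byte from the Ethernet-encapsulated TDLS payload.
"""
from typing import List, Tuple

TDLS_CATEGORY = 12   # 802.11 action category "TDLS"
IE_RSN = 48          # RSN information element
IE_FT = 55           # Fast BSS Transition IE (FTIE): carries the TDLS MIC and nonces
IE_LINK_ID = 101     # TDLS Link Identifier IE

# Fixed-field bytes between the Action code and the first IE (802.11 TDLS frame formats).
FIXED_FIELD_LEN = {
    0: 3,   # Setup Request: Dialog Token (1) + Capability (2)
    1: 5,   # Setup Response: Status Code (2) + Dialog Token (1) + Capability (2)
    2: 3,   # Setup Confirm: Status Code (2) + Dialog Token (1)
    3: 2,   # Teardown: Reason Code (2)
    10: 1,  # Discovery Request: Dialog Token (1)
}
ACTION_NAME = {0: "Setup Request", 1: "Setup Response", 2: "Setup Confirm",
               3: "Teardown", 10: "Discovery Request"}

# Assumed sanity bounds (tuning values, not from the advisory): a TDLS FTIE is
# MIC Control (2) + MIC (16) + ANonce (32) + SNonce (32) = 82 bytes, and RSN IEs
# in practice are a few tens of bytes. The overflow trigger uses a length of 0xFF.
FT_IE_MAX_LEN = 128
RSN_IE_MAX_LEN = 64


def parse_ies(blob: bytes) -> Tuple[List[Tuple[int, int, bytes]], bool]:
    """Walk a tag/length/value list. Returns (ies, truncated). An IE whose declared
    length runs past the buffer is still recorded with its claimed length, and
    `truncated` is set instead of silently reading out of bounds."""
    ies: List[Tuple[int, int, bytes]] = []
    pos, truncated = 0, False
    while pos + 2 <= len(blob):
        tag, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + length]
        if len(body) < length:
            truncated = True
        ies.append((tag, length, body))
        pos += 2 + length
    return ies, truncated


def inspect_tdls_frame(body: bytes) -> List[str]:
    """Return findings for one TDLS action frame body; an empty list means nothing odd."""
    findings: List[str] = []
    if len(body) < 2 or body[0] != TDLS_CATEGORY:
        return findings                      # not a TDLS action frame at all
    action = body[1]
    if action not in FIXED_FIELD_LEN:
        # Standard codes are 0-10; the advisory notes the exploit uses 127.
        findings.append(f"non-standard TDLS action code {action}")
        return findings
    name = ACTION_NAME[action]
    ies, truncated = parse_ies(body[2 + FIXED_FIELD_LEN[action]:])
    for tag, length, _ in ies:
        if tag == IE_FT and length > FT_IE_MAX_LEN:
            findings.append(f"oversized FTIE (len {length}) in TDLS {name}")
        if tag == IE_RSN and length > RSN_IE_MAX_LEN:
            findings.append(f"oversized RSN IE (len {length}) in TDLS {name}")
    if truncated:
        findings.append(f"IE length exceeds frame body in TDLS {name}")
    return findings


def _ie(tag: int, payload: bytes) -> bytes:
    """Encode one tag/length/value IE."""
    return bytes([tag, len(payload)]) + payload


# Constructed sample frames (all-zero MACs and nonces; not captured traffic).
LINK_ID = _ie(IE_LINK_ID, b"\x00" * 18)               # BSSID + initiator + responder
BENIGN_TEARDOWN = bytes([TDLS_CATEGORY, 3]) + b"\x03\x00" + LINK_ID + _ie(IE_FT, b"\x00" * 82)
# FTIE header claims 0xFF bytes but only 82 follow: the Teardown trigger shape.
MALFORMED_TEARDOWN = (bytes([TDLS_CATEGORY, 3]) + b"\x03\x00" + LINK_ID
                      + bytes([IE_FT, 0xFF]) + b"\x00" * 82)
# Setup Confirm with an RSN IE far larger than any real one (body fully present).
MALFORMED_CONFIRM = (bytes([TDLS_CATEGORY, 2]) + b"\x00\x00\x01" + LINK_ID
                     + _ie(IE_RSN, b"\x00" * 0xF0) + _ie(IE_FT, b"\x00" * 82))
ODD_ACTION = bytes([TDLS_CATEGORY, 127]) + b"\x00" * 4

if __name__ == "__main__":
    for label, frame in [("benign teardown", BENIGN_TEARDOWN),
                         ("malformed teardown", MALFORMED_TEARDOWN),
                         ("malformed confirm", MALFORMED_CONFIRM),
                         ("action 127", ODD_ACTION)]:
        print(f"{label}: {inspect_tdls_frame(frame) or 'ok'}")
```

The parser deliberately records an IE whose declared length overruns the buffer instead of dropping it, because that claimed length is exactly the signal worth alerting on; a monitor that silently discards truncated IEs would miss the Teardown case.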
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
Android
Android Security Bulletin 2017-04-01 (vendor_android · 2017-04-01 · CVSS 9.8)
CVE: CVE-2017-0561
Severity: CRITICAL
References: A-34199105*, B-RB#110814
Debian
firmware-nonfree (vendor_debian · 2017 · CVSS 9.8 · CRITICAL)
Scope: local
bookworm: resolved (fixed in 20180518-1)
bullseye: resolved (fixed in 20180518-1)
forky: resolved (fixed in 20180518-1)
sid: resolved (fixed in 20180518-1)
trixie: resolved (fixed in 20180518-1)
GHSA
GHSA-gwvj-5r5w-vc2g (ghsa_unreviewed · 2022-05-13 · CWE-787 · CRITICAL)
OSV
CVE-2017-0561 (osv · 2017-04-07 · CVSS 9.8 · CRITICAL)
No detection rules found.
Exploit-DB
Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow (exploitdb · 2017-04-04)
---
Source:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1046
https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). TDLS connections allow clients to exchange data between one another without passing it through the AP (thus preventing congestion at the AP).
In order to verify the integrity of TDLS messages, each message exchanged betwe
Exploit-DB
Broadcom Wi-Fi SoC - Heap Overflow 'wlc_tdls_cal_mic_chk' Due to Large RSN IE in TDLS Setup Confirm Frame (exploitdb · 2017-04-04)
---
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1047
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). TDLS connections allow clients to exchange data between one another without passing it through the AP (thus preventing congestion at the AP).
In order to verify the integrity of TDLS messages, each message exchanged between the TDLS peers includes a message integrity
References:
- http://www.securityfocus.com/bid/97367
- http://www.securitytracker.com/id/1038201
- https://lists.debian.org/debian-lts-announce/2018/11/msg00015.html
- https://source.android.com/security/bulletin/2017-04-01
- https://www.exploit-db.com/exploits/41805/
- https://www.exploit-db.com/exploits/41806/