CVE-2017-11120
Published 2017-09-28
Priority P2 · 62 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 9.13% (94.7th percentile)
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 11.0 | 11.0 |
| apple | tvos | < 11.0 | 11.0 |
| apple | tvos | — | — |
| broadcom | bcm4355c0_firmware | — | — |
| android | — | — | — |
Detection & IOCs (extracted from sources)
- Detect malformed 802.11k RRM Neighbor Report Response frames sent over the air; the vulnerability is triggered by a crafted RRM neighbor report frame that causes an internal buffer overflow in Broadcom Wi-Fi firmware.
- Monitor for post-exploitation traffic: the public PoC patches a backdoor into the Broadcom Wi-Fi firmware that accepts remote read/write commands delivered in crafted 802.11 action frames.
- Flag wireless clients associating to a rogue AP broadcasting the SSID 'test80211k', the network name used by the public proof-of-concept exploit.
- Presence of exploit tooling files (attack.py, assemble_backdoor.sh, conf.py, symbols.py) on a host may indicate preparation or execution of the CVE-2017-11120 exploit chain.
- The exploit targets Broadcom BCM4355C0 Wi-Fi chips running firmware version 9.44.78.27.0.1.56; inventory and monitor devices with this chipset/firmware combination as high-priority targets.
- The exploit was validated against iOS 10.2 (14C92) through iOS 10.3.3; unpatched devices in this range are confirmed vulnerable. iOS 11 and tvOS 11 contain the fix.
- The public PoC exploit requires a SoftMAC Wi-Fi dongle (e.g., TL-WN722N) acting as a rogue AP and a modified hostapd-2.6 with 802.11k RRM/Neighbor Report support and action-frame injection capability; standard hostapd will not work.
- Symbol offsets in the exploit must be adjusted per iOS version; the provided symbols.py targets iOS 10.2 (14C92) and may not work as-is against other builds.
- The attacker must be within Wi-Fi radio range of the target device; this is a proximity-based (RF range) attack with no Internet-based exploitation path.
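The first indicator above (malformed Neighbor Report Response frames) is the one a wireless sensor can act on directly. The following is an added example, not code from this page, from Broadcom or from the Project Zero exploit: a stdlib-only Python checker that takes the body of an 802.11 Action frame (Category byte onward, as a monitor-mode capture would hand it over) and reports structural defects in a Radio Measurement / Neighbor Report Response. The frame layout (Category 5, Action 5, Dialog Token, then Neighbor Report elements with ID 52 and a 13-byte fixed body) follows IEEE 802.11-2016. The malformation heuristics, the `MAX_NEIGHBORS` ceiling, the function names and the sample frames are assumptions of this example: the advisory only says a crafted neighbor report overflows an internal firmware buffer, not which field, so a real deployment should tune the checks to what its own APs legitimately advertise.

```python
"""Flag malformed 802.11k Neighbor Report Response action frames.

Added example for CVE-2017-11120 detection. Frame layout follows IEEE
802.11-2016 (Radio Measurement action frames, Neighbor Report element
ID 52). The malformation heuristics and the element-count ceiling are
assumptions of this example, not facts from the advisory.
"""
import struct

CAT_RADIO_MEASUREMENT = 5
ACTION_NEIGHBOR_REPORT_RESPONSE = 5
EID_NEIGHBOR_REPORT = 52
# BSSID(6) + BSSID Information(4) + Operating Class(1) + Channel(1) + PHY Type(1)
NEIGHBOR_REPORT_FIXED_LEN = 13
MAX_NEIGHBORS = 16  # assumed ceiling; tune to what your ESS actually advertises


def parse_tlvs(buf):
    """Yield (element_id, value) pairs; raise ValueError on a truncated element."""
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated element header at offset %d" % off)
        eid, elen = buf[off], buf[off + 1]
        if off + 2 + elen > len(buf):
            raise ValueError("element %d length %d runs past end of frame" % (eid, elen))
        yield eid, buf[off + 2: off + 2 + elen]
        off += 2 + elen


def check_neighbor_report_response(body):
    """Return a list of findings for an Action frame body (Category byte onward).

    An empty list means the frame is either not a Neighbor Report Response
    or is a structurally well-formed one.
    """
    findings = []
    if (len(body) < 3 or body[0] != CAT_RADIO_MEASUREMENT
            or body[1] != ACTION_NEIGHBOR_REPORT_RESPONSE):
        return findings  # not a Neighbor Report Response; nothing to check
    neighbors = 0
    try:
        for eid, val in parse_tlvs(body[3:]):  # body[2] is the Dialog Token
            if eid != EID_NEIGHBOR_REPORT:
                continue
            neighbors += 1
            if len(val) < NEIGHBOR_REPORT_FIXED_LEN:
                findings.append("neighbor report element shorter than the 13-byte fixed body (%d)" % len(val))
                continue
            # Optional subelements follow the fixed fields and must be well-formed TLVs too.
            try:
                list(parse_tlvs(val[NEIGHBOR_REPORT_FIXED_LEN:]))
            except ValueError as e:
                findings.append("bad subelement in neighbor report: %s" % e)
    except ValueError as e:
        findings.append("bad element: %s" % e)
    if neighbors > MAX_NEIGHBORS:
        findings.append("%d neighbor report elements (ceiling %d)" % (neighbors, MAX_NEIGHBORS))
    return findings


def build_neighbor_report(bssid, channel, subelements=b""):
    """Constructed helper: one Neighbor Report element for a 2.4 GHz (op class 81) HT neighbor."""
    bssid_info = 0x0000000F  # illustrative BSSID Information bits
    fixed = bssid + struct.pack("<IBBB", bssid_info, 81, channel, 7)
    val = fixed + subelements
    return bytes([EID_NEIGHBOR_REPORT, len(val)]) + val


def build_response(elements, dialog_token=1):
    """Constructed helper: Category, Action, Dialog Token, then the elements."""
    return bytes([CAT_RADIO_MEASUREMENT, ACTION_NEIGHBOR_REPORT_RESPONSE, dialog_token]) + b"".join(elements)


# Constructed sample frames (not captured traffic).
BENIGN = build_response([build_neighbor_report(b"\x02\x11\x22\x33\x44\x55", 6)])
# Element claims 200 bytes of value but the frame ends after 13: the length field lies.
TRUNCATED = build_response([bytes([EID_NEIGHBOR_REPORT, 200]) + b"\x02" * 13])
# Far more neighbors than any real ESS advertises.
FLOOD = build_response([build_neighbor_report(bytes([0x02, i, 0, 0, 0, 1]), 1) for i in range(64)])

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN), ("truncated", TRUNCATED), ("flood", FLOOD)):
        print(name, check_neighbor_report_response(frame) or "ok")
```

Feed it frame bodies from a monitor-mode capture on the channels your clients use; because the attack is carried in management frames from a rogue AP, a sensor that only sees data-plane traffic or only the legitimate APs' logs will not observe it.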
CVSS provenance
NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
Note: both NVD vectors score the attack vector as Network, although exploitation requires the attacker to be within Wi-Fi radio range of the target; for exposure assessment treat this as an adjacent-network (RF proximity) attack with no Internet-based path.
Apple
CVE-2017-11120: iOS 11
vendor_apple · 2017-09-19 · CVSS 9.8 · CRITICAL
Apple Security Update: About the security content of iOS 11
Product: iOS
Version: 11
CVE: CVE-2017-11120
Component: Wi-Fi
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
Apple
CVE-2017-11120: tvOS 11
vendor_apple · 2017-09-19 · CVSS 9.8 · CRITICAL
Apple Security Update: About the security content of tvOS 11
Product: tvOS
Version: 11
CVE: CVE-2017-11120
Component: Wi-Fi
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
Android
CVE-2017-11120: Wi-Fi driver
vendor_android · 2017-09-01 · CVSS 9.8 · CRITICAL
Android Security Bulletin 2017-09-01
CVE: CVE-2017-11120
Severity: CRITICAL
Type: RCE
Component: Wi-Fi driver
References: A-62575409*, B-V2017061204
(The asterisk is the Android bulletin's marker for an issue whose patch is not published in AOSP; the fix ships in the vendor's binary Wi-Fi driver/firmware, so Android devices with Broadcom chips depend on OEM firmware updates.)
GHSA
GHSA-g3j7-grgr-pgxq
ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-119
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204.
No detection rules found.
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/144328/Broadcom-802.11k-Neighbor-Report-Response-Out-Of-Bounds-Write.html
http://www.securityfocus.com/bid/100984
https://bugs.chromium.org/p/project-zero/issues/detail?id=1289
https://lists.apple.com/archives/security-announce/2017/Sep/msg00007.html
https://lists.apple.com/archives/security-announce/2017/Sep/msg00009.html
https://source.android.com/security/bulletin/2017-09-01
https://support.apple.com/HT208112
https://support.apple.com/HT208113
https://support.apple.com/en-us/HT208112
https://support.apple.com/en-us/HT208113
https://www.exploit-db.com/exploits/42784/