Severity: 8.3 HIGH (NVD)
NVD 3.1 | OSV 5.6
EPSS: 3.3% (top 12.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 16 | Latest update Oct 1

Description

The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by send

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 6.0

Affected Packages (8 packages)

CVEListV5 | broadcom/brcmfmac_wifi_driver | commit prior to 1b5e2423164b3670e8bc9174e4762d297990deff
NVD | apple/ipados | < 13.2
debian | debian/linux | < linux 4.19.37-4 (bookworm)
NVD | apple/mac_os_x | < 10.15.1
NVD | apple/iphone_os | < 13.2

Patches

🔴 Vulnerability Details (7)

GHSA | GHSA-p2g8-8j8x-3728: An issue was discovered on Broadcom Wi-Fi client devices | 2022-05-24
GHSA | GHSA-6jhq-h73f-x439: The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow | 2022-05-24
Kernel | fortify: Detect struct member overflows in memcpy() at compile-time | 2021-04-20
OSV | CVE-2019-9500: The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow | 2020-01-16
OSV | linux-hwe, linux-azure, linux-gcp, linux-oracle vulnerabilities | 2019-05-15

📋 Vendor Advisories (8)

Red Hat | linux-firmware: Transmission of data encrypted with an all-zero session key after disassociation | 2020-02-05
Ubuntu | Linux kernel (HWE) vulnerabilities | 2019-05-15
Ubuntu | Linux kernel vulnerabilities | 2019-05-14
Ubuntu | Linux kernel (HWE) vulnerabilities | 2019-05-14
Ubuntu | Linux kernel vulnerabilities | 2019-05-14

📄 Research Papers (1)

arXiv | Streamlining Attack Tree Generation: A Fragment-Based Approach | 2023-10-01

💬 Community (3)

Bugzilla | CVE-2019-15126 linux-firmware: Transmission of data encrypted with an all-zero session key after disassociation | 2020-02-27
Bugzilla | CVE-2019-9500 kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results [fedora-all] | 2019-04-18
Bugzilla | CVE-2019-9500 kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results | 2019-04-18