CVE-2019-9502Heap-based Buffer Overflow in Wifi Drivers

CWE-122Heap-based Buffer OverflowCWE-787Out-of-bounds WriteCWE-358Improperly Implemented Security Check for StandardCWE-300Channel Accessible by Non-Endpoint8 documents8 sources
Severity
8.8HIGHNVD
CNA7.9
EPSS
1.4%
top 19.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Broadcom Wifi DriversSynology Router Manager
Timeline
PublishedFeb 3
Latest updateMay 24

Description

The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow. If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5broadcom/wifi_driverswl

🔴Vulnerability Details

3
GHSA
GHSA-4rfg-8q34-prmp: The Broadcom wl WiFi driver is vulnerable to a heap buffer overflow2022-05-24
OSV
CVE-2019-9502: In driver/firmware of broadcom wifi chipset, there is a possible out of bounds write due to a missing bounds check2020-07-01
CVEList
Broadcom wl driver is vulnerable to heap buffer overflow2020-02-03

💥Exploits & PoCs

1
Exploit-DB
Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal2019-04-19

📋Vendor Advisories

2
Android
CVE-2019-9502: Broadcom Firmware2020-07-01
Red Hat
linux-firmware: Transmission of data encrypted with an all-zero session key after disassociation2020-02-05

💬Community

1
Bugzilla
CVE-2019-15126 linux-firmware: Transmission of data encrypted with an all-zero session key after disassociation2020-02-27
CVE-2019-9502 — Heap-based Buffer Overflow | cvebase