CVE-2019-9503: Broadcom brcmfmac driver is vulnerable to a frame validation bypass
First published: Tue Feb 19 2019(Updated: )
If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and not be processed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a WiFi dongle). This can allow firmware event frames from a remote source to be processed and this can result in denial of service (DoS) condition.
Credit: cret@cert.org cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1127.rt56.1093.el7 | 0:3.10.0-1127.rt56.1093.el7 |
| redhat/kernel | <0:3.10.0-1127.el7 | 0:3.10.0-1127.el7 |
| redhat/kernel | <0:3.10.0-1062.26.1.el7 | 0:3.10.0-1062.26.1.el7 |
| redhat/kernel-rt | <0:4.18.0-80.11.1.rt9.156.el8_0 | 0:4.18.0-80.11.1.rt9.156.el8_0 |
| redhat/kernel | <0:4.18.0-80.11.1.el8_0 | 0:4.18.0-80.11.1.el8_0 |
| Broadcom brcmfmac driver | ||
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| IBM Data Risk Manager | <=2.0.6 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.5-1 6.11.7-1 |
Remedy
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4176ec356c73a46c07c181c6d04039fafa34a9f
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-9503 https://nvd.nist.gov/vuln/detail/CVE-2019-9503 https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html#cve-2019-9503-remotely-sending-firmware-events-bypassing-is-wlc-event-frame https://kb.cert.org/vuls/id/166939/ https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/
- https://bugzilla.redhat.com/show_bug.cgi?id=1701842
- https://access.redhat.com/errata/RHSA-2020:1070
- https://access.redhat.com/errata/RHSA-2020:1016
- https://access.redhat.com/errata/RHSA-2020:2522
- https://access.redhat.com/errata/RHSA-2019:2741
- https://access.redhat.com/errata/RHSA-2019:2703
- https://access.redhat.com/security/cve/CVE-2019-9503
- https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html
- https://bugzilla.suse.com/show_bug.cgi?id=1132828
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4176ec356c73a46c07c181c6d04039fafa34a9f
- https://kb.cert.org/vuls/id/166939/
- https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9503.html
- https://security-tracker.debian.org/tracker/CVE-2019-9503
- https://launchpad.net/bugs/cve/CVE-2019-9503
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=5b435de0d786869c95d1962121af0d7df2542009
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a4176ec356c73a46c07c181c6d04039fafa34a9f
- https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html#cve-2019-9503-remotely-sending-firmware-events-bypassing-is-wlc-event-frame
- https://www.bleepingcomputer.com/news/security/broadcom-wifi-driver-flaws-expose-computers-phones-iot-to-rce-attacks/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1701843
- https://access.redhat.com/security/cve/CVE-2019-8564
- https://access.redhat.com/security/cve/cve-2019-9503
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159643
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://git.kernel.org/linus/a4176ec356c73a46c07c181c6d04039fafa34a9f
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9503
- https://nvd.nist.gov/vuln/detail/CVE-2019-9503
- https://ubuntu.com/security/CVE-2019-9503
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-9503
- agent/weakness
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2019-8564
- alias/CVE-2019-9500
- alias/CVE-2019-9501
- alias/CVE-2019-9502
- agent/news-ai
- agent/references
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/remedy
- agent/last-modified-date
- agent/event
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/broadcom
- canonical/broadcom brcmfmac driver
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- package-manager/debian