CVE Vulnerabilities

CVE-2019-9500

Heap-based Buffer Overflow

Published: Jan 16, 2020 | Modified: Nov 21, 2024
CVSS 3.x
8.3
HIGH
Source:
NVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 2.x
7.9 HIGH
AV:A/AC:M/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
6.5 IMPORTANT
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Ubuntu
MEDIUM

The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.

Weakness

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Affected Software

Name Vendor Start Version End Version
Brcmfmac_driver Broadcom - (including) - (including)
Red Hat Enterprise Linux 7 RedHat kernel-rt-0:3.10.0-1062.1.1.rt56.1024.el7 *
Red Hat Enterprise Linux 7 RedHat kernel-0:3.10.0-1062.1.1.el7 *
Red Hat Enterprise Linux 7 RedHat kpatch-patch *
Red Hat Enterprise Linux 7 RedHat kernel-alt-0:4.14.0-115.14.1.el7a *
Red Hat Enterprise Linux 7.6 Extended Update Support RedHat kernel-0:3.10.0-957.41.1.el7 *
Red Hat Enterprise Linux 7.6 Extended Update Support RedHat kpatch-patch *
Red Hat Enterprise Linux 8 RedHat kernel-rt-0:4.18.0-80.11.1.rt9.156.el8_0 *
Red Hat Enterprise Linux 8 RedHat kernel-0:4.18.0-80.11.1.el8_0 *
Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS RedHat kernel-0:3.10.0-957.41.1.el7 *
Linux Ubuntu bionic *
Linux Ubuntu cosmic *
Linux Ubuntu devel *
Linux Ubuntu disco *
Linux Ubuntu upstream *
Linux-aws Ubuntu bionic *
Linux-aws Ubuntu cosmic *
Linux-aws Ubuntu devel *
Linux-aws Ubuntu disco *
Linux-aws Ubuntu upstream *
Linux-aws-hwe Ubuntu upstream *
Linux-aws-hwe Ubuntu xenial *
Linux-azure Ubuntu bionic *
Linux-azure Ubuntu cosmic *
Linux-azure Ubuntu devel *
Linux-azure Ubuntu disco *
Linux-azure Ubuntu trusty *
Linux-azure Ubuntu upstream *
Linux-azure Ubuntu xenial *
Linux-azure-edge Ubuntu bionic *
Linux-azure-edge Ubuntu upstream *
Linux-azure-edge Ubuntu xenial *
Linux-euclid Ubuntu upstream *
Linux-flo Ubuntu esm-apps/xenial *
Linux-flo Ubuntu trusty *
Linux-flo Ubuntu upstream *
Linux-flo Ubuntu xenial *
Linux-gcp Ubuntu bionic *
Linux-gcp Ubuntu cosmic *
Linux-gcp Ubuntu devel *
Linux-gcp Ubuntu disco *
Linux-gcp Ubuntu upstream *
Linux-gcp Ubuntu xenial *
Linux-gcp-edge Ubuntu bionic *
Linux-gcp-edge Ubuntu upstream *
Linux-gke Ubuntu upstream *
Linux-gke Ubuntu xenial *
Linux-gke-4.15 Ubuntu bionic *
Linux-gke-4.15 Ubuntu upstream *
Linux-gke-5.0 Ubuntu upstream *
Linux-goldfish Ubuntu esm-apps/xenial *
Linux-goldfish Ubuntu trusty *
Linux-goldfish Ubuntu upstream *
Linux-goldfish Ubuntu xenial *
Linux-grouper Ubuntu trusty *
Linux-grouper Ubuntu upstream *
Linux-hwe Ubuntu bionic *
Linux-hwe Ubuntu upstream *
Linux-hwe Ubuntu xenial *
Linux-hwe-edge Ubuntu upstream *
Linux-hwe-edge Ubuntu xenial *
Linux-kvm Ubuntu bionic *
Linux-kvm Ubuntu cosmic *
Linux-kvm Ubuntu devel *
Linux-kvm Ubuntu disco *
Linux-kvm Ubuntu upstream *
Linux-lts-trusty Ubuntu upstream *
Linux-lts-utopic Ubuntu trusty *
Linux-lts-utopic Ubuntu trusty/esm *
Linux-lts-utopic Ubuntu upstream *
Linux-lts-vivid Ubuntu trusty *
Linux-lts-vivid Ubuntu trusty/esm *
Linux-lts-vivid Ubuntu upstream *
Linux-lts-wily Ubuntu trusty *
Linux-lts-wily Ubuntu trusty/esm *
Linux-lts-wily Ubuntu upstream *
Linux-lts-xenial Ubuntu upstream *
Linux-maguro Ubuntu trusty *
Linux-maguro Ubuntu upstream *
Linux-mako Ubuntu esm-apps/xenial *
Linux-mako Ubuntu trusty *
Linux-mako Ubuntu upstream *
Linux-mako Ubuntu xenial *
Linux-manta Ubuntu trusty *
Linux-manta Ubuntu upstream *
Linux-oem Ubuntu bionic *
Linux-oem Ubuntu cosmic *
Linux-oem Ubuntu devel *
Linux-oem Ubuntu disco *
Linux-oem Ubuntu upstream *
Linux-oem Ubuntu xenial *
Linux-oracle Ubuntu bionic *
Linux-oracle Ubuntu cosmic *
Linux-oracle Ubuntu devel *
Linux-oracle Ubuntu disco *
Linux-oracle Ubuntu upstream *
Linux-oracle Ubuntu xenial *
Linux-raspi2 Ubuntu bionic *
Linux-raspi2 Ubuntu cosmic *
Linux-raspi2 Ubuntu devel *
Linux-raspi2 Ubuntu disco *
Linux-raspi2 Ubuntu upstream *
Linux-snapdragon Ubuntu devel *
Linux-snapdragon Ubuntu disco *
Linux-snapdragon Ubuntu upstream *

Potential Mitigations

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
  • Run or compile the software using features or extensions that randomly arrange the positions of a program’s executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as “rebasing” (for Windows) and “prelinking” (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

References