CVE-2019-9503
Published: 12 April 2019
The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
From the Ubuntu Security Team
Hugues Anguelkov discovered that the Broadcom Wifi driver in the Linux kernel did not properly prevent remote firmware events from being processed for USB Wifi devices. A physically proximate attacker could use this to send firmware events to the device.
Notes
| Author | Note |
|---|---|
| mdeslaur | this was originally called CVE-2019-8564 by mistake |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
linux Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-50.54)
|
| cosmic |
Released
(4.18.0-20.21)
|
|
| disco |
Released
(5.0.0-15.16)
|
|
| trusty |
Ignored
(was needed ESM criteria)
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.4.0-157.185)
|
|
|
Patches: Introduced by 5b435de0d786869c95d1962121af0d7df2542009 |
||
|
linux-aws Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1039.41)
|
| cosmic |
Released
(4.18.0-1016.18)
|
|
| disco |
Released
(5.0.0-1006.6)
|
|
| trusty |
Ignored
(was needed ESM criteria)
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.4.0-1090.101)
|
|
|
linux-aws-hwe Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.15.0-1039.41~16.04.1)
|
|
|
linux-azure Launchpad, Ubuntu, Debian |
bionic |
Released
(4.18.0-1018.18~18.04.1)
|
| cosmic |
Released
(4.18.0-1018.18)
|
|
| disco |
Released
(5.0.0-1006.6)
|
|
| trusty |
Released
(4.15.0-1045.49~14.04.1)
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.15.0-1045.49)
|
|
|
linux-azure-edge Launchpad, Ubuntu, Debian |
bionic |
Released
(4.18.0-1018.18~18.04.1)
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.15.0-1045.49)
|
|
|
linux-euclid Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Ignored
(was needed ESM criteria)
|
|
|
linux-flo Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Ignored
(abandoned)
|
|
|
linux-gcp Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1032.34)
|
| cosmic |
Released
(4.18.0-1011.12)
|
|
| disco |
Released
(5.0.0-1006.6)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.15.0-1032.34~16.04.1)
|
|
|
linux-gcp-edge Launchpad, Ubuntu, Debian |
bionic |
Released
(4.18.0-1011.12~18.04.1)
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
linux-gke-4.15 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1032.34)
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-gke-5.0 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-1011.11~18.04.1)
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-goldfish Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Ignored
(end of life)
|
|
|
linux-grouper Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-hwe Launchpad, Ubuntu, Debian |
bionic |
Released
(4.18.0-20.21~18.04.1)
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.15.0-50.54~16.04.1)
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(5.0.0-15.16~18.04.1)
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.15.0-50.54~16.04.1)
|
|
|
linux-kvm Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1034.34)
|
| cosmic |
Released
(4.18.0-1012.12)
|
|
| disco |
Released
(5.0.0-1006.6)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.4.0-1052.59)
|
|
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-utopic Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Ignored
(end of life, was ignored)
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-vivid Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Ignored
(end of life, was ignored)
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-wily Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Ignored
(end of life, was ignored)
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Ignored
(was needed ESM criteria)
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-maguro Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-mako Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Ignored
(abandoned)
|
|
|
linux-manta Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was ignored [abandoned])
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Does not exist
|
|
|
linux-oem Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1038.43)
|
| cosmic |
Released
(4.15.0-1038.43)
|
|
| disco |
Released
(4.15.0-1038.43)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Ignored
(end of standard support, was needs-triage)
|
|
|
linux-oracle Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1013.15)
|
| cosmic |
Released
(4.15.0-1013.15)
|
|
| disco |
Released
(4.15.0-1013.15)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.15.0-1013.15~16.04.1)
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1036.38)
|
| cosmic |
Released
(4.18.0-1014.16)
|
|
| disco |
Released
(5.0.0-1008.8)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.4.0-1117.126)
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1053.57)
|
| cosmic |
Does not exist
|
|
| disco |
Released
(5.0.0-1012.12)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(5.1~rc1)
|
|
| xenial |
Released
(4.4.0-1121.127)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.3 |
| Attack vector | Adjacent |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
References
- https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html
- https://ubuntu.com/security/notices/USN-3979-1
- https://ubuntu.com/security/notices/USN-3980-1
- https://ubuntu.com/security/notices/USN-3981-1
- https://ubuntu.com/security/notices/USN-3980-2
- https://ubuntu.com/security/notices/USN-3981-2
- https://ubuntu.com/security/notices/USN-4076-1
- https://ubuntu.com/security/notices/USN-4095-1
- https://www.cve.org/CVERecord?id=CVE-2019-9503
- NVD
- Launchpad
- Debian