var-201710-1086
Vulnerability from variot

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement offloading. Broadcom BCM4355C0 Wi-Fi chips is a Wi-Fi chip of Broadcom (Broadcom). Wi-Fi firmware is the firmware used in it. There is a security vulnerability in version 9.44.78.27.0.1.56 of the Broadcom BCM4355C0 Wi-Fi chip. The vulnerability is caused by the insufficient calculation length of the program. An attacker could exploit this vulnerability to obtain information. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.

In order to reduce overhead on the host, some Broadcom Wi-Fi chips support offloading of certain ICMPv6 packets, including Router Advertisements, Neighbor Advertisements and Neighbor Solicitations.

On the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56, the ICMPv6 offloading is performed by ROM function 0x39AF8. This function first inspects the ethertype and ensures that it is an IPv6 packet. Then, it reads the protocol number in the "Next Header" field to verify that this is indeed an ICMPv6 packet (IPv6_ICMP). Lastly, the function reads the ICMPv6 "Type" field, and dispatches the packet to the appropriate handler.

In the case of "Router Advertisment" packets (type 134), ROM function 0x399A0 is called to handle the packet. The function has the following approximate high-level logic:

int function_0x399A0(void ctx, char ipv6_header, ...) { ...

//Reading some IPv6 fields uint16_t payload_length = ntohs(((uint16_t)(ipv6_header + 4))); uint16_t router_lifetime = ntohs(((uint16_t)(ipv6_header + 46)));

//Searching for a matching RA struct ra_context_t ra_array = (struct ra_context_t)(((uint32_t)ctx + 151)); for (int i=0; i<10; i++) { struct ra_context_t* ra = &(ra_array[i]);

if (memcmp(ra->src_addr, ipv6_header + 8, 0x10))
  continue;

if (ra->payload_length != payload_length)
  continue;

if (memcmp(ra->data, ipv6_header + 40, payload_length))
  continue;

if (1000 * router_lifetime <= 180000)
  continue;

if (firmware_timestamp() >= ra->timestamp + 60000)
  continue;

//Found a match!
return 2; //Indicates that the packet is filtered and not passed
          //on to the OS

}

//Find the entry to overwrite uint8_t insertion_idx_ptr = (uint8_t)((void)ra_array + 322); if (insertion_idx_ptr > 9) insertion_idx_ptr = 0; struct ra_context_t ra = &(ra_array[*insertion_idx_ptr]);

//Populate the entry ra->payload_length = payload_length; ra->timestamp = firmware_timestamp(); memcpy(ra->src_addr, ipv6_header + 8, 0x10); char* new_ra_data = malloc(payload_length); memcpy(new_ra_data, ipv6_header + 40, payload_length); if (ra->ra_data) free(ra->ra_data); ra->ra_data = new_ra_data;

(*insertion_idx_ptr)++;

return 0; //Pass the packet on to the OS }

Where "ra_context_t" has the following structure:

struct ra_context_t { char* ra_data; uint32_t payload_length; uint32_t unused; char src_addr[0x10]; uint32_t timestamp; };

As we can see above, the function fails to validate that the IPv6 "Payload Length" field does not exceed the length of the packet. As a result, if the incoming RA fails to match any of the 10 cached RAs, a new entry will be saved, triggering a copy of packet's content into a newly allocated buffer, using the attacker-controlled "payload length" field (thereby triggering an OOB read).

An attacker can use this as an oracle to leak data from the firmware. First, the attacker can send an RA with a payload length field that exceeds the real packet length by a single byte. Then, the attacker may send additional RAs in which the payload length field does indeed match the length of the packet's payload, and is also the same value as the one sent previously. By doing so, the attacker can modify the last byte of the sent RA, iterating over at-most 10 different values. If the attacker guesses the last byte (which was read OOB) correctly, the packet will be filtered. Otherwise, the packet will be forwarded to the host.

In order to distinguish between these two cases, an attacker can craft the ICMPv6 packet so that a "regular" host will send back an ICMPv6 error message. For example, by setting the TTL field to zero, the host would generate a ICMPv6 "Time Exceeded" error message.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: laginimaineb

Show details on source website


{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "tvos",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.2.2"
      },
      {
        "_id": null,
        "model": "bcm4355c0",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": "9.44.78.27.0.1.56"
      },
      {
        "_id": null,
        "model": "iphone os",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apple",
        "version": "10.3.3"
      },
      {
        "_id": null,
        "model": "bcm4355c0",
        "scope": null,
        "trust": 0.8,
        "vendor": "broadcom",
        "version": null
      },
      {
        "_id": null,
        "model": "ios",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (ipad air or later )"
      },
      {
        "_id": null,
        "model": "ios",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (iphone 5s or later )"
      },
      {
        "_id": null,
        "model": "ios",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (ipod touch first  6 generation )"
      },
      {
        "_id": null,
        "model": "tvos",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "11   (apple tv first  4 generation )"
      },
      {
        "_id": null,
        "model": "tv",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.2.2"
      },
      {
        "_id": null,
        "model": "iphone os",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "apple",
        "version": "10.3.3"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-11122"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:broadcom:bcm4355c0_firmware",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:apple:iphone_os",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:apple:apple_tv",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Google Security Research, laginimaineb",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "144461"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2017-11122",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2017-11122",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-101513",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2017-11122",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2017-11122",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2017-11122",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201707-295",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-101513",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-101513"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-11122"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement offloading. Broadcom BCM4355C0 Wi-Fi chips is a Wi-Fi chip of Broadcom (Broadcom). Wi-Fi firmware is the firmware used in it. There is a security vulnerability in version 9.44.78.27.0.1.56 of the Broadcom BCM4355C0 Wi-Fi chip. The vulnerability is caused by the insufficient calculation length of the program. An attacker could exploit this vulnerability to obtain information. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. \n\nIn order to reduce overhead on the host, some Broadcom Wi-Fi chips support offloading of certain ICMPv6 packets, including Router Advertisements, Neighbor Advertisements and Neighbor Solicitations. \n\nOn the BCM4355C0 SoC with firmware version 9.44.78.27.0.1.56, the ICMPv6 offloading is performed by ROM function 0x39AF8. This function first inspects the ethertype and ensures that it is an IPv6 packet. Then, it reads the protocol number in the \"Next Header\" field to verify that this is indeed an ICMPv6 packet (IPv6_ICMP). Lastly, the function reads the ICMPv6 \"Type\" field, and dispatches the packet to the appropriate handler. \n\nIn the case of \"Router Advertisment\" packets (type 134), ROM function 0x399A0 is called to handle the packet. The function has the following approximate high-level logic:\n\nint function_0x399A0(void* ctx, char* ipv6_header, ...) {\n  ... \n\n  //Reading some IPv6 fields\n  uint16_t payload_length  = ntohs(*((uint16_t*)(ipv6_header + 4)));\n  uint16_t router_lifetime = ntohs(*((uint16_t*)(ipv6_header + 46)));\n\n  //Searching for a matching RA\n  struct ra_context_t* ra_array = (struct ra_context_t*)(*((uint32_t*)ctx + 151));\n  for (int i=0; i\u003c10; i++) {\n    struct ra_context_t* ra = \u0026(ra_array[i]);\n    \n    if (memcmp(ra-\u003esrc_addr, ipv6_header + 8, 0x10))\n      continue;\n    \n    if (ra-\u003epayload_length != payload_length)\n      continue;\n\n    if (memcmp(ra-\u003edata, ipv6_header + 40, payload_length))\n      continue;\n\n    if (1000 * router_lifetime \u003c= 180000)\n      continue;\n\n    if (firmware_timestamp() \u003e= ra-\u003etimestamp + 60000)\n      continue;\n\n    //Found a match!\n    return 2; //Indicates that the packet is filtered and not passed\n              //on to the OS \n\n\n  }\n\n  //Find the entry to overwrite\n  uint8_t* insertion_idx_ptr = (uint8_t*)((void*)ra_array + 322);\n  if (*insertion_idx_ptr \u003e 9)\n    *insertion_idx_ptr = 0;\n  struct ra_context_t* ra = \u0026(ra_array[*insertion_idx_ptr]);\n\n  //Populate the entry\n  ra-\u003epayload_length = payload_length;\n  ra-\u003etimestamp = firmware_timestamp();\n  memcpy(ra-\u003esrc_addr, ipv6_header + 8, 0x10);\n  char* new_ra_data = malloc(payload_length);\n  memcpy(new_ra_data, ipv6_header + 40, payload_length);\n  if (ra-\u003era_data)\n    free(ra-\u003era_data);\n  ra-\u003era_data = new_ra_data;\n\n  (*insertion_idx_ptr)++;\n\n  return 0; //Pass the packet on to the OS\n}\n\nWhere \"ra_context_t\" has the following structure:\n\nstruct ra_context_t {\n    char* ra_data;\n    uint32_t payload_length;\n    uint32_t unused;\n    char src_addr[0x10];\n    uint32_t timestamp;\n};\n\nAs we can see above, the function fails to validate that the IPv6 \"Payload Length\" field does not exceed the length of the packet. As a result, if the incoming RA fails to match any of the 10 cached RAs, a new entry will be saved, triggering a copy of packet\u0027s content into a newly allocated buffer, using the attacker-controlled \"payload length\" field (thereby triggering an OOB read). \n\nAn attacker can use this as an oracle to leak data from the firmware. First, the attacker can send an RA with a payload length field that exceeds the real packet length by a single byte. Then, the attacker may send additional RAs in which the payload length field does indeed match the length of the packet\u0027s payload, and is also the same value as the one sent previously. By doing so, the attacker can modify the last byte of the sent RA, iterating over at-most 10 different values. If the attacker guesses the last byte (which was read OOB) correctly, the packet will be filtered. Otherwise, the packet will be forwarded to the host. \n\nIn order to distinguish between these two cases, an attacker can craft the ICMPv6 packet so that a \"regular\" host will send back an ICMPv6 error message. For example, by setting the TTL field to zero, the host would generate a ICMPv6 \"Time Exceeded\" error message. \n\nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse\nor a patch has been made broadly available, the bug report will become\nvisible to the public. \n\n\n\n\nFound by: laginimaineb\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-11122"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      },
      {
        "db": "VULHUB",
        "id": "VHN-101513"
      },
      {
        "db": "PACKETSTORM",
        "id": "144461"
      }
    ],
    "trust": 1.8
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-11122",
        "trust": 2.6
      },
      {
        "db": "PACKETSTORM",
        "id": "144461",
        "trust": 1.8
      },
      {
        "db": "JVN",
        "id": "JVNVU99806334",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-101513",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-101513"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      },
      {
        "db": "PACKETSTORM",
        "id": "144461"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-11122"
      }
    ]
  },
  "id": "VAR-201710-1086",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-101513"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T19:27:47.221000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "HT208112",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/HT208112"
      },
      {
        "title": "HT208113",
        "trust": 0.8,
        "url": "https://support.apple.com/en-us/HT208113"
      },
      {
        "title": "HT208112",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/HT208112"
      },
      {
        "title": "HT208113",
        "trust": 0.8,
        "url": "https://support.apple.com/ja-jp/HT208113"
      },
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://www.broadcom.com/"
      },
      {
        "title": "Broadcom BCM4355C0 Wi-Fi Fixes for chip security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90654"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-200",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-101513"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-11122"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 1.7,
        "url": "https://support.apple.com/ht208112"
      },
      {
        "trust": 1.7,
        "url": "https://support.apple.com/ht208113"
      },
      {
        "trust": 1.7,
        "url": "https://support.apple.com/en-us/ht208112"
      },
      {
        "trust": 1.7,
        "url": "https://support.apple.com/en-us/ht208113"
      },
      {
        "trust": 1.7,
        "url": "http://packetstormsecurity.com/files/144461/broadcom-icmpv6-information-leak.html"
      },
      {
        "trust": 1.7,
        "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1300"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-11122"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11122"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu99806334/index.html"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-101513"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      },
      {
        "db": "PACKETSTORM",
        "id": "144461"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-11122"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-101513",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "144461",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2017-11122",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2017-10-04T00:00:00",
        "db": "VULHUB",
        "id": "VHN-101513",
        "ident": null
      },
      {
        "date": "2017-11-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-009425",
        "ident": null
      },
      {
        "date": "2017-10-02T01:11:11",
        "db": "PACKETSTORM",
        "id": "144461",
        "ident": null
      },
      {
        "date": "2017-07-10T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201707-295",
        "ident": null
      },
      {
        "date": "2017-10-04T01:29:02.010000",
        "db": "NVD",
        "id": "CVE-2017-11122",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2019-03-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-101513",
        "ident": null
      },
      {
        "date": "2017-11-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-009425",
        "ident": null
      },
      {
        "date": "2019-03-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201707-295",
        "ident": null
      },
      {
        "date": "2024-11-21T03:07:08.997000",
        "db": "NVD",
        "id": "CVE-2017-11122",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "Broadcom BCM4355C0 of  Wi-Fi Vulnerability that triggers information disclosure on chip",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-009425"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "information disclosure",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201707-295"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.