Lenovo announced that a previously disclosed flaw in Broadcom Inc.'s Wi-Fi controller chips affects its ThinkPad...
product. What is the Broadcom flaw, and how can it be used by attackers?
Broadcom's Wi-Fi controller chips are vulnerable to a critical memory flaw. Attackers can exploit the Broadcom flaw to cause remote chip control or denial-of-service (DoS) attacks in the Lenovo ThinkPad. Gaining access to the memory in the chip is not required, and very little knowledge or skill is necessary to render all the radio resources useless.
The Broadcom flaw allows attackers to create a malformed Radio Resource Management (IEEE 802.11k) Neighbor Report frame that contains measurements of radio resources. Successful exploitation can trigger an internal buffer overflow in the Wi-Fi controller chips, enabling attackers to insert a backdoor into the chip's firmware (CVE-2017-11120). After gaining remote control, attackers can send a series of read/write commands through this backdoor, and then the internal buffer overflow will prevent clients from sending legitimate neighbor reports to each other.
Attackers can also use over-the-air Fast Transition, also known as Fast Roaming/Fast BSS Transition (IEEE 802.11r), frames to cause DoS problems by triggering heap or stack overflows (CVE-2017-11121). This protocol reduces the length of time it takes to re-establish connectivity between a laptop and the Wi-Fi infrastructure, as both the length of time it takes to re-connect to Wi-Fi and the interruptions visible to the human eye would cause the user to be suspicious.
By using heap and stack overflows in memory, the stack can either grow into the heap or overrun it. Some heap chucks are created when certain memory functions are freed after the initialization of the chip's firmware, while other data and patches to the memory can be adversely impacted.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Wireless network security
Related Q&A from Judith Myerson
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
The TP-Link EAP Controller for Linux was recently found to be vulnerable to attacks. Learn from Judith Myerson what this means for users and how it ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.