Lenovo announced that a previously disclosed flaw in Broadcom Inc.'s Wi-Fi controller chips affects its ThinkPad...
product. What is the Broadcom flaw, and how can it be used by attackers?
Broadcom's Wi-Fi controller chips are vulnerable to a critical memory flaw. Attackers can exploit the Broadcom flaw to take remote control of the chip or to mount denial-of-service (DoS) attacks against the Lenovo ThinkPad. Gaining access to the memory in the chip is not required, and very little knowledge or skill is necessary to render all the radio resources useless.
The Broadcom flaw allows attackers to create a malformed Radio Resource Management (IEEE 802.11k) Neighbor Report frame that contains measurements of radio resources. Successful exploitation can trigger an internal buffer overflow in the Wi-Fi controller chips, enabling attackers to insert a backdoor into the chip's firmware (CVE-2017-11120). After gaining remote control, attackers can send a series of read/write commands through this backdoor, and then the internal buffer overflow will prevent clients from sending legitimate neighbor reports to each other.
Attackers can also use over-the-air Fast Transition (IEEE 802.11r, also known as Fast Roaming or Fast BSS Transition) frames to cause DoS problems by triggering heap or stack overflows (CVE-2017-11121). This protocol reduces the time it takes to re-establish connectivity between a laptop and the Wi-Fi infrastructure; both a long reconnection time and interruptions visible to the human eye would make the user suspicious.
By using heap and stack overflows in memory, the stack can either grow into the heap or overrun it. Some heap chunks are created when certain memory functions are freed after the initialization of the chip's firmware, while other data and patches to the memory can be adversely impacted.
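The overflows described above come from frame contents that the receiver trusts without checking them. The following added example (not Broadcom firmware code, and not a reproduction of either CVE) shows a bounds-checked parser for IEEE 802.11k Neighbor Report elements (element ID 52, 13 bytes of fixed fields). The function name, the struct, the four-entry table and the sample byte arrays are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_NEIGHBOR_REPORT 52 /* IEEE 802.11 element ID for Neighbor Report */
#define NR_FIXED_LEN 13        /* BSSID 6 + BSSID Info 4 + class 1 + channel 1 + PHY 1 */
struct neighbor { uint8_t bssid[6]; uint8_t op_class, channel, phy_type; };
static struct neighbor table[4]; /* assumed fixed-size neighbor table */

/* Constructed sample element lists (not captured traffic). */
static const uint8_t good_ies[] = { 52, 13, 0x02,0,0,0,0,0x01, 0,0,0,0, 81, 6, 7 };
static const uint8_t overlong_ies[] = { 52, 0xff, 0x02,0,0,0,0,0x01 }; /* length lies */
static const uint8_t short_ies[] = { 52, 4, 0x02,0,0,0 };              /* body too small */

/* Returns the number of neighbors stored, or -1 if malformed or too many for out[]. */
int parse_neighbor_reports(const uint8_t *ies, size_t len, struct neighbor *out, size_t cap)
{
    size_t off = 0, n = 0;
    while (off < len) {
        if (len - off < 2) return -1;            /* truncated element header */
        uint8_t id = ies[off], elen = ies[off + 1];
        if (elen > len - off - 2) return -1;     /* declared length exceeds frame */
        const uint8_t *body = ies + off + 2;
        if (id == EID_NEIGHBOR_REPORT) {
            if (elen < NR_FIXED_LEN) return -1;  /* fixed fields missing */
            if (n >= cap) return -1;             /* reject instead of overflowing out[] */
            memcpy(out[n].bssid, body, 6);
            out[n].op_class = body[10];
            out[n].channel  = body[11];
            out[n].phy_type = body[12];
            for (size_t s = NR_FIXED_LEN; s < elen; s += 2u + body[s + 1]) /* subelements */
                if (elen - s < 2 || body[s + 1] > elen - s - 2) return -1;
            n++;
        }
        off += 2u + elen;
    }
    return (int)n;
}

int main(void)
{
    printf("good=%d overlong=%d short=%d\n",
           parse_neighbor_reports(good_ies, sizeof good_ies, table, 4),
           parse_neighbor_reports(overlong_ies, sizeof overlong_ies, table, 4),
           parse_neighbor_reports(short_ies, sizeof short_ies, table, 4));
    return 0;
}
```

Every length taken from the frame is compared against the bytes actually remaining before any copy, and a report with more entries than the table holds is rejected rather than truncated silently.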