Vulnerability Details : CVE-2019-9503
The Broadcom brcmfmac WiFi driver prior to commit a4176ec356c73a46c07c181c6d04039fafa34a9f is vulnerable to a frame validation bypass. If the brcmfmac driver receives a firmware event frame from a remote source, the is_wlc_event_frame function will cause this frame to be discarded and unprocessed. If the driver receives the firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed if the bus used is USB (for instance by a wifi dongle). This can allow firmware event frames from a remote source to be processed. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
Vulnerability category: Input validationExecute codeDenial of service
Products affected by CVE-2019-9503
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:broadcom:brcmfmac_driver:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9503
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 55 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-9503
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.9
|
HIGH | AV:A/AC:M/Au:N/C:C/I:C/A:C |
5.5
|
10.0
|
NIST | |
7.9
|
HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
1.2
|
6.0
|
CERT/CC | |
8.3
|
HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
1.6
|
6.0
|
NIST |
CWE ids for CVE-2019-9503
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- cret@cert.org (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2019-9503
-
https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html
Reverse-engineering Broadcom wireless chipsetsThird Party Advisory
-
https://bugzilla.suse.com/show_bug.cgi?id=1132828
Bug 1132828 – VUL-1: CVE-2019-9503: kernel-source: brcmfmac frame validation bypassIssue Tracking;Third Party Advisory
-
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9503.html
CVE-2019-9503 | UbuntuThird Party Advisory
-
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a4176ec356c73a46c07c181c6d04039fafa34a9f
kernel/git/torvalds/linux.git - Linux kernel source treePatch;Third Party Advisory
-
https://security-tracker.debian.org/tracker/CVE-2019-9503
CVE-2019-9503Third Party Advisory
-
https://kb.cert.org/vuls/id/166939/
VU#166939 - Broadcom WiFi chipset drivers contain multiple vulnerabilitiesThird Party Advisory;US Government Resource
-
https://bugzilla.redhat.com/show_bug.cgi?id=1701842
1701842 – (CVE-2019-9503) CVE-2019-9503 kernel: brcmfmac frame validation bypassIssue Tracking;Third Party Advisory
Jump to