BroadPwn — The “about time” patch

Sajeeb Lohani (sml555)
Published in Hive Intelligence, Jul 24, 2017

Quick Timeline Overview

BroadPwn is a vulnerability found recently within the Broadcom Wi-Fi chipset by the Exodus Intelligence team. This vulnerability was assigned CVE-2017-9417 and was rated as critical severity, based on its CVSSv3.0 score of 9.8/10.

This vulnerability was publicly disclosed on the 4th of June 2017 via the National Vulnerability Database, and affects all chips within Broadcom’s BCM43xx family.

Android released a patch for this vulnerability in its July security patches, and Apple released a patch exactly 2 weeks later. (Yes, it took a month and a half for vendors to fix it! For a critical issue, that's quite a lot of time.)

This vulnerability has affected some of the biggest names in the business, including:

Apple

  • iPhone 5 and later,
  • Fourth-gen iPads and later,
  • Sixth-gen iPod touches and later,
  • Macs from 2010 and later, etc.,

Samsung, HTC, LG, Dell, and many more.

To find whether your device is vulnerable, please refer to the following links:

Please note that the adapter may be vulnerable to this bug if it is a part of the BCM43xx family.

Possible Attack Scenarios and Likely Threat Vectors

BroadPwn is a vulnerability in the Wi-Fi packet parsing software of the Broadcom Wi-Fi chips. This means that a packet parsed by a vulnerable Wi-Fi adapter could allow an attacker to run arbitrary, unauthorised commands on the affected system.

This attack vector could quite easily be exploited by someone on the same network as the vulnerable device, or by an external attacker who has already obtained persistence in the network.

The attacker could send a packet carrying the payload over the network, causing the vulnerability to trigger. This process flow can be seen in the image below:

[Image: Attacking on the same network]

This issue will also affect anyone using a Broadcom Wi-Fi chip who has not patched the vulnerability.

Because smartphones broadcast a signal when searching for wireless access points within their range, devices could easily be affected anywhere Wi-Fi access points are available, including open access points such as those found in hotels, cafes, etc.

Security researcher Zhuowei Zhang used this to send a similar malicious payload whenever a victim comes within range of the attacker's wireless access point. At the time of writing, his publicly available code can crash the wireless adapter software. This means that no user interaction is needed to be affected by this vulnerability: provided the wireless adapter is vulnerable, simply walking within range of the wireless access point is enough.

The arbitrary command execution would be the same across all devices. This vulnerability executes commands with root privileges, meaning that the attacker has no restrictions on that specific device. This could allow an attacker to bypass network security controls and exfiltrate data from the device and from other locations on the network. The attacker could also use that device to pivot from one system to another, eventually infiltrating the internal network and leaking confidential information, or causing further harm to an organisation.

Considering that the Exodus Intelligence team has not released any scripts or code for the exploit, individuals would likely need significant exploit development skills to be able to exploit this issue.

What Should We Do?

Considering that some vendors have released a fix, we advise you to download and install the patch immediately. This attack does not require many prerequisites, which makes it quite dangerous in a live environment. There are currently no reports of any successful attacks; however, due to the nature of the vulnerability, victims may not have any knowledge of a compromise.

Where organisations do not have a Mobile Device Management (MDM) solution to enforce minimum patch levels prior to allowing connectivity to the network, an advisory should be sent out to end-users asking them to update their devices.
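One way to put the "minimum patch level" idea into practice where no MDM is available, as an added example that is not part of the original post and not Exodus Intelligence's or any vendor's code: a small POSIX shell script that checks Android security patch levels (the `ro.build.version.security_patch` property) against the July 2017 patches the post refers to. The inventory below is constructed sample data in the shape that a loop over `adb -s <serial> shell getprop ro.build.version.security_patch` or an MDM export would produce; the minimum level of 2017-07-05 is an assumption based on the Broadcom fixes being listed under the later of the two July 2017 levels, so verify it against the bulletin before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): flag Android devices whose
# security patch level predates the July 2017 fix for CVE-2017-9417.

# Assumed minimum level (see the lead-in); adjust if your bulletin reading differs.
MIN_PATCH="2017-07-05"

# Constructed sample inventory: "serial model security_patch", one device per line.
SAMPLE_INVENTORY='# serial     model      security_patch
ABC123       Pixel      2017-07-05
DEF456       GalaxyS7   2017-06-01
GHI789       Nexus5X    2017-08-05
JKL012       OnePlus3   2017-07-01
MNO345       Nexus6P    unknown'

# patch_ok LEVEL: succeed when LEVEL (YYYY-MM-DD) is at or after MIN_PATCH.
# Anything that is not a well-formed date fails closed (treated as unpatched).
patch_ok() {
    lvl=$(printf '%s' "$1" | tr -d '-')
    case "$lvl" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    min=$(printf '%s' "$MIN_PATCH" | tr -d '-')
    [ "$lvl" -ge "$min" ]
}

# report_inventory: read inventory lines on stdin, print one OK/NONCOMPLIANT
# line per device to stderr, and print the count of noncompliant devices to
# stdout so a caller can capture it.
report_inventory() {
    noncompliant=0
    while read -r serial model level; do
        case "$serial" in
            ""|\#*) continue ;;   # skip blank lines and the header comment
        esac
        if patch_ok "$level"; then
            echo "OK           $serial $model $level" >&2
        else
            echo "NONCOMPLIANT $serial $model $level" >&2
            noncompliant=$((noncompliant + 1))
        fi
    done
    echo "$noncompliant"
}

n=$(printf '%s\n' "$SAMPLE_INVENTORY" | report_inventory)
echo "devices below minimum patch level $MIN_PATCH: $n"
```

The check fails closed on purpose: a device that reports no patch level at all is counted as noncompliant, because an unknown state is exactly what a network-admission rule should not let through.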

Oh, and if you happen to be in Las Vegas for the Blackhat conference right now, you may want to patch your devices before you go to any talks!
