Lenovo recently released an advisory warning customers about two critical Broadcom vulnerabilities that affect 25 models of its popular ThinkPad lineup. The Broadcom Wi-Fi chipsets used in Lenovo ThinkPad devices are affected by CVE-2017-11120 and CVE-2017-11121. Both issues are rated “critical” and carry a CVSS score of 10, the highest possible.
These flaws can be exploited by remote attackers to execute arbitrary code on the Wi-Fi adapter of the targeted system (not on the system’s CPU).
Broadcom Wi-Fi chips are found in many devices, including the Apple iPhone, and Android devices use the same chips, so these vulnerabilities have an industry-wide effect.
Lenovo has released patches for these vulnerabilities and advises users to update their Wi-Fi drivers. The vulnerabilities were first disclosed in September 2017, when they were reported to affect only specific Broadcom chipsets used in Apple iPhones, Apple TV, and Android devices.
What exactly are these vulnerabilities?
According to the Lenovo advisory, the Wi-Fi chipsets contain the same two firmware vulnerabilities, CVE-2017-11120 and CVE-2017-11121. Both are buffer overflow flaws in the Broadcom wireless LAN controllers and the driver that uses them, and both can be exploited by an attacker to gain arbitrary code execution on the Wi-Fi adapter, but not on the targeted system’s CPU.
- With CVE-2017-11120, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware.
- This vulnerability was first identified by Google Project Zero researchers in June 2017 and publicly disclosed in September 2017 together with a proof-of-concept bug report.
- Successful exploitation is observed to plant a backdoor in the firmware. The backdoor lets attackers send read/write commands to the firmware remotely through crafted action frames, giving them easy remote control over the Wi-Fi chip.
- CVE-2017-11121 can be triggered by properly crafted malicious over-the-air Fast Transition frames that potentially cause heap and/or stack overflows inside the Wi-Fi firmware. This can result in a denial of service (DoS) or other effects, and could lead to remote code execution as well.
- According to the researchers, this buffer overflow vulnerability was caused by improper validation of Wi-Fi signals.
- Lenovo explains that only the ThinkPad product lineup uses the affected Broadcom Wi-Fi controllers; its other products remain unaffected.
Lenovo states, “Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed.”
Users of the following devices are advised to update their Wi-Fi driver:
- ThinkPad 10
- ThinkPad L460
- ThinkPad P50s
- ThinkPad T460
- ThinkPad T460p
- ThinkPad T460s
- ThinkPad T560
- ThinkPad X260
- ThinkPad Yoga 260
Lenovo also recommends that users update to the Wi-Fi driver version indicated for their model, or newer.
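One way to confirm on a Windows ThinkPad whether the installed driver already meets the version Lenovo indicates, as an added PowerShell example (not Lenovo’s or Broadcom’s own tooling). The minimum version is a placeholder, since the advisory lists it per model; the script only reports adapter status and changes nothing.

```powershell
# Added example, not part of the Lenovo advisory: list the wireless adapters on a
# Windows ThinkPad and flag Broadcom ones whose driver is older than the version
# Lenovo indicates for the model. $MinimumVersion is a placeholder; take the real
# value from the advisory entry for your model.
param(
    [version]$MinimumVersion = [version]'0.0.0.0'   # placeholder, see advisory
)

# 'Native 802.11' is the PhysicalMediaType Windows reports for Wi-Fi adapters.
$wifi = Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }

foreach ($nic in $wifi) {
    # DriverProvider / DriverVersionString come from the MSFT_NetAdapter class.
    $isBroadcom = ($nic.DriverProvider -match 'Broadcom') -or
                  ($nic.InterfaceDescription -match 'Broadcom')

    # Driver versions are dotted quads such as 7.35.352.0; guard the cast.
    try   { $installed = [version]$nic.DriverVersionString }
    catch { $installed = $null }

    if (-not $isBroadcom)        { $status = 'not Broadcom, out of scope' }
    elseif ($null -eq $installed) { $status = 'UNKNOWN version string' }
    elseif ($installed -lt $MinimumVersion) { $status = 'UPDATE REQUIRED' }
    else                         { $status = 'OK' }

    [pscustomobject]@{
        Adapter       = $nic.InterfaceDescription
        Provider      = $nic.DriverProvider
        DriverVersion = $nic.DriverVersionString
        DriverDate    = $nic.DriverDate
        Status        = $status
    }
}
```

Run it as `.\Check-BroadcomWifi.ps1 -MinimumVersion <version from advisory>`; any adapter reported as UPDATE REQUIRED should get the driver Lenovo lists for that model.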
Subject Matter Expert
Swapnil Nigade | Quick Heal Security Labs