Assorted[chips] Security Vulnerabilities

Processor Vulnerabilities – Meltdown and Spectre

UPDATE 1/4/2018: Qualys has released several QIDs for detecting missing patches for these vulnerabilities. UPDATE 1/5/2018: Pre-built AssetView dashboards to visualize impact and remediation progress. Vulnerabilities potentially impacting all major processor vendors were disclosed today by Google.....

Meltdown and Spectre CPU Flaws Affect Intel, ARM, AMD Processors

Unlike the initial reports suggested about Intel chips being vulnerable to some severe ‘memory leaking’ flaws, full technical details about the vulnerabilities have now been emerged, which revealed that almost every modern processor since 1995 is vulnerable to the issues. Disclosed today by...

Intel In Security Hot Seat Over Reported CPU Design Flaw

UPDATE Intel is grappling with what many experts are describing as a processor design flaw impacting CPUs used in Linux, Windows and some macOS systems. The reported flaw is tied to Intel’s kernel virtual memory system that could allow an attacker to access kernel-protected data such as passwords.....

A week in security (December 11 – December 17)

Last week we explained what fast flux is and how it's being abused, we showed you all kinds of Bitcoin-related scams, presented a video recording of a tech support scammer trying to sell free software, and pointed out some free software to keep an eye on your Internet traffic. We also informed you....

There’s a hole in my bucket: Bitcoin scams aim to exploit volatile market

Bitcoin! Black gold! Texas tea! Only one of these is currently worth ridiculous amounts of money (and technically numbers two and three are the same thing). Whether you're in possession of lots of Bitcoins, or in full bandwagon panic "must buy 20 graphics cards before the bubble bursts" mode, you.....

Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones

Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin. Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an...

Kaspersky Security Bulletin: Threat Predictions for 2018

Download the Kaspersky Security Bulletin: Threat Predictions for 2018 Introduction As hard as it is to believe, it's once again time for our APT Predictions. Looking back at a year like 2017 brings the internal conflict of being a security researcher into full view: on the one hand, each new event....

Updated opensc_etc packages fix security vulnerability

A vulnerability, dubbed ROCA, was identified in an implementation of RSA key generation due to a fault in a code library developed by Infineon Technologies. The affected encryption keys are used to secure many forms of technology, such as hardware chips, authentication tokens, software packages,...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.92 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and...

What You Need To Know About The "ROCA" vulnerability

By Daniel Franke, Infosec Researcher Akamai is aware of the recently-disclosed "ROCA" vulnerability in cryptographic firmware used in products made by Infineon Technologies. A bug in the firmware's prime-search algorithm used for RSA key generation results in RSA keys that are relatively cheap and....

A week in security (October 16 – October 22)

Last week was an eventful one in security, keeping our research and intel teams on their toes. Multiple security researchers homed in on suspicious and malicious apps on Google Play, affecting thousands of Android users. A new variant of Mac malware Proton was also found in the wild, this time...

On ROCA, KRACK, BoundHook, Google Advanced Protection

Threatpost editors Mike Mimoso and Tom Spring recap this week’s infosec news starting with the ROCA vulnerabilities affecting factorization of RSA private keys, the KRACK WPA2 Wi-Fi vulnerabilities, the BoundHook attacks, and Google’s introduction of Advanced Protection for Gmail. Download:...

BoundHook Attack Exploits Intel Skylake MPX Feature

A post-intrusion technique developed by researchers at CyberArk Labs called BoundHooking allows attackers to exploit a feature in all Intel chips introduced since Skylake. The attack technique allows for the execution of code from any process without detection by antivirus software or other...

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices

If you think KRACK attack for WiFi is the worst vulnerability of this year, then hold on… ...we have got another one for you which is even worse. Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers of a potentially serious vulnerability in widely used RSA cryptographic...

Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible

A flawed Infineon Technology chipset used on PC motherboards to securely store passwords, certificates and encryption keys risks undermining the security of government and corporate computers protected by RSA encryption keys. In a nutshell, the bug makes it possible for an attacker to calculate a.....

Over The Air - Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices

Posted by Gal Beniamini, Project Zero In this blog post we’ll complete our goal of achieving remote kernel code execution on the iPhone 7, by means of Wi-Fi communication alone. After developing a Wi-Fi firmware exploit in the previous blog post, we are left with the task of using our newly...

October Patch Tuesday: 28 Critical Microsoft Vulnerabilities

Today Microsoft released patches covering 62 vulnerabilities as part of October’s Patch Tuesday update, with 30 of them affecting Windows. Patches covering 28 of these vulnerabilities are labeled as Critical, and 33 can result in Remote Code Execution. According to Microsoft, a vulnerability in...

Apple: Multiple Race Conditions in PCIe Message Ring protocol leading to OOB Write and OOB Read(CVE-2017-7115)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe"...

Apple: OOB NUL byte write when handling WLC_E_TRACE event packets(CVE-2017-7112)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe"...

Apple: Information Leak when handling WLC_E_COUNTRY_CODE_CHANGED event packets(CVE-2017-7116)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe"...

Apple: Heap overflow and information disclosure in "setVendorIE" when handling ioctl results(CVE-2017-7110)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe"...

A week in security (October 02 – October 08)

Last week, we gave you some tips for National Cybersecurity Awareness Month, walked through an exploration of a small adware file, and explored the complicated world of the Homograph attack. Here's what else happened in security. VB2017 Many of our team members attended VB2017 in Madrid, one of...

Nzyme - Collects 802.11 Management Frames And Sends Them To A Graylog Setup For Wifi Ids, Monitoring, And Incident Response

Nzyme collects 802.11 management frames directly from the air and sends them to a Graylog (Open Source log management) setup for WiFi IDS, monitoring, and incident response. It only needs a JVM and a WiFi adapter that supports monitor mode. Think about this like a long-term (months or years)...

CVE-2017-11122

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement...

CVE-2017-11122

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement...

Input validation

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement...

CVE-2017-11122

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can trigger an information leak due to insufficient length validation, related to ICMPv6 router advertisement...

Broadcom ICMPv6 Information Leak Vulnerability

Exploit for hardware platform in category dos /...

Over The Air - Vol. 2, Pt. 2: Exploiting The Wi-Fi Stack on Apple Devices

Posted by Gal Beniamini, Project Zero In this blog post we’ll continue our journey towards over-the-air exploitation of the iPhone, by means of Wi-Fi communication alone. This part of the research will focus on the firmware running on Broadcom’s Wi-Fi SoC present on the iPhone 7. We’ll begin...

Broadcom: OOB write when handling 802.11k Neighbor Report Response(CVE-2017-11120)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow fast roaming between access...

Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response(CVE-2017-7065)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow clients to configure...

Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading(CVE-2017-7066)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to reduce overhead on the host, some...

Broadcom: Multiple overflows when handling 802.11r (FT) Reassociation Response(CVE-2017-11121)

Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow fast roaming between access...

CVE-2017-11120

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka...

CVE-2017-11121

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects, aka...

CVE-2017-11121

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects, aka...

CVE-2017-11120

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka...

Buffer overflow

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka...

Stack overflow

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects, aka...

Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices

Posted by Gal Beniamini, Project Zero Earlier this year we performed research into Broadcom’s Wi-Fi stack. Due to the ubiquity of Broadcom’s stack, we chose to conduct our prior research through the lens of one affected family of products -- the Android ecosystem. To paint a more complete picture.....

iPhone 7 and Samsung Galaxy S7 Wi-Fi Chip Hack Vulnerability

Exploit for hardware platform in category remote...

CVE-2017-11120

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka...

CVE-2017-11121

On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects, aka...

Signal Testing New Private Contact Discovery Service

Open Whisper Systems, the company behind the encrypted messaging app Signal, is testing a new private contact discovery service that in theory will allow the app to determine if a user has Signal contacts in their address book but forbid its servers from accessing the users’ address book. Moxie...

Remote Wi-Fi Attack Backdoors iPhone 7

Google on Tuesday disclosed details and a proof-of-concept exploit for a Wi-Fi firmware vulnerability in Broadcom chipsets patched this week in iOS 11. The attack enables code execution and persistent presence on a compromised device. “The exploit gains code execution on the Wi-Fi firmware on the.....

Google Researcher Publishes PoC Exploit for Apple iPhone Wi-Fi Chip Hack

You have now another good reason to update your iPhone to newly released iOS 11—a security vulnerability in iOS 10 and earlier now has a working exploit publicly available. Gal Beniamini, a security researcher with Google Project Zero, has discovered a security vulnerability (CVE-2017-11120) in...

Broadcom 802.11v WNM Sleep Mode Response Heap Overflow Vulnerability

Broadcom suffers from a heap overflow vulnerability when handling 802.11v WNM Sleep Mode...

Broadcom 802.11r (FT) Reassociation Response Overflows Vulnerability

Broadcom suffers from multiple overflow vulnerabilities when handling 802.11r (FT) Reassociation...

Apple PCIe Message Ring Protocol Race Conditions Vulnerability

Exploit for macOS platform in category dos /...

Apple WLC_E_COUNTRY_CODE_CHANGED Information Leak Vulnerability

Exploit for macOS platform in category dos /...