broadpwn vuln - this sounds serious
Added by robin p over 6 years ago
is this a flaw in android, or the wifi firmware? i.e. is it possible to fix in replicant?
Replies (3)
RE: broadpwn vuln - this sounds serious - Added by Jeremy Rand over 6 years ago
robin p wrote:
is this a flaw in android, or the wifi firmware? i.e. is it possible to fix in replicant?
I haven't seen the cited BlackHat talk, and it's never wise to make assumptions about technical talks' content based on mainstream media reports, but the Guardian article definitely makes it sound like this is a vulnerability in the WiFi firmware. If that's true, then I think Replicant has always been immune, because it doesn't load the WiFi firmware.
RE: broadpwn vuln - this sounds serious - Added by Wolfgang Wiedmeyer over 6 years ago
It is indeed a bug in the non-free firmware, a classic overflow. Some more technical details: https://blog.exodusintel.com/2017/07/26/broadpwn/
You are only possibly exposed to the vulnerability if you choose to install the non-free firmware.
The firmware is not part of Replicant and it's non-free, so we can't fix the vulnerability directly. But what can be done is to fix all bugs in the Wi-Fi driver code, so that remote code execution on the Wi-Fi chip can't escalate to full system access. An attacker would need an additional exploit, otherwise they can only do nasty stuff with the chip (like crashing it).
Remote code execution on the chip is possible from a compromised Wi-Fi access point. This post has some details: http://boosterok.com/blog/broadpwn/
It looks quite easy to do.
All BCM43xx chipsets are listed as affected, but that may not be true. I guess that it needs to be tested for every device. This post claims that a Nexus 7 with a BCM4330 is not affected. This table in the wiki shows what chipset are used by the supported devices. It's possible that the firmware versions for the supported devices are too old to have the vulnerable code. But if the devices with BCM4330 and BCM4334 are affected, then most of the devices supported by Replicant are affected.
RE: broadpwn vuln - this sounds serious - Added by Daniel Kulesz over 6 years ago
It looks like an updated version of the non-free library is available in the official image of the nexus 5x, see also:
https://www.reddit.com/r/LineageOS/comments/6n4xdm/is_lineageos_patched_for_cve20179417_broadpwn/
Btw.: As far as I can see, the blobs haven't been updated in LineageOS either.