Critical Broadcom flaws discovered in Lenovo ThinkPads
Two critical flaws in Broadcom Wi-Fi chips disclosed last year were thought to affect only Apple and Android devices, but Lenovo now says ThinkPad models are vulnerable, too.
Lenovo issued a security advisory on Friday warning users that two critical -- and previously disclosed -- Broadcom flaws affect more than 20 models of the computer-maker's ThinkPad laptop family.
The vulnerabilities in Broadcom's Wi-Fi controller chips can trigger buffer overflows and allow arbitrary code execution in several types of ThinkPad products. The Broadcom flaws were first discovered in June by Google Project Zero researcher Gal Beniamini, who developed a proof-of-concept exploit for iOS devices based on one of the flaws.
When details of the vulnerabilities were made public in September, they were initially thought to affect only Apple and Android devices -- Google and Apple released patches for the flaws soon after they were disclosed.
That changed last week when Lenovo published a security advisory for the Broadcom flaws (CVE-2017-11120 and CVE-2017-11121).
"Broadcom initially did not plan to remediate these issues, but when the WPA2 KRACK issue also emerged, Broadcom combined both fixes into a single set of driver updates," Lenovo wrote in the security advisory. "Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed."
The advisory links to Broadcom driver updates that Lenovo released last November and December for various ThinkPad models. However, Lenovo didn't issue an advisory for the Broadcom flaws and related driver update until Friday.
It's unclear when Lenovo learned the Wi-Fi chip vulnerabilities affected ThinkPads, or why it waited to issue the advisory. The company has not responded to SearchSecurity's request for comment.
Breaking down the Broadcom flaws
The two vulnerabilities in question both affect Broadcom BCM4355C0 Wi-Fi chips, and they both earned CVSS scores of 10.0. The first, CVE-2017-11120, allows an attacker to create a malformed Radio Resource Management neighbor report frame to trigger an internal buffer overflow in the chip's firmware.
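The article describes CVE-2017-11120 only at the level of "a malformed neighbor report frame overflows a firmware buffer." The following is an added example, not code from the article, Broadcom or Lenovo: a bounds-checked parser for the body of an 802.11 Neighbor Report Response action frame, written from a defender's point of view to show the kind of length validation a frame handler needs before it copies neighbor entries into fixed-size storage. The frame layout (Radio Measurement category 5, Neighbor Report Response action 5, Neighbor Report element ID 52 with a 13-byte fixed part) follows IEEE 802.11; the `MAX_NEIGHBORS` table size is an assumed placeholder, not a value from the page or from the real firmware, and the sample frames are constructed for illustration.

```python
"""Added example (not from the article or from Broadcom/Lenovo): a
bounds-checked parser for an 802.11 Neighbor Report Response action frame
body, the frame type the article names for CVE-2017-11120.
Layout per IEEE 802.11: category 5 (Radio Measurement), action 5 (Neighbor
Report Response), dialog token, then Neighbor Report elements (ID 52) whose
fixed part is BSSID(6) + BSSID Info(4) + Op Class(1) + Channel(1) + PHY(1).
The sample frames below are constructed for illustration."""

from dataclasses import dataclass

RM_CATEGORY = 5           # Radio Measurement action category
NEIGHBOR_REPORT_RESP = 5  # Neighbor Report Response action code
NEIGHBOR_REPORT_IE = 52   # Neighbor Report element ID
NEIGHBOR_FIXED_LEN = 13   # size of the mandatory fixed part of one entry
MAX_NEIGHBORS = 16        # assumed capacity of the receiver's neighbor table (placeholder)


class MalformedFrame(ValueError):
    """Raised for any frame whose lengths do not match the bytes present."""


@dataclass
class Neighbor:
    bssid: str
    bssid_info: int
    op_class: int
    channel: int
    phy_type: int


def parse_neighbor_report_response(body: bytes) -> list[Neighbor]:
    """Parse the action-frame body into Neighbor records.

    Every length field is checked against the bytes actually present, and the
    number of entries is capped, before anything is copied out; those are the
    checks whose absence lets a malformed frame corrupt firmware memory."""
    if len(body) < 3:
        raise MalformedFrame("body shorter than category/action/dialog token")
    category, action = body[0], body[1]  # body[2] is the dialog token
    if category != RM_CATEGORY or action != NEIGHBOR_REPORT_RESP:
        raise MalformedFrame(f"not a neighbor report response: {category}/{action}")

    neighbors: list[Neighbor] = []
    pos = 3
    while pos < len(body):
        if pos + 2 > len(body):
            raise MalformedFrame("truncated element header")
        elem_id, elem_len = body[pos], body[pos + 1]
        start, end = pos + 2, pos + 2 + elem_len
        if end > len(body):
            raise MalformedFrame(
                f"element length {elem_len} exceeds remaining {len(body) - start} bytes")
        if elem_id == NEIGHBOR_REPORT_IE:
            if elem_len < NEIGHBOR_FIXED_LEN:
                raise MalformedFrame(f"neighbor report element too short: {elem_len}")
            if len(neighbors) >= MAX_NEIGHBORS:
                raise MalformedFrame("more neighbor entries than the table can hold")
            e = body[start:end]
            neighbors.append(Neighbor(
                bssid=":".join(f"{b:02x}" for b in e[0:6]),
                bssid_info=int.from_bytes(e[6:10], "little"),
                op_class=e[10],
                channel=e[11],
                phy_type=e[12],
            ))
        # Other element IDs, and optional subelements after the fixed part, are skipped.
        pos = end
    return neighbors


def neighbor_entry(bssid: bytes, channel: int) -> bytes:
    """Build one well-formed Neighbor Report element (constructed sample data)."""
    payload = bssid + (0).to_bytes(4, "little") + bytes([81, channel, 7])
    return bytes([NEIGHBOR_REPORT_IE, len(payload)]) + payload


# Constructed well-formed body with two neighbor entries.
GOOD_FRAME = (bytes([RM_CATEGORY, NEIGHBOR_REPORT_RESP, 1])
              + neighbor_entry(b"\x02\x00\x00\x00\x00\x01", 1)
              + neighbor_entry(b"\x02\x00\x00\x00\x00\x02", 6))

# Constructed malformed body: the element claims 40 bytes but only 13 follow.
TRUNCATED_FRAME = bytes([RM_CATEGORY, NEIGHBOR_REPORT_RESP, 1, NEIGHBOR_REPORT_IE, 40]) + b"\x00" * 13

# Constructed body carrying one more entry than the assumed table size.
OVERLONG_FRAME = bytes([RM_CATEGORY, NEIGHBOR_REPORT_RESP, 1]) + b"".join(
    neighbor_entry(b"\x02\x00\x00\x00\x00" + bytes([i]), 1) for i in range(MAX_NEIGHBORS + 1))


def check(body: bytes) -> str:
    """Return 'ok:<entry count>' or 'rejected:<reason>' for a frame body."""
    try:
        return f"ok:{len(parse_neighbor_report_response(body))}"
    except MalformedFrame as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("truncated", TRUNCATED_FRAME), ("overlong", OVERLONG_FRAME)]:
        print(name, check(frame))
```

The two rejections are the interesting cases: the truncated frame is caught because the declared element length is compared with the bytes that remain, and the overlong frame because the entry count is compared with the destination table's capacity before each copy. Neither check depends on the sender being honest, which is the property a firmware parser receiving over-the-air frames has to have.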
Beniamini used CVE-2017-11120 for his iOS exploit, which he described in the Project Zero bug report.
"Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip)," he wrote.
The second, CVE-2017-11121, lets attackers use malicious, over-the-air Fast Transition frames to trigger heap and stack overflows within the chip's firmware, which can lead to denial of service.
According to Lenovo's advisory, the vulnerabilities affect the ThinkPad 10, ThinkPad L460, ThinkPad L560, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260, ThinkPad Yoga 260 and the second-generation ThinkPad S1. The updated Broadcom driver is available for all current models except the ThinkPad L460; Lenovo said the availability for the L460's update is "TBD."