Security Flaw Found in Broadcom Wi-Fi Driver

By Brian Turner

November 11, 2006

Researcher HD Moore, from the Month of Kernel Bugs project, has warned that a flaw in the widely used Broadcom BCMWL5.SYS driver may leave Windows computers open to a stack-based buffer overflow that could allow kernel-mode execution of malicious code.

An advisory released by the volunteer Zeroday Emergency Response Team (ZERT) warned that although the bug isn’t exploitable over the Internet, computers that use the driver and have the wireless card enabled could be attacked if they are near other users with laptops. The distance is dependent on the attacker’s antenna and signal strength.

ZERT said: “Windows is exploitable without the existence of an Access Point (AP) or any interaction from the user. The card’s background scan of available wireless networks triggers the flaw.”

An attack tool already exists, as part of version 3.0 of HD Moore’s Metasploit Framework.

The bug was discovered by Jon Ellch and was demonstrated in October at Microsoft’s Blue Hat conference. Ellch reported the bug to Broadcom, which released a patch to the device makers using the affected chipset.

However, the patches are not necessarily available to end users. The drivers distributed by device makers are all slightly different from the basic driver provided by Broadcom. This means that it is not possible to provide one patch for all the different hardware containing the chipset. ZERT has advised users to update to the latest available drivers for their hardware. It is aware of only one driver update, from Linksys, which specifically patches the problem.

The chipset is built into new machines from major manufacturers including HP, Dell, Gateway and eMachines. Some manufacturers, including Dell, have automatic systems for distributing updated drivers, while others do not, meaning that their clients are likely to remain vulnerable for some time.
