cutimage - Fotolia

How has a Broadcom flaw affected the Lenovo ThinkPad?

A previously disclosed flaw found in Broadcom's Wi-Fi controller chips is now believed to affect the Lenovo ThinkPad. Learn how this vulnerability works with expert Judith Myerson.

Lenovo announced that a previously disclosed flaw in Broadcom Inc.'s Wi-Fi controller chips affects its ThinkPad product. What is the Broadcom flaw, and how can it be used by attackers?

Broadcom's Wi-Fi controller chips are vulnerable to a critical memory flaw. Attackers can exploit the Broadcom flaw to cause remote chip control or denial-of-service (DoS) attacks in the Lenovo ThinkPad. Gaining access to the memory in the chip is not required, and very little knowledge or skill is necessary to render all the radio resources useless.

The Broadcom flaw allows attackers to create a malformed Radio Resource Management (IEEE 802.11k) Neighbor Report frame that contains measurements of radio resources. Successful exploitation can trigger an internal buffer overflow in the Wi-Fi controller chips, enabling attackers to insert a backdoor into the chip's firmware (CVE-2017-11120). After gaining remote control, attackers can send a series of read/write commands through this backdoor, and then the internal buffer overflow will prevent clients from sending legitimate neighbor reports to each other.

Attackers can also use over-the-air Fast Transition, also known as Fast Roaming/Fast BSS Transition (IEEE 802.11r), frames to cause DoS problems by triggering heap or stack overflows (CVE-2017-11121). This protocol reduces the length of time it takes to re-establish connectivity between a laptop and the Wi-Fi infrastructure, as both the length of time it takes to re-connect to Wi-Fi and the interruptions visible to the human eye would cause the user to be suspicious.

By using heap and stack overflows in memory, the stack can either grow into the heap or overrun it. Some heap chucks are created when certain memory functions are freed after the initialization of the chip's firmware, while other data and patches to the memory can be adversely impacted.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Network security