CVE-2022-3628: Understanding the Linux Kernel Broadcom Full MAC Wi-Fi Driver Buffer Overflow Vulnerability and Exploit

In this long-read post, we will dive deep into the details of a critical vulnerability that has been discovered recently in the Linux kernel Broadcom Full MAC Wi-Fi driver, which affects a wide range of Linux distributions, including but not limited to Ubuntu, Debian, Fedora, and CentOS. The vulnerability, identified as CVE-2022-3628, is a buffer overflow flaw that can be exploited via a malicious USB device when a user connects to it. Successful exploitation of this vulnerability can lead to system crashes or privilege escalation of a local user.

CVE-2022-3628: Technical Details

At its core, the CVE-2022-3628 vulnerability is a buffer overflow flaw that exists within the Linux kernel Broadcom Full MAC Wi-Fi driver, specifically in the brcmf_usbdev_urb_submit()-function. When a user connects to a malicious USB device, this function can be triggered, which can lead to a vulnerability that allows attackers to overwrite the memory, subsequently crashing the system or even allowing a local user to escalate their privileges.

The following code snippet demonstrates the vulnerability in the brcmf_usbdev_urb_submit() function within the Linux kernel:

static int brcmf_usbdev_urb_submit(struct brcmf_usbdev_info *devinfo,
				   struct brcmf_usbreq *req)
{
	int ret;

	req->urb->transfer_buffer_length = req->buf_len;
	req->urb->dev = devinfo->usbdev;
	ret = usb_submit_urb(req->urb, GFP_ATOMIC);
	if (ret) {
		brcmf_err("brcmf_usbdev_urb_submit failed with error %d\n", ret);
		req->urb->status = ret;
		return ret;
	}
	return ;
}

The issue stems from the input validation of the 'req->buf_len' parameter, allowing an attacker-controlled value to be passed along. This can result in the wrong buffer size being sent to the usb_submit_urb() function, causing a buffer overflow.

Exploiting CVE-2022-3628

To exploit this vulnerability, an attacker needs to craft a malicious USB device that can interact with the Linux kernel Broadcom Full MAC Wi-Fi driver. By controlling the 'req->buf_len' parameter sent to the brcmf_usbdev_urb_submit() function, the attacker can trigger the buffer overflow vulnerability, leading to potential system crashes or privilege escalation.

Although we will not be delving into creating the malicious USB device itself, it is important to understand the general process of creating such a device to wrap your head around the exploit.

Mitigations and Prevention

The good news is that the maintainers of the Linux kernel have already released a patch for this vulnerability. To safeguard your systems, you should apply this patch as soon as possible. To patch your affected systems, refer to your specific Linux distribution's documentation or consult the official security advisories released by the Linux kernel maintainers.

Linux kernel Git commit fixing this vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=725ea954080b74d605e136201a1aace61fe58c97

In addition to applying patches promptly, it is highly recommended to restrict USB device usage on sensitive systems and provide proper training to users on the risks of connecting untrusted USB devices to their systems.

Conclusion

CVE-2022-3628 is a critical buffer overflow flaw in the Linux kernel Broadcom Full MAC Wi-Fi driver that can lead to serious consequences if exploited. By understanding the technical details of this vulnerability and knowing how to apply the appropriate patches, you can take the necessary steps to protect your Linux-based systems from this threat. Educating users about the potential risks of connecting untrusted USB devices also bolsters your organization's overall security posture.

Timeline

Published on: 01/12/2023 19:15:00 UTC
Last modified on: 01/23/2023 15:13:00 UTC