Both vulnerabilities are tied to controllers used by Broadcom’s wireless LAN driver that contain buffer overflow flaws, which can be exploited by an attacker that can gain arbitrary code execution on the adapter, but not the targeted system’s CPU. Both CVEs are rated “critical” and have scores of 10 on Mitre’s CVSS scale.
The CVE-2017-11120 vulnerability was first identified by Google Project Zero researcher Gal Beniamini in June and disclosed publicly in September as a proof-of-concept
bug report.
“Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” Beniamini said.
The vulnerability lives in Broadcom chips used by Apple in the iPhone and other products, including tvOS used in Apple TV, and watchOS used in the Apple Watch. Android also makes use of the same chips, and Google patched the bug in the September Android Security Bulletin.
As for CVE-2017-11121, that vulnerability was also discovered by Beniamini and is a buffer overflow vulnerability caused by improper validation of Wi-Fi signals. “Properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects,” according to researchers.
The vulnerability also impacted Apple’s iOS and tvOS along with Google’s Android OS. Patches were issued for the vulnerability in September.