The flaw tracked as CVE-2017-11120, is a memory corruption vulnerability that could be exploited by attackers to execute code and establish a backdoor on a targeted device. T
The flaw initially reported affecting specific Broadcom chipsets used in Apple iPhones, Apple TV, and Android devices was patched in the same month.
The vulnerability, tracked as CVE-2017-11120, is a memory corruption vulnerability, Apple addressed it in the security update for the release of iOS 11.
Now Lenovo warns of the presence of the flaw in two dozen ThinkPad models that use Broadcom’s BCM4356 Wireless LAN Driver for Windows 10.
The Broadcom Wi-Fi chipsets used by Lenovo ThinkPad devices are affected by the CVE-2017-11120 flaw and also by the CVE-2017-11121 vulnerability, both issue are rated as “critical” and received a CVSS 10 score.
“Broadcom has issued an advisory for certain Broadcom WiFi controllers used by many computer and device makers, which contain buffer overflow vulnerabilities on the adapter (not the system CPU).“reads the security advisory.” Broadcom initially did not plan to remediate these issues, but when the WPA2 KRACK issue also emerged, Broadcom combined both fixes in to a single set of driver updates. Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed.”
The flaws can be exploited by remote attackers to execute arbitrary code on the adapter (not the system’s CPU) of the target system.
The CVE-2017-11121 vulnerability was also discovered by Google experts, it is a buffer overflow vulnerability caused by improper validation of Wi-Fi signals.
“Properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects,” reads the description for the flaw.
Lenovo users urge to update the Wi-Fi driver for their ThinkPad models.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.