The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.
Quarkslab has researched and reported multiple vulnerabilities affecting Broadcom WiFi drivers.
Vulnerabilities in the open-source brcmfmac driver:
In the worst-case scenario, by sending specially crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service conditions.
The brcmfmac driver has been patched to address these vulnerabilities.
The following workarounds can help mitigate this and other WiFi vulnerabilities:
Thanks to Hugues Anguelkov for reporting this vulnerability during his internship at Quarkslab.