CVE-2023-1380 Overview
A slab-out-of-bounds read vulnerability has been discovered in the Linux kernel's Broadcom wireless driver, specifically in the brcmf_get_assoc_ies function located in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. This memory safety issue occurs when the assoc_info->req_len value exceeds the size of the allocated buffer, defined as WL_EXTRA_BUF_MAX, leading to an out-of-bounds read condition that can result in denial of service.
Critical Impact
Local attackers with low privileges can exploit this kernel out-of-bounds read to crash the system or potentially leak sensitive kernel memory, causing denial of service on systems using Broadcom wireless adapters.
Affected Products
- Linux Kernel (multiple versions through 6.3-rc7)
- Red Hat Enterprise Linux 8.0 and 9.0
- Debian Linux 10.0 and 11.0
- Canonical Ubuntu Linux 14.04 ESM, 16.04 ESM, 18.04 LTS, 20.04 LTS, and 22.04 LTS
- NetApp H300S, H410C, H410S, H500S, and H700S (firmware)
Discovery Timeline
- 2023-03-27 - CVE-2023-1380 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-1380
Vulnerability Analysis
This vulnerability (CWE-125: Out-of-bounds Read) exists within the Broadcom FullMAC WLAN driver (brcmfmac) that is commonly used for Broadcom wireless chipsets in Linux systems. The vulnerable function brcmf_get_assoc_ies() in cfg80211.c processes association information elements (IEs) received during wireless network association handshakes.
The core issue stems from insufficient bounds checking when copying association request data. When the assoc_info->req_len field contains a value larger than the statically defined buffer size WL_EXTRA_BUF_MAX, the kernel attempts to read beyond the allocated slab memory boundaries. This out-of-bounds read can cause the system to access uninitialized or adjacent memory regions.
Since this is a local attack vector requiring low privileges, an attacker would need local access to the system to trigger this condition. The vulnerability primarily impacts confidentiality (through potential information disclosure from kernel memory) and availability (through system crashes or kernel panics).
Root Cause
The root cause is improper input validation in the brcmf_get_assoc_ies() function. The code fails to properly validate that the length field assoc_info->req_len does not exceed the maximum buffer size WL_EXTRA_BUF_MAX before performing memory read operations. This missing bounds check allows the driver to read past the end of the allocated buffer when processing malformed or malicious association information.
Attack Vector
The attack requires local access to a system with a vulnerable Broadcom wireless adapter and the brcmfmac driver loaded. An attacker with low-level privileges can craft or trigger wireless association events with oversized req_len values. When the driver processes this malformed data, it reads beyond the buffer boundary, potentially causing:
- Kernel crash/panic - Reading invalid memory addresses can trigger system instability
- Information disclosure - Adjacent kernel memory contents may be exposed
- Denial of service - Repeated exploitation can render the system unusable
The vulnerability is triggered through the wireless association path, meaning the attacker would need to manipulate the wireless connection process or be in a position to provide malicious association data to the driver.
Detection Methods for CVE-2023-1380
Indicators of Compromise
- Unexpected kernel panics or system crashes related to the brcmfmac wireless driver module
- Kernel log entries showing memory access violations in brcmf_get_assoc_ies or related functions
- Abnormal wireless association behavior or repeated connection failures on Broadcom wireless interfaces
- KASAN (Kernel Address Sanitizer) reports indicating slab-out-of-bounds reads in the brcmfmac driver
Detection Strategies
- Deploy kernel live patching solutions to monitor and protect against exploitation attempts (see Kernel Live Patch Security Notice LSN-0095)
- Monitor system logs for kernel oops or panic messages referencing the brcmfmac module or cfg80211.c
- Use kernel debugging tools like KASAN to detect out-of-bounds memory access in wireless driver code paths
- Implement endpoint detection solutions that can identify unusual kernel behavior patterns
Monitoring Recommendations
- Enable kernel logging and configure alerts for wireless driver-related errors or crashes
- Monitor /var/log/kern.log and dmesg output for brcmfmac driver anomalies
- Track system stability metrics on hosts with Broadcom wireless hardware
- Consider using audit rules to monitor brcmfmac module loading and wireless interface activity
How to Mitigate CVE-2023-1380
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for CVE-2023-1380
- Apply vendor-specific security updates from your distribution (Red Hat, Debian, Ubuntu, etc.)
- If immediate patching is not possible, consider disabling or unloading the brcmfmac driver on affected systems
- Review Red Hat Bugzilla Report #2177883 for vendor-specific guidance
Patch Information
Security patches addressing this vulnerability have been released by major Linux distributions:
- Red Hat: Security advisories available through Red Hat Bugzilla Report #2177883
- Debian: Debian Security Advisory DSA-5480 and LTS announcements for Debian 10/11
- Ubuntu: Updates available for Ubuntu 14.04 ESM, 16.04 ESM, 18.04 LTS, 20.04 LTS, and 22.04 LTS
- NetApp: Refer to NetApp Security Advisory NTAP-20230511
The upstream kernel fix adds proper bounds checking to validate assoc_info->req_len against WL_EXTRA_BUF_MAX before processing association information elements.
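The unchecked read described under Root Cause and the bounds check described above, modelled side by side in user-space C. This is an added example, not the driver's code: struct assoc_ielen, both function names and the 2048-byte value used for WL_EXTRA_BUF_MAX are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WL_EXTRA_BUF_MAX 2048 /* assumed size for this model */

/* Simplified stand-in for the length header reported to the driver. */
struct assoc_ielen { uint32_t req_len, resp_len; };

/* Unchecked pattern: req_len is trusted, so a value above
 * WL_EXTRA_BUF_MAX makes memcpy read past the end of extra_buf.
 * Kept for contrast only; it is never called in this example. */
uint8_t *dup_req_ies_unchecked(const uint8_t *extra_buf, uint32_t req_len)
{
    uint8_t *copy = malloc(req_len ? req_len : 1);
    if (copy)
        memcpy(copy, extra_buf, req_len); /* no upper bound on req_len */
    return copy;
}

/* Hardened pattern: validate both lengths before touching the buffer.
 * Returns 0 on success, -EINVAL on an oversized length, -ENOMEM on OOM. */
int dup_req_ies_checked(const uint8_t *extra_buf,
                        const struct assoc_ielen *info,
                        uint8_t **out, uint32_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (info->req_len > WL_EXTRA_BUF_MAX || info->resp_len > WL_EXTRA_BUF_MAX)
        return -EINVAL; /* reject before any read happens */
    if (info->req_len == 0)
        return 0; /* nothing to copy */
    *out = malloc(info->req_len);
    if (!*out)
        return -ENOMEM;
    memcpy(*out, extra_buf, info->req_len);
    *out_len = info->req_len;
    return 0;
}

int main(void)
{
    uint8_t extra_buf[WL_EXTRA_BUF_MAX] = {0}, *ies;
    uint32_t len;
    struct assoc_ielen bad = { WL_EXTRA_BUF_MAX + 1, 0 }; /* constructed */
    /* Exit status 0 means the oversized length was rejected. */
    return dup_req_ies_checked(extra_buf, &bad, &ies, &len) == -EINVAL ? 0 : 1;
}
```

The check rejects a length of exactly WL_EXTRA_BUF_MAX + 1 while still accepting WL_EXTRA_BUF_MAX itself, which is the boundary a regression test for this class of bug should cover.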
Workarounds
- Disable the Broadcom FullMAC wireless driver by blacklisting the brcmfmac module if Broadcom wireless functionality is not required
- Use alternative wired network connections on affected systems until patches can be applied
- Implement kernel live patching solutions such as those described in Kernel Live Patch Security Notice LSN-0096
- Restrict local access to systems with vulnerable Broadcom wireless hardware
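```bash
# Unload the brcmfmac driver for the current boot (wireless on this adapter stops working)
sudo modprobe -r brcmfmac
# Blacklist the driver so it is not auto-loaded at boot
# (a blacklist entry does not block an explicit "modprobe brcmfmac")
echo "blacklist brcmfmac" | sudo tee /etc/modprobe.d/blacklist-brcmfmac.conf
# Verify the module is not loaded (no output means it is not loaded)
lsmod | grep brcmfmac
```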


