Attacker Value: Low (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

2011/2012 Mac EFI firmware leaves BCM4331 wireless enabled when transferring control to the bootloader/OS

Last updated February 13, 2020

Description

The EFI firmware on Macs contains a full-fledged network stack for downloading OS X images from osrecovery.apple.com. Unfortunately, on Macs introduced in 2011 and 2012, EFI brings up the Broadcom 4331 wireless card on every boot and leaves it enabled even after ExitBootServices has been called. The card continues to assert its IRQ line, causing spurious interrupts if the IRQ is shared. It also corrupts memory by DMAing received packets into memory it was never told to release, allowing for remote code execution over the air.
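The two hazards named above, a device that can still DMA and one that can still assert INTx after the firmware hands off, both show up in a single place: the PCI command register. The following is an added example, not code from this page or from any OS or bootloader project, modelling what an early-boot quirk does to quiesce such a card: it finds the function by vendor/device ID (Broadcom 0x14e4, BCM4331 0x4331), checks whether Bus Master Enable is still set or INTx Disable is still clear, and fixes both bits. Real fixes (the GRUB change mentioned in the analysis below, and the later kernel quirk) reset the card itself; this model stays at the generic PCI level so the check is visible. The configuration space is a constructed in-memory table, and the second function's IDs are placeholders.

```c
/* Added model of an early-boot PCI quirk that quiesces a wireless card the
 * firmware left running: clear Bus Master Enable (no more DMA) and set INTx
 * Disable (no more IRQ assertion) in the PCI command register. Bit positions
 * follow the PCI specification; the config space below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_VENDOR_ID_OFFSET      0x00
#define PCI_DEVICE_ID_OFFSET      0x02
#define PCI_COMMAND_OFFSET        0x04
#define PCI_COMMAND_MASTER        (1u << 2)   /* Bus Master Enable */
#define PCI_COMMAND_INTX_DISABLE  (1u << 10)  /* INTx assertion disabled */

#define BROADCOM_VENDOR_ID 0x14e4
#define BCM4331_DEVICE_ID  0x4331

/* One PCI function: a label plus its simulated 64-byte type-0 header. */
struct pci_dev {
    const char *bdf;   /* bus:device.function, for reporting only */
    uint8_t cfg[64];
};

static uint16_t cfg_read16(const struct pci_dev *d, size_t off)
{
    return (uint16_t)(d->cfg[off] | ((uint16_t)d->cfg[off + 1] << 8));
}

static void cfg_write16(struct pci_dev *d, size_t off, uint16_t v)
{
    d->cfg[off] = (uint8_t)(v & 0xff);
    d->cfg[off + 1] = (uint8_t)(v >> 8);
}

/* Detection: 1 if the function could still DMA or raise INTx after handoff. */
int pci_dev_still_active(const struct pci_dev *d)
{
    uint16_t cmd = cfg_read16(d, PCI_COMMAND_OFFSET);
    int can_dma = (cmd & PCI_COMMAND_MASTER) != 0;
    int can_irq = (cmd & PCI_COMMAND_INTX_DISABLE) == 0;
    return can_dma || can_irq;
}

int pci_dev_is_bcm4331(const struct pci_dev *d)
{
    return cfg_read16(d, PCI_VENDOR_ID_OFFSET) == BROADCOM_VENDOR_ID &&
           cfg_read16(d, PCI_DEVICE_ID_OFFSET) == BCM4331_DEVICE_ID;
}

/* Mitigation: quiesce every matching function; returns how many were changed. */
int quiesce_bcm4331(struct pci_dev *devs, size_t n)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!pci_dev_is_bcm4331(&devs[i]) || !pci_dev_still_active(&devs[i]))
            continue;
        uint16_t cmd = cfg_read16(&devs[i], PCI_COMMAND_OFFSET);
        cmd &= (uint16_t)~PCI_COMMAND_MASTER;   /* stop DMA */
        cmd |= PCI_COMMAND_INTX_DISABLE;        /* stop the IRQ line */
        cfg_write16(&devs[i], PCI_COMMAND_OFFSET, cmd);
        changed++;
    }
    return changed;
}

static void set_ids(struct pci_dev *d, const char *bdf,
                    uint16_t vid, uint16_t did, uint16_t cmd)
{
    memset(d, 0, sizeof *d);
    d->bdf = bdf;
    cfg_write16(d, PCI_VENDOR_ID_OFFSET, vid);
    cfg_write16(d, PCI_DEVICE_ID_OFFSET, did);
    cfg_write16(d, PCI_COMMAND_OFFSET, cmd);
}

/* Constructed sample bus: the BCM4331 as firmware leaves it (memory space and
 * bus mastering on, INTx enabled) plus an unrelated function with placeholder IDs. */
size_t build_sample_bus(struct pci_dev *devs, size_t cap)
{
    if (cap < 2)
        return 0;
    set_ids(&devs[0], "03:00.0", BROADCOM_VENDOR_ID, BCM4331_DEVICE_ID, 0x0006);
    set_ids(&devs[1], "00:1f.3", 0x1234, 0x5678, 0x0006); /* placeholder IDs */
    return 2;
}

int main(void)
{
    struct pci_dev bus[2];
    size_t n = build_sample_bus(bus, 2);
    for (size_t i = 0; i < n; i++)
        printf("%s before: active=%d\n", bus[i].bdf, pci_dev_still_active(&bus[i]));
    int changed = quiesce_bcm4331(bus, n);
    for (size_t i = 0; i < n; i++)
        printf("%s after:  active=%d\n", bus[i].bdf, pci_dev_still_active(&bus[i]));
    printf("quiesced %d function(s)\n", changed);
    return 0;
}
```

On a running Linux system the same two bits can be inspected with `setpci` on the device's COMMAND register, which is the quickest way to confirm whether a firmware-initialised device reached the OS with bus mastering still on.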

Ratings
  • Attacker Value
    Low
  • Exploitability
    Very Low
Technical Analysis

This wasn’t vulnerable in OpenBSD, because it didn’t free the memory the chip was writing to back to the kernel. On Linux boxes running a kernel < 2016, this could be RCE over wireless, and was proven to be a DoS, but for only a short time since the GRUB mitigation that put the chip to sleep helped a lot.

Basically, it depends on a lot of circumstances, on hardware that is increasingly aging and irrelevant.
