Monday, October 7, 2024
HomeSecurity NewsCritical WiFi Buffer Overflow Vulnerability Impacts Lenovo Thinkpad Series Laptops

Critical WiFi Buffer Overflow Vulnerability Impacts Lenovo Thinkpad Series Laptops

Published on

Lenovo published a security advisory for Critical Arbitrary code execution vulnerability that affects Lenovo Thinkpad Series Laptop.

The two code execution vulnerabilities (CVE-2017-11120, CVE-2017-11121) resides with Broadcom WiFi controllers that used in ThinkPad products.

The critical buffer overflow flaws resides with the adapter used by Broadcom’s wireless LAN driver and it can be remotely exploited by an attacker. Both the vulnerabilities have Exploitability Subscore of 10.

- Advertisement - EHA

By installing the backdoor attacker can gain R/W access to the firmware and no user interaction is needed.

Also Read Most Important Network Security & Penetration Testing Tools for Hackers and Security Professionals

CVE-2017-11120 – On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204.

Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).Beniamini added.

CVE-2017-11121 also discovered by Beniamini – On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to a denial of service or other effects, aka B-V2017061205.

Lenovo Thinkpad vulnerabilities – Products Impacted

Following are the products impacted and Lenovo strongly recommends to update Wi-Fi driver’s in the affected versions.

ThinkPad 10, ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260 and ThinkPad Yoga 260.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical PDF.js & React-PDF Vulnerabilities Threaten Millions Of PDF Users

A new critical vulnerability has been discovered in PDF.js, which could allow a threat...

LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely From Any Browser, Anywhere

LayerX, pioneer of the LayerX Browser Security platform, today announced $24 million in Series...

Email Header Analysis – Verify Received Email is Genuine or Spoofed

Email Header Analysis highly required process to prevent malicious threats since Email is...