google-site-verification: google30a059f9a075f398.html

Lenovo Warns Critical WiFi Vulnerability Impacts Dozens of ThinkPad Models

CyberWisdom Safe Harbor Commentary on WiFi Vulnerability:

Threatpost.com talks about things we don’t talk about but Lenovo warned customers on Friday that two key Broadcom vulnerabilities affected 25 models of its popular ThinkPad brand. The vulnerabilities were first disclosed in September and initially were reported only for specific Broadcom chipsets used in the Apple iPhone, Apple TV, and Android devices.

Lenovo has extended the list to include twenty ThinkPad with Broadcom’s BCM4356 wireless LAN driver (for Windows 10). According to Lenovo Consulting, the Wi-Fi chipset contains the same firmware vulnerabilities CVE-2017-11120 and CVE-2017-11121 for both Apple and Google in September.

Both of these vulnerabilities are related to controllers used by Broadcom wireless LAN drivers that include a buffer overflow vulnerability that allows an attacker to execute arbitrary code execution on the adapter but not the target system’s CPU. Both CVEs were rated as “critical” and scored 10 on the Miter CVSS scale.

WiFi Vulnerability

Google Project Zero researcher Gal Beniamini first discovered the CVE-2017-11120 vulnerability in June and released a vulnerability report in September.

“When the exploit is successfully executed, a backdoor is inserted into the firmware that allows remote read / write commands to the firmware through well-designed operation frames (enabling easy remote control via the Wi-Fi chip),” Beniamini said.

The vulnerability exists in Broadcom chips used by Apple in the iPhone and other products, including tvOS for Apple TV and watchOS for Apple Watch. Android also uses the same chip, Google bug fixes in the September Android Security Bulletin.

As for CVE-2017-11121, Beniamini also discovered the vulnerability and is a buffer overflow vulnerability due to incorrect validation of Wi-Fi signals. The researchers said: “Correctly crafted malicious wireless fast-conversion frames can cause internal Wi-Fi firmware stacks and/or stack overflow, resulting in denial of service or other effects.”

The vulnerability also affected Apple’s iOS and tvOS as well as Google’s Android operating system. A patch was released for the vulnerability in September.

Lenovo is recommending that affected ThinkPad customers update their Wi-Fi driver version. The affected ThinkPad SKUs are: ThinkPad 10, ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260, and ThinkPad Yoga 260.

Read More…

Lenovo issued a security bulletin Friday warning customers of two previously disclosed critical Broadcom vulnerabilities impacts 25 models of its popular ThinkPad laptops. Engaging post, Read More…

thumbnail courtesy of threatpost.com

Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad

http://securityaffairs.co/wordpress/68923/hacking/lenovo-thinkpad-flaws.htmlAccording to a security advisory issued by Lenovo, two critical vulnerabilities in Broadcom chipsets affects at least 25 models of Lenovo ThinkPad. The affected models are ThinkPad 10,  ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260 and ThinkPad Yoga 260. One of the flaws was discovered in June by Google that publicly disclosed Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad


If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post » Lenovo Warns Critical WiFi Vulnerability Impacts Dozens of ThinkPad Models