{"vuid":"VU#730261","idnumber":"730261","name":"Marvell Avastar wireless SoCs have multiple vulnerabilities","keywords":["marvell","avastar","Wi-Fi","wireless"],"overview":"Some Marvell Avastar wireless system on chip (SoC) models have multiple vulnerabilities, including a block pool overflow during Wi-Fi network scan.","clean_desc":"A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs (models 88W8787, 88W8797, 88W8801, 88W8897, and 88W8997). The presentation provides some detail about a block pool memory overflow. During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures. Because many devices conduct automatic background network scans, this vulnerability could be exploited regardless of whether the target is connected to a Wi-Fi network and without user interaction.","impact":"An unauthenticated attacker within Wi-Fi radio range may be able to use a specially-crafted series of Wi-Fi frames to execute arbitrary code on a system with a vulnerable Marvell SoC. Depending on implementation, the compromised SoC may then be used to intercept network traffic or achieve code execution on the host system.","resolution":"Marvell issued a statement and encourages customers to contact their Marvell representative for additional support. Microsoft issued an update to multiple Surface devices. See also the\nVendor Information section below.","workarounds":"Restrict physical access\nAn attacker needs to be within Wi-Fi radio range of the target to exploit the block pool overflow. Restricting access to the area around vulnerable devices may limit an attacker's ability to exploit this vulnerability. 
Disable Wi-Fi\nFor systems that have other connectivity options like wired ethernet, it may be possible and practical to disable Wi-Fi.","sysaffected":"","thanks":"This vulnerability was presented by Denis Selianin at the ZeroNights 2018 conference.","author":"This document was written by Will Dormann and David Warren.","public":["https://2018.zeronights.ru/wp-content/uploads/materials/19-Researching-Marvell-Avastar-Wi-Fi.pdf","https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/","https://youtu.be/Him_Lf5ZJ38","https://www.scribd.com/document/398350818/WiFi-CVE-2019-6496-Marvell-s-Statement","https://www.marvell.com/documents/pub6kqag6uk6ubau75ep/","https://github.com/kaloz/mwlwifi/issues/344","https://twitter.com/wdormann/status/1093941091043291136"],"cveids":["CVE-2019-6496"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2018-09-10T14:11:48Z","publicdate":"2018-11-21T00:00:00Z","datefirstpublished":"2019-02-05T17:45:37Z","dateupdated":"2019-04-19T17:53:48Z","revision":104,"vrda_d1_directreport":"1","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"A","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"8.3","cvss_basevector":"AV:A/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"6.1","cvss_environmentalscore":"4.61992175261568","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}