CVE-2015-9122

Vulnerability

A buffer overflow vulnerability exists in the Qualcomm Snapdragon modem firmware present in many Android devices. The flaw occurs when a SIM card sends a response of more than 64KB of data for a stream APDU (Application Protocol Data Unit) command. This affects devices running Android with a security patch level before April 2018 and using the following Qualcomm chipsets: MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, and SD 835 [1].

Exploitation

An attacker would require physical access to the device and the ability to insert a malicious SIM card or manipulate the SIM card's responses. No authentication or special network position is needed beyond the ability to send crafted APDU commands to the modem via the SIM interface. The attack does not require user interaction beyond the device being powered on and connected to a network.

Impact

If exploited, the buffer overflow could lead to arbitrary code execution within the context of the modem firmware, potentially allowing the attacker to compromise the device's baseband processor. This could enable interception or manipulation of cellular communications, or serve as a stepping stone for further compromise of the main application processor.

Mitigation

Google's Android Security Bulletin for April 2018 included a fix for this vulnerability. The patch was released on 2018-04-05 as part of the security patch level for that month. Users should update their devices to the April 2018 or later security patch level [1]. No workaround is available for unpatched devices, and affected chipsets should receive updates from their respective OEMs.