CVE-2015-9220
Description
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 625, SD 810, SD 820, and SDX20, integer overflow occurs when the size of the firmware section is incorrectly encoded in the firmware image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Qualcomm firmware-image parsing bug lets crafted images cause an integer overflow, enabling arbitrary code execution in the Wi-Fi kernel context on multiple Snapdragon chips.
Vulnerability
In Android before the 2018-04-05 security patch level, the Qualcomm firmware image parser on several Snapdragon Mobile and Snapdragon Wear SoCs (IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 625, SD 810, SD 820, and SDX20) contains an integer overflow [1]. The overflow occurs when the size field of a firmware section is encoded with an incorrect (maliciously crafted) value in a firmware image. The vulnerable code resides in the Wi-Fi kernel driver that processes firmware loading. No special configuration is required beyond the ability to supply a crafted firmware image to the device [1].
Exploitation
An attacker needs the ability to load a malicious firmware image onto the target device. This could be achieved by physical access, by compromising the update mechanism, or by convincing a user to install a malicious firmware blob. The attacker crafts a firmware image with an oversized section size field, which triggers the integer overflow during parsing. The overflow leads to a buffer being allocated with an insufficient size relative to the subsequent data copy, causing a heap-based buffer overflow [1].
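The allocation-versus-copy mismatch described above, as an added example that is not Qualcomm's driver code or part of the original record. The header layout (two little-endian 32-bit fields), the FW_PAD constant and all function names are assumptions made for illustration; the sample image bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical section header: two little-endian u32 fields. This layout is
 * an assumption for illustration, not the real Qualcomm image format. */
struct fw_section { uint32_t offset; uint32_t size; };
#define FW_HDR_LEN 8u
#define FW_PAD     16u   /* assumed per-section bookkeeping bytes */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The failing pattern: 32-bit arithmetic on an untrusted size wraps, so the
 * allocation length ends up smaller than the size later used for the copy. */
static uint32_t alloc_len_unchecked(uint32_t size) {
    return size + FW_PAD;
}

/* Hardened: read the header at hdr_off, then validate before any arithmetic.
 * Returns 0 and sets *alloc_len on success, -1 if the image is rejected. */
static int fw_section_alloc_len(const uint8_t *img, size_t img_len,
                                size_t hdr_off, size_t *alloc_len) {
    struct fw_section s;
    if (img_len < FW_HDR_LEN || hdr_off > img_len - FW_HDR_LEN)
        return -1;                        /* header itself out of bounds */
    s.offset = rd_le32(img + hdr_off);
    s.size   = rd_le32(img + hdr_off + 4);
    if (s.size == 0 || s.offset > img_len)
        return -1;
    /* Subtraction form cannot wrap: the payload must lie inside the image. */
    if (s.size > img_len - s.offset || s.size > SIZE_MAX - FW_PAD)
        return -1;
    *alloc_len = (size_t)s.size + FW_PAD;
    return 0;
}

int main(void) {
    /* Constructed 64-byte image: offset = 8, size = 0xFFFFFFF8. */
    uint8_t img[64] = {8, 0, 0, 0, 0xF8, 0xFF, 0xFF, 0xFF};
    size_t n = 0;
    int rc = fw_section_alloc_len(img, sizeof img, 0, &n);
    printf("unchecked alloc length: %u bytes\n",
           (unsigned)alloc_len_unchecked(0xFFFFFFF8u));
    printf("checked parser: %s\n", rc == 0 ? "accepted" : "rejected");
    return rc == -1 ? 0 : 1;
}
```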
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the Wi-Fi kernel subsystem. This can lead to full compromise of the device’s kernel, enabling the attacker to bypass Android security mechanisms, install persistent malware, or exfiltrate sensitive data. The impact is High with a CVSS v3.0 base score of 9.8 [1].
Mitigation
The vulnerability is addressed in the Android 2018-04-05 security patch level [1]. All affected Snapdragon chips listed above require the updated firmware to correct the integer overflow. No workarounds are documented; updating to or beyond the April 2018 security patch is the only mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 2018-04-05
- Range: < 2018-04-05
- Qualcomm, Inc./Snapdragon Mobile, Snapdragon Wear (v5). Range: IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 625, SD 810, SD 820, SDX20
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/103671 (mitre; vdb-entry, x_refsource_BID)
- source.android.com/security/bulletin/2018-04-01 (mitre; x_refsource_CONFIRM)