High severity 7.5 · NVD Advisory · Published Nov 16, 2017 · Updated May 13, 2026

CVE-2017-11058

Description

A buffer over-read in Android's cfg80211 vendor command processing allows information disclosure via a crafted wireless request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer over-read vulnerability exists in the cfg80211 vendor command handler of the Linux kernel used in Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF. When processing a specially crafted cfg80211 vendor command, the kernel reads beyond the intended buffer boundaries. Affected versions include all Android kernel releases from CAF up to the November 2017 security patch level. The issue was fixed in the November 2017 Pixel/Nexus Security Bulletin [1].

Exploitation

An attacker must be able to send a crafted cfg80211 vendor command to the target device, typically over a wireless network interface. No authentication is required, but the attacker must have local access to the wireless subsystem, which in Android is exposed through the Wi-Fi driver interface. The specific sequence involves the attacker sending a malicious command with manipulated length fields that cause the kernel to read beyond the allocated buffer during parsing.
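
The bug class described above, a length field that is trusted during parsing, shown from the defensive side as an added example; it is not the CAF driver code or the actual fix, neither of which appears on this page. It assumes the vendor command data arrives as netlink-style attributes; `find_attr`, `put_attr`, `demo` and the sample values are hypothetical and constructed.

```c
#include <stdint.h>
#include <string.h>

/* Netlink attribute header (struct nlattr): 16-bit total length (header +
 * payload), then 16-bit type; attributes are padded to 4-byte alignment. */
#define ATTR_HDRLEN 4u
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)

/* Hypothetical helper: payload of the first attribute of `type` holding at least
 * `min_len` bytes, else NULL. Lengths from the buffer are checked before use. */
static const uint8_t *find_attr(const uint8_t *buf, size_t len,
                                uint16_t type, size_t min_len)
{
    size_t off = 0;
    while (off <= len && len - off >= ATTR_HDRLEN) {
        uint16_t alen, atype;
        memcpy(&alen, buf + off, 2);
        memcpy(&atype, buf + off + 2, 2);
        if (alen < ATTR_HDRLEN || alen > len - off)
            return NULL;   /* declared length runs past the buffer */
        if (atype == type) /* handler must not read more than is present */
            return alen - ATTR_HDRLEN >= min_len ? buf + off + ATTR_HDRLEN : NULL;
        off += ATTR_ALIGN((size_t)alen);
    }
    return NULL;
}

/* Builds one constructed attribute; declared_len is attacker-controlled. */
static size_t put_attr(uint8_t *dst, uint16_t declared_len, uint16_t type,
                       const void *payload, size_t payload_len)
{
    memcpy(dst, &declared_len, 2);
    memcpy(dst + 2, &type, 2);
    memcpy(dst + 4, payload, payload_len);
    return ATTR_HDRLEN + payload_len;
}

/* Bitmask: 1 = valid accepted, 2 = oversized length rejected, 4 = short payload rejected. */
int demo(void)
{
    uint8_t msg[16] = {0};
    uint32_t v = 0x11223344;
    size_t n = put_attr(msg, 8, 7, &v, 4);
    int r = find_attr(msg, n, 7, 4) == msg + 4 ? 1 : 0;
    n = put_attr(msg, 64, 7, &v, 4);     /* claims 64 bytes, only 8 present */
    r |= find_attr(msg, n, 7, 4) == NULL ? 2 : 0;
    n = put_attr(msg, 8, 7, &v, 4);      /* 4-byte payload, handler wants 8 */
    r |= find_attr(msg, n, 7, 8) == NULL ? 4 : 0;
    return r;
}
```

A handler that copies a fixed-size structure out of the payload should pass that structure's size as `min_len`, so a short attribute is rejected before any read happens.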

Impact

Successful exploitation results in a buffer over-read, which may disclose sensitive kernel memory contents to the attacker. This information disclosure could leak cryptographic keys, passwords, or other sensitive data from kernel heap memory. The attacker does not gain code execution or privilege escalation directly from this bug, but the leaked information could aid further attacks.

Mitigation

Google released a fix as part of the November 2017 Pixel/Nexus Security Bulletin, which includes kernel patches for all affected CAF-based Android kernels [1]. Users should apply the Android security update dated 2017-11-05 or later. Device vendors must also incorporate the patch from Code Aurora Forum (CAF). No workaround is available; the only mitigation is to install the patched kernel version.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Qualcomm, Inc./Android for MSM, Firefox OS for MSM, QRD Android v5
    Range: All Android releases from CAF using the Linux kernel

References

1
