CVE-2017-11060

Vulnerability

The vulnerability is a buffer overread in the Qualcomm Wi-Fi driver on Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel [1]. The overread occurs in the __wlan_hdd_cfg80211_set_passpoint_list and hdd_extscan_passpoint_fill_network_list functions when processing the QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST and QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_LIST cfg80211 vendor commands [1]. Affected versions include all Android releases from CAF using the Linux kernel up to the October 2017 security patch level [1].

Exploitation

An attacker must be in a position to send a specially crafted vendor command over the air to an affected device [1]. No authentication is required beyond being within Wi-Fi range, and the attacker does not need any user interaction beyond the device being connected to the same Wi-Fi network [1]. The exploit sequence involves sending a malformed NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST or NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_LIST command that triggers the buffer overread in the driver's kernel handler [1].

Impact

A successful exploit results in a buffer overread, which can cause a denial of service (system crash or reboot) or lead to disclosing sensitive kernel memory contents to the attacker [1]. The overread occurs in kernel space, so the attacker may gain access to kernel addresses or other protected data, but code execution is not suggested in the references [1]. The impact is limited to adjacent network access (not remote over the internet) [1].

Mitigation

Google released a fix as part of the October 2017 Pixel/Nexus Security Bulletin [1]. The fix is in kernel code; affected users should install the monthly Android security update for their device if available, or check with their OEM for the patch [1]. No workaround is mentioned in the bulletin for devices that cannot be updated [1].