CVE-2017-11061

Vulnerability

A buffer over-read vulnerability exists in the Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel. The issue occurs while processing the cfg80211 vendor subcommand QCA_NL80211_VENDOR_SUBCMD_ROAM. Affected versions include all Android releases from CAF up to the October 2017 security patch level [1].

Exploitation

An attacker with local access to the device or the ability to send crafted vendor commands to the wireless subsystem could trigger the buffer over-read. The attacker needs to have sufficient privileges to interact with the cfg80211 vendor command interface. The exact sequence involves sending a malicious QCA_NL80211_VENDOR_SUBCMD_ROAM command that causes the driver to read beyond the allocated buffer boundaries [1].

Impact

Successful exploitation could lead to an out-of-bounds read, potentially exposing sensitive kernel memory contents to an attacker. This could result in information disclosure, compromising the confidentiality of system data [1].

Mitigation

Google addressed this vulnerability in the October 2017 Pixel/Nexus Security Bulletin. The fix is included in the Android security patch level of 2017-10-05 or later. Users should update their devices to the latest security patch level [1].