CVE-2017-11062

Vulnerability

A buffer overread vulnerability exists in the __wlan_hdd_cfg80211_do_acs function of the Qualcomm WLAN driver used in Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel. The function fails to validate attributes before processing them, allowing an attacker to trigger a read beyond the bounds of the allocated buffer. Affected devices include all Pixel/Nexus devices running Android 7.0, 7.1.1, 7.1.2, and 8.0 (as listed in the October 2017 Pixel/Nexus Security Bulletin) [1].

Exploitation

An attacker would need to be within Wi-Fi range of the target device and send a specially crafted Wi-Fi management frame that triggers the vulnerable code path in the driver. No authentication or user interaction is required; the vulnerability can be exploited without the device associating to the attacker's network. The exploitation is achieved by sending the malicious frame over the air, which is processed by the driver's ACS (Automatic Channel Selection) routine [1].

Impact

Successful exploitation could lead to a buffer overread, potentially causing information disclosure from kernel memory. The vulnerability is rated High severity (CVSS v3 base score 7.5). The overread could reveal sensitive data, such as encryption keys or other kernel-level information, although the bulletin does not confirm code execution [1].

Mitigation

The vulnerability was fixed in the October 2017 security update for Pixel/Nexus devices. Users should apply the Android security patch level of 2017-10-01 or later. No workarounds are available; updating the device is the only mitigation [1].