CVE-2017-11064
Description
A buffer overread in Qualcomm Wi-Fi driver functions allows a proximate attacker to crash the device via crafted vendor commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, a buffer overread vulnerability exists in the Wi-Fi driver (__wlan_hdd_cfg80211_set_passpoint_list and hdd_extscan_passpoint_fill_network_list functions). The flaw occurs during processing of the QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_PASSPOINT_LIST and QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_PNO_SET_LIST cfg80211 vendor commands. Affected devices include Pixel and Nexus devices prior to the October 2017 security patch level [1].
Exploitation
An attacker with proximity to the target device can send a maliciously crafted Wi-Fi vendor command. The exploitation does not require authentication or user interaction beyond being within Wi-Fi range. The overread is triggered when the driver parses the input data without adequately checking the length, reading beyond the intended buffer boundary.
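The missing length check described above, shown on a simplified netlink-style attribute. This is an added example, not the Qualcomm driver's code: the field size REALM_LEN, the buffer layout and all function names are assumptions made for illustration, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ATTR_HDRLEN 4u  /* 2-byte length + 2-byte type, laid out like struct nlattr */
#define REALM_LEN  16u  /* hypothetical fixed field size, chosen for this example */

/* Unchecked pattern: always reads REALM_LEN bytes, past the end of a short attribute. */
void fill_realm_unchecked(const uint8_t *attr, char realm[REALM_LEN])
{
    memcpy(realm, attr + ATTR_HDRLEN, REALM_LEN);
}

/* Checked pattern: 0 on success, -1 when the attribute is malformed. */
int fill_realm_checked(const uint8_t *attr, size_t remaining, char realm[REALM_LEN])
{
    uint16_t attr_len;
    if (remaining < ATTR_HDRLEN)
        return -1;                       /* header itself is truncated */
    memcpy(&attr_len, attr, sizeof(attr_len));
    if (attr_len < ATTR_HDRLEN || attr_len > remaining)
        return -1;                       /* declared length leaves the message */
    size_t payload_len = attr_len - ATTR_HDRLEN;
    if (payload_len == 0 || payload_len >= REALM_LEN)
        return -1;                       /* empty, or no room for the NUL */
    memset(realm, 0, REALM_LEN);
    memcpy(realm, attr + ATTR_HDRLEN, payload_len);
    return 0;
}

/* Constructed sample input: header plus payload; returns bytes actually present. */
size_t build_attr(uint8_t *out, uint16_t declared_len, const void *payload, size_t n)
{
    uint16_t type = 1;
    memcpy(out, &declared_len, sizeof(declared_len));
    memcpy(out + 2, &type, sizeof(type));
    memcpy(out + ATTR_HDRLEN, payload, n);
    return ATTR_HDRLEN + n;
}

int main(void)
{
    uint8_t msg[64];
    char realm[REALM_LEN];
    size_t n = build_attr(msg, ATTR_HDRLEN + 15, "abc", 3);  /* claims 15, carries 3 */
    printf("short attribute: %d\n", fill_realm_checked(msg, n, realm));
    n = build_attr(msg, ATTR_HDRLEN + 7, "example", 7);
    printf("valid attribute: %d (%s)\n", fill_realm_checked(msg, n, realm), realm);
    return 0;
}
```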
Impact
Successful exploitation results in a buffer overread, which can cause a kernel panic (denial of service). The vulnerability does not appear to allow arbitrary code execution or privilege escalation based on the available references, but it may be used to crash the device and disrupt Wi-Fi connectivity.
Mitigation
Google released a fix in the Pixel/Nexus Security Bulletin of October 2017. The Android Common Kernel (ACK) update includes the patch. Users should install Android security updates from their device vendor. There is no mention of a workaround; however, disabling Wi-Fi when not needed may mitigate proximity-based attacks. The bulletin lists the references QC-CR#2054770, QC-CR#2058447, QC-CR#2066628, and QC-CR#2087785 [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
0
No patches discovered yet.
References
- www.securityfocus.com/bid/101160 (nvd: Third Party Advisory, VDB Entry)
- source.android.com/security/bulletin/pixel/2017-10-01 (nvd: Vendor Advisory)