CVE-2017-15831

Vulnerability

In Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, the function wma_ndp_end_indication_event_handler() in the WLAN driver fails to validate the event_info value received from firmware. This lack of input validation can cause an integer overflow, which then leads to a potential heap overwrite. The affected code is reachable when the device processes NDP (NAN Data Path) end indication events from the firmware [1].

Exploitation

An attacker must be able to send a crafted NDP end indication event from firmware to the host driver. This typically requires either physical proximity to trigger the event or compromise of the firmware. No user interaction is needed once the event is processed, and the vulnerability can be triggered without any special permissions on the device [1].

Impact

Successful exploitation allows an attacker to write attacker-controlled data to heap memory outside the intended buffer. This can lead to memory corruption and potentially arbitrary code execution in the context of the kernel, resulting in a complete compromise of the device's confidentiality, integrity, and availability [1].

Mitigation

Google released a fix as part of the March 2018 Pixel/Nexus Security Bulletin, with security patch level 2018-03-05 or later. Users should apply the OTA update or flash the factory image provided by Google for supported devices. Partners were notified at least a month before the bulletin date [1].