VYPR
Unrated severity · NVD Advisory · Published Mar 16, 2018 · Updated Sep 17, 2024

CVE-2017-18059


Description

In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation of the vdev id received from firmware in wma_scan_event_callback() leads to a potential out-of-bounds memory read.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper validation of a firmware-provided vdev ID in Qualcomm WLAN leads to an out-of-bounds memory read on Android devices from CAF.

Vulnerability

In Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, the WLAN driver function wma_scan_event_callback() fails to validate the vdev id received from firmware. This improper input validation can result in an out-of-bounds memory read when the id is used as an array index. Affected versions include all Android releases from CAF prior to the March 2018 security patch level [1].

Exploitation

An attacker must first compromise the firmware on the device to send a crafted scan event containing an invalid vdev id. No user interaction or special local privileges are required beyond the firmware-level access. Upon receiving the malformed event, the driver proceeds to read memory outside the intended bounds without validation [1].

Impact

Successful exploitation leads to an out-of-bounds memory read, which can disclose sensitive kernel or device memory contents. This could potentially leak cryptographic keys, passwords, or other confidential data to the attacker who controls the firmware. The vulnerability does not directly allow code execution or privilege escalation [1].

Mitigation

Google released a fix as part of the 2018-03-05 security patch level for Pixel and Nexus devices. The fix involves adding proper validation of the vdev id before it is used as an index. Affected devices should be updated to the March 2018 or later security patch level. No workaround is available without updating the driver or kernel [1].
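
The kind of check described above, as an added example that is not the Qualcomm driver's code: a firmware-supplied vdev id is compared against the size of the per-vdev table before it is used as an index. The event layout, `MAX_VDEVS`, the function names and the sample events are hypothetical and constructed for illustration; the buffer-length check is an extra assumption beyond what the advisory states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_VDEVS 4   /* hypothetical size of the per-vdev table */
static const uint32_t vdev_scan_id[MAX_VDEVS] = { 100, 200, 300, 400 };

/* Hypothetical wire layout of a scan event delivered by firmware. */
struct scan_event { uint32_t event_type; uint32_t vdev_id; uint32_t scan_id; };

/* "Before": vdev_id comes straight from the event and indexes the table
 * unchecked, so any value >= MAX_VDEVS reads past the end of the array.
 * Shown for contrast only; nothing in this example calls it. */
int handle_scan_event_unchecked(const uint8_t *buf, size_t len)
{
    struct scan_event ev;
    (void)len;                               /* length is ignored as well */
    memcpy(&ev, buf, sizeof(ev));
    return vdev_scan_id[ev.vdev_id] == ev.scan_id;
}

/* "After": reject short buffers and out-of-range ids before any table access.
 * Returns 1 if scan_id matches the vdev's scan, 0 if not, -1 if rejected. */
int handle_scan_event_checked(const uint8_t *buf, size_t len)
{
    struct scan_event ev;
    if (buf == NULL || len < sizeof(ev))
        return -1;
    memcpy(&ev, buf, sizeof(ev));
    if (ev.vdev_id >= MAX_VDEVS)             /* unsigned, so no negative case */
        return -1;
    return vdev_scan_id[ev.vdev_id] == ev.scan_id;
}

/* Serialize a constructed event and pass it to the checked handler. */
int check_event(uint32_t vdev_id, uint32_t scan_id, size_t len)
{
    struct scan_event ev = { 1, vdev_id, scan_id };
    uint8_t buf[sizeof(ev)];
    memcpy(buf, &ev, sizeof(ev));
    return handle_scan_event_checked(buf, len);
}

int main(void)
{
    printf("vdev 2: %d\n", check_event(2, 300, sizeof(struct scan_event)));
    printf("vdev 4: %d\n", check_event(4, 300, sizeof(struct scan_event)));
    return 0;
}
```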

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
