CVE-2017-18060
Description
In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, improper input validation for resp_event->vdev_id in wma_unified_bcntx_status_event_handler(), which is received from firmware, leads to potential out of bounds memory read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Qualcomm WLAN driver allows out-of-bounds memory read via crafted firmware event.
Vulnerability
In Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel, the function wma_unified_bcntx_status_event_handler() in the WLAN driver does not properly validate the resp_event->vdev_id field received from firmware. This lack of input validation can lead to an out-of-bounds memory read when the vdev_id is used as an index without bounds checking. The vulnerability affects devices with Qualcomm MSM chipsets and is present in all Android versions from CAF prior to the March 2018 security patch level [1].
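The pattern described above, as an added example: this is a simplified model written for this page, not the qcacld driver's code. The struct layouts, function names, and the `MAX_VDEVS` table size are hypothetical. It shows a handler that indexes a table with a firmware-supplied `vdev_id` beside a wrapper that rejects out-of-range values first.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VDEVS 4 /* assumed table size for this model */

/* Hypothetical, simplified stand-ins for the driver's types. */
struct vdev_entry { int in_use; };
struct wlan_ctx {
    uint32_t max_vdevs;                 /* number of valid slots in vdevs[] */
    struct vdev_entry vdevs[MAX_VDEVS];
    uint32_t last_tx_status;
};

/* Event as delivered by firmware: every field is untrusted input. */
struct bcntx_status_event { uint32_t vdev_id; uint32_t tx_status; };

/* Before: vdev_id indexes the table directly, so any value >= MAX_VDEVS
 * makes the in_use load read memory past the end of vdevs[]. */
int handle_bcntx_status_unchecked(struct wlan_ctx *ctx,
                                  const struct bcntx_status_event *ev)
{
    const struct vdev_entry *v = &ctx->vdevs[ev->vdev_id];
    if (!v->in_use)
        return -ENOENT;
    ctx->last_tx_status = ev->tx_status;
    return 0;
}

/* After: reject the event before the index is ever used. The comparison is
 * unsigned, so 0xFFFFFFFF cannot slip through as a negative value. */
int handle_bcntx_status_checked(struct wlan_ctx *ctx,
                                const struct bcntx_status_event *ev)
{
    if (!ctx || !ev || ctx->max_vdevs > MAX_VDEVS)
        return -EINVAL;
    if (ev->vdev_id >= ctx->max_vdevs)
        return -EINVAL;
    return handle_bcntx_status_unchecked(ctx, ev);
}

int main(void)
{
    struct wlan_ctx ctx = { .max_vdevs = MAX_VDEVS, .vdevs = { [1] = { 1 } } };
    struct bcntx_status_event ok = { 1, 7 }, bad = { 0xFFFFFFFFu, 7 }; /* constructed */
    printf("valid: %d, out-of-range: %d\n",
           handle_bcntx_status_checked(&ctx, &ok),
           handle_bcntx_status_checked(&ctx, &bad));
    return 0;
}
```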
Exploitation
An attacker with the ability to send a crafted firmware event to the WLAN driver can trigger the vulnerability. The attacker must be able to influence the vdev_id field in the wma_unified_bcntx_status_event structure. No authentication or user interaction is required if the attacker can communicate with the firmware interface. The out-of-bounds read occurs when the driver processes the event and uses the attacker-controlled vdev_id to access an array without proper bounds checking [1].
Impact
Successful exploitation results in an out-of-bounds memory read, which could lead to information disclosure. The attacker may be able to read sensitive kernel memory contents, potentially bypassing security mitigations such as KASLR. The impact is limited to information disclosure; code execution is not directly possible from this vulnerability [1].
Mitigation
Google released a fix for this vulnerability in the March 2018 Pixel/Nexus Security Bulletin, with a security patch level of 2018-03-05. All supported Google devices received the update. For other Android devices using CAF kernels, the fix is available from Qualcomm and should be incorporated by device manufacturers. Users are advised to install the latest security updates from their device vendor [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- source.android.com/security/bulletin/pixel/2018-03-01 (mitre, x_refsource_CONFIRM)
- source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/ (mitre, x_refsource_MISC)