Multiple Issues in WLAN Driver Allow Local Privilege Escalation (CVE-2015-0569, CVE-2015-0570, CVE-2015-0571)

Release Date: 
December 18, 2015
Advisory ID: 
QCIR-2015-00004-1
Summary: 

CVE-2015-0569:
A heap overflow occurs when setting packet filters using private wireless extensions IOCTLs because user-supplied lengths are used without verifying that the length does not exceed the size of the destination buffer.

Access Vector: local
Security Risk: high
Vulnerability: CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

CVE-2015-0570:
A stack overflow occurs when the SET_WPS_IE IOCTL is invoked if the user-supplied length of a WPS IE element exceeds the default data length.

Access Vector: local
Security Risk: high
Vulnerability: CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

CVE-2015-0571:
WLAN private set IOCTLs can be invoked with insufficient privileges.

Access Vector: local
Security Risk: high
Vulnerability: CWE-284 (Improper Access Control)
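
The checks whose absence the three entries above describe, as an added example that is not the WLAN driver's code or the advisory's patch: a user-space C model in which every name, structure and buffer size is hypothetical, and a plain flag stands in for a kernel privilege check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names and sizes are hypothetical; this is not the WLAN driver's code. */
#define MAX_FILTER_LEN 8
#define MAX_WPS_IE_LEN 64

struct filter_req {              /* request exactly as the caller supplied it */
    uint8_t data_len;            /* caller-controlled length field */
    uint8_t data[255];
};
struct filter_slot {             /* fixed-size destination owned by the driver */
    uint8_t len;
    uint8_t data[MAX_FILTER_LEN];
};

/* Assumption: stand-in for a kernel check such as capable(CAP_NET_ADMIN). */
static int caller_is_net_admin;

/* CWE-284 pattern: "set" operations refuse unprivileged callers first. */
static int check_set_privilege(void)
{
    return caller_is_net_admin ? 0 : -EPERM;
}

/* CWE-120 pattern, packet filter: the length must fit the destination buffer. */
int set_packet_filter(struct filter_slot *dst, const struct filter_req *req)
{
    if (check_set_privilege() != 0)
        return -EPERM;
    if (req->data_len > sizeof(dst->data))
        return -EINVAL;          /* copy would run past dst->data */
    memcpy(dst->data, req->data, req->data_len);
    dst->len = req->data_len;
    return 0;
}

/* CWE-120 pattern, WPS IE: same rule for a fixed-size on-stack buffer. */
int set_wps_ie(const uint8_t *ie, size_t ie_len)
{
    uint8_t local[MAX_WPS_IE_LEN];
    if (check_set_privilege() != 0)
        return -EPERM;
    if (ie_len == 0 || ie_len > sizeof(local))
        return -EINVAL;          /* longer than the on-stack buffer */
    memcpy(local, ie, ie_len);
    return local[ie_len - 1];    /* last byte copied, 0..255 on success */
}
```
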

Affected versions:
All Android releases from CAF using the Linux kernel.

Patch: 

We advise customers to apply the following patches:

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks Renjia Lu for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: 
security-advisory@quicinc.com