Multiple Issues in WLAN Driver Allow Local Privilege Escalation (CVE-2015-0569, CVE-2015-0570, CVE-2015-0571)

Release Date:

December 18, 2015

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2015-00004-1

CVE ID(s):

CVE-2015-0569, CVE-2015-0570, CVE-2015-0571

Summary:

CVE-2015-0569: A heap overflow occurs when setting packet filters using private wireless extensions IOCTLs because user-supplied lengths are used without verifying that the length does not exceed the size of the destination buffer. Vulnerability: CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

CVE-2015-0570: A stack overflow occurs when the SET_WPS_IE IOCTL is invoked if the user-supplied length of a WPS IE element exceeds the default data length. Vulnerability: CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))

CVE-2015-0571: WLAN private set IOCTLs can be invoked with insufficient privileges. Vulnerability: CWE-284 (Improper Access Control)
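The checks whose absence the three entries above describe, as an added user-space model in C; this is not QuIC's patch or code from the WLAN driver. All struct, function and constant names are hypothetical, and the `has_net_admin` flag is an assumed stand-in for a kernel privilege check such as `capable(CAP_NET_ADMIN)`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILTER_DATA 8  /* hypothetical size of the driver's destination buffer */

struct filter_req {        /* hypothetical request as copied in from user space */
    uint8_t data_len;      /* caller-controlled length */
    uint8_t data[255];     /* caller-controlled payload */
};
struct filter_slot {       /* hypothetical driver-side storage */
    uint8_t len;
    uint8_t data[MAX_FILTER_DATA];
};
struct caller { bool has_net_admin; };  /* models a privilege check result */

/* Returns 0 on success or a negative errno; req_size is the byte count received. */
int set_packet_filter(const struct caller *who, const struct filter_req *req,
                      size_t req_size, struct filter_slot *dst)
{
    const size_t hdr = offsetof(struct filter_req, data);
    if (!who->has_net_admin)                /* CWE-284: gate "set" requests */
        return -EPERM;
    if (req_size < hdr)                     /* length field itself must be present */
        return -EINVAL;
    if (req->data_len > sizeof(dst->data))  /* CWE-120: must fit the destination */
        return -EINVAL;
    if (req->data_len > req_size - hdr)     /* must not exceed bytes supplied */
        return -EINVAL;
    memcpy(dst->data, req->data, req->data_len);
    dst->len = req->data_len;
    return 0;
}

/* Builds a constructed request and returns the handler's verdict. */
int run_case(bool privileged, uint8_t claimed_len, size_t payload_bytes)
{
    struct caller who = { privileged };
    struct filter_req req;
    struct filter_slot slot = { 0 };
    memset(&req, 0xAA, sizeof(req));
    req.data_len = claimed_len;
    return set_packet_filter(&who, &req, offsetof(struct filter_req, data) + payload_bytes, &slot);
}

int main(void) { printf("%d %d %d\n", run_case(true, 8, 8), run_case(true, 200, 200), run_case(false, 4, 4)); return 0; }
```

The same ordering applies whether the destination is heap- or stack-allocated: reject the caller first, then validate the claimed length against both the destination size and the bytes actually received before any copy.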

Access Vector: Local
Security Risk: High

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks Renjia Lu for reporting the related issues and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com