Multiple Vulnerabilities in WLAN Driver (CVE-2016-2470, CVE-2016-2472, CVE-2016-2474, CVE-2016-2498, CVE-2016-3792, CVE-2016-3797)

Release Date:

July 21, 2016

Affected Projects:

Android for MSM
Firefox OS for MSM
QRD Android

Advisory ID:

QCIR-2016-00024-1

CVE ID(s):

CVE-2016-2470
CVE-2016-2472
CVE-2016-2474
CVE-2016-2498
CVE-2016-3792
CVE-2016-3797

Summary:

CVE-2016-2470

Description: An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Medium because it first requires compromising a service that can call the driver. When processing private wireless extensions ioctl commands, the WLAN driver does not verify that arguments are in user space.
Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')

---

CVE-2016-2472

Description: An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Medium because it first requires compromising a service that can call the driver. When invoking the WLAN_PRIV_SET_WAPI_KEY ioctl, if the sum of the lengths of the Wireless Privacy Infrastructure encryption key and MIC key is larger than CSR_MAX_KEY_LEN, a kernel stack-based buffer overflow occurs.
Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')

---

CVE-2016-2474

Description: An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. When invoking the CCXBEACONREQ ioctl, if the number of beacon IE fields specified is more than the maximum number of beacon IE fields allowed, a buffer overflow occurs.
Access Vector: Local
Security Risk: High
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')

---

CVE-2016-2498

Description: An information disclosure in the WLAN driver could enable a local malicious application to access data outside of its permission levels. When processing private wireless extensions ioctl commands, the WLAN driver does not verify that arguments are in user space.
Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-200 Information Disclosure

---

CVE-2016-3792

Description: An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Medium because it first requires compromising a service that can call the driver. When processing private wireless extensions ioctl commands, the WLAN driver does not verify that arguments are in user space.
Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
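The CVE-2016-2472 entry above describes a missing bound on the combined length of two caller-supplied keys. The following is an added example, not code from the advisory or the QuIC driver: a user-space model of the check an ioctl handler needs before copying those keys into a fixed CSR_MAX_KEY_LEN buffer. The value of CSR_MAX_KEY_LEN, the struct layout and the function names are constructed for illustration; only the constant's name and the key/MIC fields come from the advisory.

```c
/* Added example: length validation for a WLAN_PRIV_SET_WAPI_KEY-style
 * request before the handler copies key material into a fixed-size
 * kernel buffer. Everything below is a constructed model, not driver code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CSR_MAX_KEY_LEN 32u        /* constructed value; the real one is driver-defined */

struct wapi_key_req {              /* constructed model of the ioctl argument */
    uint32_t key_len;              /* caller-supplied, untrusted */
    uint32_t mic_len;              /* caller-supplied, untrusted */
    uint8_t  key[64];
    uint8_t  mic[64];
};

/* Returns 0 when both keys fit in a CSR_MAX_KEY_LEN buffer together,
 * -EINVAL otherwise. Each length is bounded before the addition so the
 * 32-bit sum cannot wrap past the check. The second test is the one the
 * advisory reports as missing: the *sum* must also fit. */
int wapi_key_lengths_ok(uint32_t key_len, uint32_t mic_len)
{
    if (key_len > CSR_MAX_KEY_LEN || mic_len > CSR_MAX_KEY_LEN)
        return -EINVAL;
    if (key_len + mic_len > CSR_MAX_KEY_LEN)
        return -EINVAL;
    return 0;
}

/* Copies key then MIC into dst only after validation; returns the number
 * of bytes written or a negative errno. In a real driver req would first
 * be fetched with copy_from_user() rather than dereferenced directly,
 * which is the user-space pointer check the other CVEs here are about. */
int copy_wapi_key(uint8_t *dst, size_t dst_len, const struct wapi_key_req *req)
{
    int rc = wapi_key_lengths_ok(req->key_len, req->mic_len);
    if (rc)
        return rc;
    if (dst_len < CSR_MAX_KEY_LEN)
        return -EINVAL;
    memcpy(dst, req->key, req->key_len);
    memcpy(dst + req->key_len, req->mic, req->mic_len);
    return (int)(req->key_len + req->mic_len);
}
```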


Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

Acknowledgement:

These issues were reported to Google by security researchers. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing these issues to our attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com