security-advisory@quicinc.com
Multiple Vulnerabilities in WLAN Driver (CVE-2016-2470, CVE-2016-2472, CVE-2016-2474, CVE-2016-2498, CVE-2016-3792, CVE-2016-3797)
Release Date:
July 21, 2016
Affected Projects:
Android for MSMFirefox OS for MSMQRD Android
Advisory ID:
QCIR-2016-00024-1
CVE ID(s):
CVE-2016-2470CVE-2016-2472CVE-2016-2474CVE-2016-2498CVE-2016-3792CVE-2016-3797
Summary:
CVE-2016- 2470 Description An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Medium because it first requires compromising a service that can call the driver. When processing private wireless extensions ioctl commands, the WLAN driver does not verify that arguments are in user space. Access Vector: Local Security Risk: Medium Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') --- CVE-2016- 2472 Description An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Medium because it first requires compromising a service that can call the driver. When invoking the WLAN_PRIV_SET_WAPI_KEY ioctl, if the sum of the lengths of the Wireless Privacy Infrastructure encryption key and MIC key is larger than CSR_MAX_KEY_LEN, a kernel stack-based buffer overflow occurs. Access Vector: Local Security Risk: Medium Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') --- CVE-2016-2474 Description An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. When invoking the CCXBEACONREQ ioctl, if the number of beacon IE fields specified is more than the maximum number of beacon IE fields allowed, a buffer overflow occurs. Access Vector: Local Security Risk: High Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') --- CVE-2016- 2498 Description An information disclosure in the WLAN driver could enable a local malicious application to access data outside of its permission levels. When processing private wireless extensions ioctl commands, the WLAN driver does not verify that arguments are in user space. Access Vector: Local Security Risk: Medium Vulnerability: CWE-200 Information Disclosure --- CVE-2016-3792 Description An elevation of privilege vulnerability in the WLAN driver could enable a malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Medium because it first requires compromising a service that can call the driver. When processing private wireless extensions ioctl commands, the WLAN driver does not verify that arguments are in user space. Access Vector: Local Security Risk: Medium Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow')
Access Vector: Local
Security Risk:
Access Vector: Local
Affected Versions:
All Android releases from CAF using the Linux kernel.
Patch:
We advise customers to apply the following patches:
Individual PatchesCVE-2016-2470
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=05ce237387c6e1d101bbb4b825e56757576748e6
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=4fd81f97c3eaf42d506aa4f2b496862222c0a89d
CVE-2016- 2472
CVE-2016- 2474
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=d541aecce07c65fee3ad3a4d900016e4d22f2b3d
- https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=681c310490e49adc43065d1d11006c5a5dc43568
CVE-2016- 2498
CVE-2016- 3792
CVE-2016- 3797
Acknowledgement:
These issues were reported to Google by security researchers. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing these issues to our attention.
Revisions:
Initial revision