Three-quarters of Android devices affected by the Qualcomm software flaw

Pierluigi Paganini May 06, 2016

Mandiant – FireEye has disclosed the details of a serious information disclosure vulnerability affecting one of the Qualcomm software package widely used.

Security researchers from the Mandiant firm have discovered a “high severity” vulnerability in the Qualcomm tethering controller (CVE-2016-2060) that could be exploited by a malicious application to access user information.

Recently Google released an Android update that addresses tens of vulnerabilities, including the Qualcomm one.

FireEye reported the issue to Qualcomm in January and the vendor issued a fix by early March and sent the update to various device manufacturers that will have to distribute the patch to the end-users.

The flaw affects the Android network daemon ‘netd’ and was introduced by Qualcomm when it provided new APIs for the ‘network_manager’ system service.

“CVE-2016-2060 is a lack of input sanitization of the “interface” parameter of the “netd” daemon, a daemon that is part of the Android Open Source Project (AOSP). ” states FireEye in a blog post. “The vulnerability was introduced when Qualcomm provided new APIs as part of the “network_manager” system service, and subsequently the “netd” daemon, that allow additional tethering capabilities, possibly among other things. Qualcomm had modified the “netd” daemon.”

The issue in the Qualcomm software affects devices running Android 5.0 Lollipop and earlier, a significant impact if we consider that more or less 73 percent of Android devices are affected by the vulnerability.  Fortunately, the vulnerability has limited impact on mobile devices running Android 4.4 and later due to significant security enhancements.

Android stats  Qualcomm software flaw

The experts also highlighted that the Qualcomm software is used in several projects, including the popular CyanogenMod. The flaw can be exploited by attackers to escalate privileges to the built-in “radio” user, its permissions higher than the ones normally assigned to third-party apps.

An attacker can use a malicious application that is granted the “ACCESS_NETWORK_STATE” permission that is so allowed to invoke the vulnerable API.

“The most feasible way of exploiting CVE-2016-2060 is by creating a malicious application. A malicious application needs only to request access to the “ACCESS_NETWORK_STATE” permission, a widely requested permission. Figure 16 shows how the “addUpstreamV6Interface(..)” method can be used to inject the command ‘id’.” continues the post.

Android Qualcomm software flaw

What could an attacker do if they successfully exploit this vulnerability?

On vulnerable older devices, the attackers can use a malicious application to extract the SMS database and phone call database, access the Internet, and perform any operation allowed by the “radio” user.

On vulnerable new devices, the attackers have fewer options to violate the device, for example, they can modify additional system properties. In both cases, the victims have no indication of the ongoing attack.

“It should be noted that once the vulnerability is exploited, there is no indication to the user that something has happened. For example, there is no performance impact or risk of crashing the device.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Qualcomm software flaw, Android)



you might also like

leave a comment