Security researchers from the Mandiant firm have discovered a “high severity” vulnerability in the Qualcomm tethering controller (CVE-2016-2060) that could be exploited by a malicious application to access user information.
Recently Google released an Android update that addresses tens of vulnerabilities, including the Qualcomm one.
FireEye reported the issue to Qualcomm in January and the vendor issued a fix by early March and sent the update to various device manufacturers that will have to distribute the patch to the end-users.
The flaw affects the Android network daemon ‘netd’ and was introduced by Qualcomm when it provided new APIs for the ‘network_manager’ system service.
“CVE-2016-2060 is a lack of input sanitization of the “interface” parameter of the “netd” daemon, a daemon that is part of the Android Open Source Project (AOSP). ” states FireEye in a blog post. “The vulnerability was introduced when Qualcomm provided new APIs as part of the “network_manager” system service, and subsequently the “netd” daemon, that allow additional tethering capabilities, possibly among other things. Qualcomm had modified the “netd” daemon.”
The issue in the Qualcomm software affects devices running Android 5.0 Lollipop and earlier, a significant impact if we consider that more or less 73 percent of Android devices are affected by the vulnerability. Fortunately, the vulnerability has limited impact on mobile devices running Android 4.4 and later due to significant security enhancements.
The experts also highlighted that the Qualcomm software is used in several projects, including the popular CyanogenMod. The flaw can be exploited by attackers to escalate privileges to the built-in “radio” user, its permissions higher than the ones normally assigned to third-party apps.
An attacker can use a malicious application that is granted the “ACCESS_NETWORK_STATE” permission that is so allowed to invoke the vulnerable API.
“The most feasible way of exploiting CVE-2016-2060 is by creating a malicious application. A malicious application needs only to request access to the “ACCESS_NETWORK_STATE” permission, a widely requested permission. Figure 16 shows how the “addUpstreamV6Interface(..)” method can be used to inject the command ‘id’.” continues the post.
What could an attacker do if they successfully exploit this vulnerability?
On vulnerable older devices, the attackers can use a malicious application to extract the SMS database and phone call database, access the Internet, and perform any operation allowed by the “radio” user.
On vulnerable new devices, the attackers have fewer options to violate the device, for example, they can modify additional system properties. In both cases, the victims have no indication of the ongoing attack.
“It should be noted that once the vulnerability is exploited, there is no indication to the user that something has happened. For example, there is no performance impact or risk of crashing the device.”
(Security Affairs – Qualcomm software flaw, Android)