CVE-2017-14878:Length Variable Overflow in Qualcomm MSM Components Leads to Denial of Service

splash
Back

Description Preview

CVE-2017-14878 affects Android for MSM, Firefox OS for MSM, QRD Android, and all Android releases from CAF using the Linux kernel. The vulnerability involves a length variable with a size of only 8 bits that is used to copy data. When this 8-bit length variable is exceeded, it can result in a denial of service condition. This improper input validation issue (CWE-20) was addressed in a security patch released by Qualcomm and included in the Android Security Bulletin of March 2018.

Overview

This vulnerability exists in Qualcomm's wireless components used in various Android devices. The core issue is that a length variable used for data copying operations is limited to 8 bits (maximum value of 255), but can receive values that exceed this limit. When larger values are provided, buffer overflow conditions can occur, leading to denial of service situations where the affected component or system becomes unresponsive or crashes. The vulnerability affects multiple Qualcomm-based Android systems and was categorized as an improper input validation issue (CWE-20).

Remediation

  1. Update affected devices to the security patch level of March 2018 or later, which includes the fix for this vulnerability.
  2. If you're a developer working with the affected code base, apply the patch referenced in the commit: 27f1c544d6737bcb3dc4bb114badcd47ce946a8b
  3. System administrators should ensure that all Qualcomm-based Android devices in their environment are updated with the latest security patches.
  4. If updates are not available for your device, consider limiting network connectivity or using the device in a restricted environment to reduce the risk of exploitation.
  5. Monitor system logs for unexpected crashes that might indicate exploitation attempts.

References

  1. Android Security Bulletin (March 2018): https://source.android.com/security/bulletin/2018-03-01
  2. Qualcomm patch commit: https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0/commit/?id=27f1c544d6737bcb3dc4bb114badcd47ce946a8b
  3. SecurityFocus vulnerability entry: http://www.securityfocus.com/bid/103254
  4. CWE-20 (Improper Input Validation): https://cwe.mitre.org/data/definitions/20.html

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
    Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  4. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  5. Construction
    Construction
  6. Educational Services
    Educational Services
  7. Finance and Insurance
    Finance and Insurance
  8. Health Care & Social Assistance
    Health Care & Social Assistance
  9. Information
    Information
  10. Management of Companies & Enterprises
    Management of Companies & Enterprises
  11. Manufacturing
    Manufacturing
  12. Mining
    Mining
  13. Other Services (except Public Administration)
    Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  15. Public Administration
    Public Administration
  16. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  17. Retail Trade
    Retail Trade
  18. Transportation & Warehousing
    Transportation & Warehousing
  19. Utilities
    Utilities
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background