Main Vulnerability Database SB2016050944

SB2016050944 - Missing authorization in Linux kernel

Published: May 9, 2016

Security Bulletin ID SB2016050944

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing authorization (CVE-ID: CVE-2015-0571)

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify authorization for private SET IOCTL calls, which allows attackers to gain privileges via a crafted application, related to wlan_hdd_hostapd.c and wlan_hdd_wext.c.

Remediation

Install update from vendor's website.

References

http://source.android.com/security/bulletin/2016-05-01.html
http://www.securityfocus.com/bid/77691
https://www.codeaurora.org/projects/security-advisories/multiple-issues-wlan-driver-allow-local-privilege-escalation-cve-2015