Google and Core Security are at odds over the severity of a vulnerability affecting a number of Android mobile devices, details of which were released by the security vendor today.
The issue was reported to the Android security team on Sept. 26 and in subsequent communication between the two parties, the severity of the vulnerability was debated, culminating today with Core’s disclosure.
Google three times acknowledged Core’s report and request for a timeline on a patch, and each time Google said it did not have one. The flaw is a remotely exploitable denial-of-service vulnerability in Wi-Fi-Direct, a standard that allows wireless devices to connect directly. The implementation is used not only between Android devices, but also printers, cameras, PCs and more. Corelabs, Core’s research lab, said the vulnerability is an uncaught exception (CVE-2014-0997), and that Android devices scanning for Wi-Fi Direct devices are affected.
“An attacker could send a specially crafted 802.11 Probe Response frame causing the Dalvik subsystem to reboot because of an Unhandle Exception on WiFiMonitor class,” Core said in its advisory published today on the Full Disclosure mailing list. Expert Jon Oberheide of Duo Security said that since devices aren’t continuously scanning for peer-to-peer connections, the severity of the vulnerability is lessened.
“So, given the limited vulnerability window when a device may be looking for peers, the requirement that an attacker must have physical proximity to broadcast the malformed IEs to the victim’s device, and the impact of only causing a device reboot, I think it’s fairly low severity,” he said. Core identified Nexus 5 and Nexus 4 devices running Android 4.4.4 are vulnerable, as are LG D806 and Samsung SM-T310 devices running Android 4.2.2, and Motorola Razr HD devices on 4.1.2. Android 5.0.1 and 5.0.2 are not vulnerable, according to the advisory.
“On some Android devices when processing a probe response frame with a WiFi-Direct information element that contains a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException,” Core said in its advisory. “As this exception is not handled, the Android system restarts.” Details and vulnerable code snippets and a proof of concept are available on the advisory.
The dispute between the two sides began in late September when Core informed the Android security team, sending it technical details and the proof of concept, as well as a publication date of Oct. 20. Google said on Oct. 16 that it classified the vulnerability as low severity and that it did not have a timeline to release a patch. Core said in its reply that it did not agree with the classification, and that it would reschedule publication of its advisory. Google then “strengthened its position” that it had no immediate plans to patch, Core said.
Earlier this month, Core resurrected the issue, to which Google replied on Jan. 16 that it still had no timeline for a patch release. On Jan. 19, Core asked Google for cooperation in order to “keep the process coordinated” and informed the Android security team that the advisory was rescheduled to today. Once more on Jan. 20, Google said it had no patch timeline.
The spat comes on the heel of recent disclosures by Google’s Project Zero research team. Around the first of the year, Project Zero disclosed a trio of Windows zero-day vulnerabilities, one of those two days before Microsoft had scheduled to release a patch. Then last week, Project Zero’s self-imposed 90-day deadline on three Apple Mac OS X vulnerabilities expired.
