CVE-2022-25710: Denial of Service Vulnerability Found in Snapdragon Platforms Due to Null Pointer Dereference When GATT is Disconnected
A vulnerability tracked as CVE-2022-25710 affects several Qualcomm Snapdragon platforms, including Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, and Snapdragon Voice & Music. It is a Denial of Service (DoS) condition caused by a null pointer dereference in the Bluetooth stack when a Generic Attribute Profile (GATT) connection is disconnected. This post covers the vulnerability, what exploiting it requires, an illustrative code snippet, and links to the original sources for more information.
Vulnerability Details
The flaw is in the Bluetooth Low Energy (BLE) GATT handling of the affected Snapdragon platforms. Qualcomm's public description states only the trigger condition: when a GATT connection is disconnected, the teardown path dereferences a null pointer. In a Bluetooth stack that means the process or subsystem handling Bluetooth crashes and must restart, leaving Bluetooth (and, depending on where the stack runs, the whole device) unavailable to users until it does. That is the classic shape of a DoS bug, and an attacker in radio range who can establish and then drop a GATT connection can trigger it again after each restart.
This vulnerability does not, by itself, let an attacker execute arbitrary code or gain unauthorized access to the system. Its impact is on availability: the affected device's Bluetooth functionality, and whatever depends on it, is disrupted.
Here is a simplified, illustrative snippet of the vulnerable pattern (not Qualcomm's actual source):
void gatt_process_connection_termination (uint16_t conn_id) {
    gatt_connection_t *p_conn = gatt_get_connection(conn_id);
    // No NULL check: p_conn is NULL if conn_id is unknown or already torn down
    gatt_cleanup_connection(p_conn);   // dereferences p_conn -> crash
}
In the code above, gatt_get_connection() returns a null pointer when no live connection matches conn_id, which happens when the disconnect event arrives for a connection that has already been torn down (for example a duplicate or out-of-order disconnect). Neither the caller nor gatt_cleanup_connection() checks for NULL before using the pointer, so the stack dereferences address zero and crashes.
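The following is an added example, not code from the post or from Qualcomm, that puts the vulnerable pattern next to its hardened form on a small constructed connection table. All names (gatt_connection_t, gatt_get_connection, gatt_cleanup_connection, the _vuln and _fixed handlers, the status codes) are hypothetical, modelled on the snippet above. The hardened handler treats "no such connection" as an ordinary protocol event and reports a status instead of dereferencing, so a duplicate or stale disconnect is dropped rather than crashing the stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and layout, modelled on the snippet in the post. */
#define GATT_MAX_CONN 4

typedef enum {
    GATT_OK          = 0,
    GATT_ERR_NO_CONN = 1   /* no live connection with that conn_id */
} gatt_status_t;

typedef struct {
    bool     in_use;
    uint16_t conn_id;
    uint16_t mtu;
} gatt_connection_t;

/* Constructed in-memory connection table standing in for the stack's real one. */
static gatt_connection_t g_conn_tbl[GATT_MAX_CONN];

/* Register a connection; returns NULL when the table is full. */
gatt_connection_t *gatt_add_connection(uint16_t conn_id, uint16_t mtu)
{
    for (size_t i = 0; i < GATT_MAX_CONN; i++) {
        if (!g_conn_tbl[i].in_use) {
            g_conn_tbl[i].in_use  = true;
            g_conn_tbl[i].conn_id = conn_id;
            g_conn_tbl[i].mtu     = mtu;
            return &g_conn_tbl[i];
        }
    }
    return NULL;
}

/* Look up a connection by id; returns NULL when conn_id is not live. */
gatt_connection_t *gatt_get_connection(uint16_t conn_id)
{
    for (size_t i = 0; i < GATT_MAX_CONN; i++) {
        if (g_conn_tbl[i].in_use && g_conn_tbl[i].conn_id == conn_id)
            return &g_conn_tbl[i];
    }
    return NULL;
}

/* Releases per-connection state. Writes through p_conn without checking it,
 * which is the property the post attributes to gatt_cleanup_connection(). */
static void gatt_cleanup_connection(gatt_connection_t *p_conn)
{
    p_conn->in_use  = false;   /* faults if p_conn == NULL */
    p_conn->conn_id = 0;
    p_conn->mtu     = 0;
}

/* Vulnerable pattern: the lookup result goes straight to cleanup. A disconnect
 * for an id that is unknown, or already torn down by an earlier event, makes
 * p_conn NULL and crashes the stack. Deliberately not called from main(). */
void gatt_process_connection_termination_vuln(uint16_t conn_id)
{
    gatt_connection_t *p_conn = gatt_get_connection(conn_id);
    gatt_cleanup_connection(p_conn);
}

/* Hardened pattern: a missing connection is reported as a status code and
 * never dereferenced. */
gatt_status_t gatt_process_connection_termination_fixed(uint16_t conn_id)
{
    gatt_connection_t *p_conn = gatt_get_connection(conn_id);
    if (p_conn == NULL)
        return GATT_ERR_NO_CONN;   /* stale or duplicate disconnect: drop it */
    gatt_cleanup_connection(p_conn);
    return GATT_OK;
}

/* Number of live entries, so callers can verify the table state. */
size_t gatt_active_connections(void)
{
    size_t n = 0;
    for (size_t i = 0; i < GATT_MAX_CONN; i++)
        n += g_conn_tbl[i].in_use ? 1 : 0;
    return n;
}

int main(void)
{
    gatt_add_connection(0x0001, 23);
    /* First disconnect succeeds; the duplicate and the unknown id are rejected. */
    printf("first  : %d\n", gatt_process_connection_termination_fixed(0x0001));
    printf("second : %d\n", gatt_process_connection_termination_fixed(0x0001));
    printf("unknown: %d\n", gatt_process_connection_termination_fixed(0x0042));
    printf("live   : %zu\n", gatt_active_connections());
    return 0;
}
```

The point of the fixed handler is that the second disconnect for 0x0001 and the disconnect for an id that was never connected both return GATT_ERR_NO_CONN and leave the table untouched; the vulnerable handler would fault on either. In a real stack the same check belongs in every path that consumes a lookup result, not only in the disconnect handler.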
Exploit Details
To exploit this vulnerability, an attacker must be within Bluetooth range of the device and able to establish a GATT (BLE) connection to it; connecting to an advertising BLE peripheral normally requires no pairing. Once connected, the attacker terminates the connection in a way that drives the stack into the faulty disconnect path. The public advisory does not document which disconnect sequences reach it, so the "crafted packet" in the sketch below is a placeholder, not a known trigger.
A sketch of what such a script might look like in Python, using the gattlib module shipped by the "pygattlib" project:
# gattlib is the module name installed by the pygattlib project
from gattlib import GATTRequester

# Insert your target Bluetooth device's MAC address here
target_device_mac = "00:11:22:33:44:55"

# Connect to the target device using GATT (second argument: connect immediately)
requester = GATTRequester(target_device_mac, True)

# Craft a payload intended to tear down GATT and reach the null pointer dereference
disconnect_packet = ...

# Write the payload to an attribute handle on the target
requester.write_by_handle(..., disconnect_packet)
Note that this is only a sketch of the shape of such a script, not a working exploit: the attribute handle and payload are left unspecified because the advisory does not describe them.
Mitigation and Prevention
Qualcomm has acknowledged the issue and released a fix to device manufacturers. Manufacturers should integrate the patch into their products and push updates to end users; users should install the latest available software update for their device. Until the update is installed, the only way to remove the attack surface is to keep Bluetooth turned off when it is not needed, since the bug is reachable by anyone in radio range.
Here are some useful links for more information about the vulnerability and the affected products:
1. Official Qualcomm Security Bulletin: https://www.qualcomm.com/company/product-security/bulletins/july-2022-bulletin
2. Common Vulnerabilities and Exposures (CVE) Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25710
3. National Vulnerability Database (NVD) Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-25710
Summary
In conclusion, CVE-2022-25710 is a significant availability vulnerability across the listed Qualcomm Snapdragon platforms: a null pointer dereference when GATT is disconnected crashes the Bluetooth stack, yielding a denial of service. Device manufacturers should ship Qualcomm's fix, and users should install the update to mitigate the risk.
Timeline
Published on: 11/15/2022 10:15:00 UTC
Last modified on: 11/17/2022 21:49:00 UTC