CVE-2016-10456

Q: What is the severity of CVE-2016-10456?

CVE-2016-10456 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows arbitrary command execution as root/system user on affected Qualcomm Snapdragon devices running Android. An attacker can execute commands up to 15 characters by providing an invalid interface name to the radish utility. Affects Android devices with Qualcomm chipsets before the April 2018 security patch.

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

This vulnerability allows arbitrary command execution as root/system user on affected Qualcomm Snapdragon devices running Android. An attacker can execute commands up to 15 characters by providing an invalid interface name to the radish utility. Affects Android devices with Qualcomm chipsets before the April 2018 security patch.

💻 Affected Systems

Products:

Qualcomm Snapdragon Mobile and Snapdragon Wear chipsets: MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDX20

Versions: Android versions before April 5, 2018 security patch level

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Requires radish utility to be present and executable on the device. Most affected devices are mobile phones and wearables.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise with root privileges, allowing installation of persistent malware, data theft, and complete system control.

🟠

Likely Case

Local privilege escalation leading to unauthorized access to sensitive data and system resources.

🟢

If Mitigated

Limited impact if device is fully patched and has proper application sandboxing in place.

🌐 Internet-Facing: LOW - Requires local access to device, not directly exploitable over network.

🏢 Internal Only: HIGH - Malicious apps or users with physical access can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires local access to device and ability to execute radish with malicious parameters. Could be exploited by malicious apps or users with shell access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level April 5, 2018 or later

Vendor Advisory: https://source.android.com/security/bulletin/2018-04-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in device settings. 2. Apply the April 2018 or later security patch. 3. Reboot device after update completes. 4. Verify patch level in Settings > About phone > Android security patch level.

🔧 Temporary Workarounds

Remove radish executable

android

Remove or restrict execution permissions for the radish binary if present on device

adb shell rm /system/bin/radish
adb shell chmod 000 /system/bin/radish

Restrict shell access

android

🧯 If You Can't Patch

Isolate affected devices from sensitive networks and data
Implement strict application whitelisting to prevent malicious app installation

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone. If date is before April 2018, device is vulnerable. Also check if radish binary exists: adb shell ls -la /system/bin/radish

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows April 2018 or later. Test radish execution with invalid interface name should fail.

📡 Detection & Monitoring

Log Indicators:

Unusual radish process execution
Failed radish commands with invalid interface names
Unexpected system command execution from user processes

Network Indicators:

None - local exploitation only

SIEM Query:

process_name:"radish" AND (command_line:"*invalid*" OR command_line:"*interface*" OR command_line_length<16)

📊 Metadata

CVE ID: CVE-2016-10456

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-20

Published: April 18, 2018

Last Updated: November 21, 2024

🔗 References

http://www.securityfocus.com/bid/103671 Third Party Advisory,VDB Entry
https://source.android.com/security/bulletin/2018-04-01 Vendor Advisory
http://www.securityfocus.com/bid/103671 Third Party Advisory,VDB Entry
https://source.android.com/security/bulletin/2018-04-01 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Mdm9206 Firmware by Qualcomm

Mdm9607 Firmware by Qualcomm

Mdm9615 Firmware by Qualcomm

Mdm9635m Firmware by Qualcomm

Mdm9640 Firmware by Qualcomm

Mdm9650 Firmware by Qualcomm

Msm8909w Firmware by Qualcomm

Sd 205 Firmware by Qualcomm

Sd 210 Firmware by Qualcomm

Sd 212 Firmware by Qualcomm

Sd 400 Firmware by Qualcomm

Sd 410 Firmware by Qualcomm

Sd 412 Firmware by Qualcomm

Sd 415 Firmware by Qualcomm

Sd 425 Firmware by Qualcomm

Sd 430 Firmware by Qualcomm

Sd 450 Firmware by Qualcomm

Sd 600 Firmware by Qualcomm

Sd 615 Firmware by Qualcomm

Sd 616 Firmware by Qualcomm

Sd 617 Firmware by Qualcomm

Sd 625 Firmware by Qualcomm

Sd 650 Firmware by Qualcomm

Sd 652 Firmware by Qualcomm

Sd 800 Firmware by Qualcomm

Sd 808 Firmware by Qualcomm

Sd 810 Firmware by Qualcomm

Sd 820 Firmware by Qualcomm

Sd 835 Firmware by Qualcomm

Sdx20 Firmware by Qualcomm