CVE-2016-10479

Q: What is the severity of CVE-2016-10479?

CVE-2016-10479 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on affected Android devices by sending specially crafted messages to the QMI Proxy service. It affects Android devices with Qualcomm Snapdragon chipsets before the April 2018 security patch. The vulnerability enables complete system compromise through an out-of-bounds write in the stack.

9.8 CRITICAL

Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected Android devices by sending specially crafted messages to the QMI Proxy service. It affects Android devices with Qualcomm Snapdragon chipsets before the April 2018 security patch. The vulnerability enables complete system compromise through an out-of-bounds write in the stack.

💻 Affected Systems

Products:

Android devices with Qualcomm Snapdragon chipsets

Versions: Android versions before April 2018 security patch (2018-04-05)

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Affects specific Qualcomm Snapdragon models: MDM9607, MDM9615, MDM9635M, MDM9640, SD 210/SD 212/SD 205, SD 400, SD 600, SD 615/16/SD 415, SD 617, SD 650/52, SD 800, SD 810, and SD 820.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, data theft, persistent backdoor installation, and device takeover.

🟠

Likely Case

Remote code execution allowing attackers to install malware, steal sensitive data, or use the device as part of a botnet.

🟢

If Mitigated

Limited impact if devices are patched and network segmentation prevents direct access to vulnerable services.

🌐 Internet-Facing: HIGH - Vulnerable devices exposed to the internet can be directly attacked remotely.

🏢 Internal Only: MEDIUM - Requires network access to vulnerable devices, but internal attackers could exploit it.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending specially crafted messages to the QMI Proxy service, but no public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level 2018-04-05 or later

Vendor Advisory: https://source.android.com/security/bulletin/2018-04-01

Restart Required: Yes

Instructions:

1. Check current Android security patch level in Settings > About phone > Android security patch level. 2. If before April 2018, update to latest Android version with April 2018 or later security patch. 3. Restart device after update.

🔧 Temporary Workarounds

Network segmentation

all

Isolate vulnerable devices from untrusted networks to prevent remote exploitation.

Disable unnecessary services

android

Disable QMI Proxy service if not required for device functionality.

🧯 If You Can't Patch

Replace affected devices with updated hardware
Implement strict network access controls to isolate vulnerable devices

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android security patch level. If date is before 2018-04-05, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows 2018-04-05 or later date.

📡 Detection & Monitoring

Log Indicators:

Unusual QMI Proxy service activity
Crash logs from QMI-related processes
Unexpected privilege escalation

Network Indicators:

Unusual network traffic to QMI Proxy port
Suspicious messages to device management services

SIEM Query:

source="android_logs" AND (process="qmi" OR process="qmiproxy") AND (event="crash" OR event="buffer_overflow")

📊 Metadata

CVE ID: CVE-2016-10479

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 18, 2018

Last Updated: November 21, 2024

🔗 References

http://www.securityfocus.com/bid/103671 Third Party Advisory,VDB Entry
https://source.android.com/security/bulletin/2018-04-01 Vendor Advisory
http://www.securityfocus.com/bid/103671 Third Party Advisory,VDB Entry
https://source.android.com/security/bulletin/2018-04-01 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Mdm9607 Firmware by Qualcomm

Mdm9615 Firmware by Qualcomm

Mdm9635m Firmware by Qualcomm

Mdm9640 Firmware by Qualcomm

Sd 205 Firmware by Qualcomm

Sd 210 Firmware by Qualcomm

Sd 212 Firmware by Qualcomm

Sd 400 Firmware by Qualcomm

Sd 415 Firmware by Qualcomm

Sd 600 Firmware by Qualcomm

Sd 615 Firmware by Qualcomm

Sd 616 Firmware by Qualcomm

Sd 617 Firmware by Qualcomm

Sd 650 Firmware by Qualcomm

Sd 652 Firmware by Qualcomm

Sd 800 Firmware by Qualcomm

Sd 810 Firmware by Qualcomm

Sd 820 Firmware by Qualcomm