CVE-2018-9397

6.7 MEDIUM

📋 TL;DR

CVE-2018-9397 is an out-of-bounds write vulnerability in the MediaTek WMT device driver that allows local privilege escalation. Attackers with system execution privileges can exploit this without user interaction to gain elevated access. This affects Android devices using MediaTek chipsets.

💻 Affected Systems

Products:
  • Android devices with MediaTek chipsets
Versions: Android versions prior to the June 2018 security patch level
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the MTK WMT (Wireless Management Team) device driver in MediaTek chipsets. Pixel devices were specifically mentioned in the bulletin.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to execute arbitrary code with kernel privileges, potentially installing persistent malware or accessing all device data.

🟠 Likely Case: Local privilege escalation allowing attackers to bypass security restrictions and gain elevated system access on compromised devices.

🟢 If Mitigated: Limited impact if devices are properly patched and have security controls like SELinux enforcing mode enabled.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring initial access to the device.
🏢 Internal Only: MEDIUM - Malicious apps or compromised user accounts could exploit this to escalate privileges on affected devices within an organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires system execution privileges for initial access. The vulnerability is in a kernel driver, making exploitation more complex than user-space vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level 2018-06-05 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2018-06-01

Restart Required: Yes

Instructions:

  1. Check for Android system updates in Settings > System > Advanced > System update.
  2. Apply the June 2018 or later security patch.
  3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable unnecessary kernel modules

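Platform: Linux

Remove or disable the vulnerable WMT driver module if it is not required for device functionality. Both commands require root and assume the driver is built as a loadable module named wmt.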

rmmod wmt
echo 'blacklist wmt' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Restrict device access to trusted users only and monitor for suspicious privilege escalation attempts
  • Implement application whitelisting to prevent execution of unauthorized or malicious applications

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android security patch level. If the date is before June 2018, the device is vulnerable.

Check Version:

getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows 2018-06-05 or later. Check that the WMT driver version has been updated.
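An added example (not from the advisory or the vendor): a shell check that classifies the value reported by getprop ro.build.version.security_patch against the 2018-06-05 patch level listed above, so a device reporting 2018-06-01 is still flagged. The function names and the sample inventory are assumptions constructed for illustration.

```shell
# Added example: classify Android security patch levels against the
# 2018-06-05 level this page lists as the fix for CVE-2018-9397.
FIXED_LEVEL="2018-06-05"

# classify_patch_level <value>
# Prints "patched", "vulnerable", or "unknown" (malformed or empty value).
classify_patch_level() {
    # adb shell output often carries a trailing CR; strip CR and spaces.
    level=$(printf '%s' "$1" | tr -d '\r ')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # ISO dates sort chronologically as plain strings, so the older of the
    # two values is whichever sorts first.
    oldest=$(printf '%s\n%s\n' "$level" "$FIXED_LEVEL" | LC_ALL=C sort | head -n 1)
    if [ "$oldest" = "$FIXED_LEVEL" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# audit_inventory: reads "<serial> <patch level>" lines on stdin and prints
# "<serial> <status>" for every device that is not confirmed patched.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = "patched" ] || echo "$serial $status"
    done
}

# Constructed sample inventory (serials and values are made up).
SAMPLE_INVENTORY='dev-a 2018-05-05
dev-b 2018-06-01
dev-c 2018-06-05
dev-d 2019-01-01
dev-e'

# On a live device the value would come from:
#   adb shell getprop ro.build.version.security_patch
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Devices that report no value or a malformed one are listed as unknown rather than silently treated as patched.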

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Unexpected privilege escalation attempts in audit logs
  • SELinux denials related to WMT driver

Network Indicators:

  • Unusual outbound connections following local privilege escalation

SIEM Query:

source="android_logs" AND ("WMT" OR "wmt") AND ("panic" OR "oops" OR "privilege")
