In this post, we will be discussing CVE-2022-20463, a vulnerability in the factory reset process of WifiServiceImpl on Android devices. It could allow an attacker to preserve WiFi settings across network factory resets without needing any additional execution privileges or user interaction. We'll dive into the details of this vulnerability, how it occurs, provide a code snippet to understand it better, and link you to the original references for further information.

Exploit Details

The vulnerability lies within the factoryReset function of the WifiServiceImpl, which is responsible for resetting the network configurations on an Android device. Due to a logic error in the code, it is possible for WiFi settings to be preserved even after a network factory reset, leading to a local non-security issue.

Code Snippet

Let's take a look at a simplified code snippet to understand the logic error that leads to this vulnerability:

import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiManager;

public class WifiServiceImpl {
    // Simplified: the real service talks to the Wi-Fi stack directly; here a
    // WifiManager stands in for it so the reset logic reads on its own.
    private final WifiManager mWifiManager;

    public WifiServiceImpl(WifiManager wifiManager) {
        mWifiManager = wifiManager;
    }

    public void factoryReset() {
        // First pass: remove every configured network.
        // The boolean result of removeNetwork() is never checked.
        if (mWifiManager.getConfiguredNetworks() != null) {
            for (WifiConfiguration config : mWifiManager.getConfiguredNetworks()) {
                mWifiManager.removeNetwork(config.networkId);
            }
        }

        // Logic error: the list is re-read after the removals and whatever is
        // still present is merely disabled, so a network that survived the
        // first pass stays stored instead of being wiped.
        if (mWifiManager.getConfiguredNetworks() != null) {
            for (WifiConfiguration config : mWifiManager.getConfiguredNetworks()) {
                mWifiManager.disableNetwork(config.networkId);
            }
        }
    }
}

The logic error is in the second part of the factoryReset function: after the first loop has attempted to remove the configured networks, the code re-reads the list and only disables whatever is still there, rather than confirming that every network was actually removed. A network that survives the first pass is therefore left disabled but still stored. Due to this logic error, WiFi settings may not always be wiped properly during a factory reset.
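To make the missing check concrete, here is an added model (not the page's or AOSP's code) that mirrors the structure of the snippet above against a constructed stand-in for WifiManager, next to a version that tracks failed removals and verifies that nothing survives. The stand-in and the assumption that removeNetwork() can fail and return false for some entries are illustrative only.

```python
from dataclasses import dataclass


@dataclass
class WifiConfiguration:
    network_id: int
    ssid: str
    enabled: bool = True


class FakeWifiManager:
    """Constructed stand-in for android.net.wifi.WifiManager (not the real API)."""

    def __init__(self, configs, undeletable=()):
        self._configs = {c.network_id: c for c in configs}
        # Assumption for illustration: removal of these ids fails and returns False.
        self._undeletable = set(undeletable)

    def get_configured_networks(self):
        return list(self._configs.values())

    def remove_network(self, network_id):
        if network_id in self._undeletable:
            return False
        return self._configs.pop(network_id, None) is not None

    def disable_network(self, network_id):
        cfg = self._configs.get(network_id)
        if cfg is None:
            return False
        cfg.enabled = False
        return True


def factory_reset_as_posted(wm):
    """Same shape as the snippet: results ignored, second pass only disables."""
    for cfg in wm.get_configured_networks() or []:
        wm.remove_network(cfg.network_id)
    for cfg in wm.get_configured_networks() or []:
        wm.disable_network(cfg.network_id)
    return wm.get_configured_networks()  # anything left here was preserved


def factory_reset_checked(wm):
    """Snapshot once, record failed removals, and verify nothing survives."""
    failed = [cfg.network_id for cfg in (wm.get_configured_networks() or [])
              if not wm.remove_network(cfg.network_id)]
    remaining = [c.network_id for c in (wm.get_configured_networks() or [])]
    if failed or remaining:
        raise RuntimeError(f"factory reset incomplete: failed={failed} remaining={remaining}")
    return []
```

In the as-posted flow a network whose removal failed comes back from the final read, disabled but still stored; the checked flow surfaces the same condition as an error instead of silently completing.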

Original References

For further information, you can access the original references on the official Android git repository and Android Security Bulletin:

- Android git repository: AOSP Commit - WifiServiceImpl: Properly clear configured networks on factory reset
- Android Security Bulletin: Android Security Bulletin—February 2023

Conclusion

CVE-2022-20463 is an interesting vulnerability in WifiServiceImpl that could result in the preservation of WiFi settings across network factory resets on affected Android devices. The issue stems from a logic error in the code, and it does not require any additional execution privileges or user interaction to be exploited. By understanding this vulnerability and applying the latest Android security updates to your device, you can protect it from such issues and ensure the factory reset feature works as intended.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 16:29:00 UTC