In multiple functions of ConnectivityService.java, there is a possible way for a Wi-Fi AP to determine what site a device has connected to through a VPN due to side channel information disclosure. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "fixes": [ "https://android.googlesource.com/platform/packages/modules/Connectivity/+/9a0a647f50dde062bb0846a87961607b4ca1c4c8", "https://android.googlesource.com/platform/packages/modules/Connectivity/+/f0fa3a4554393018b0fcab937ff0013a1829a69b" ], "spl": "2025-01-01", "severity": "High", "types": [ "ID" ] }
{ "fixes": [ "https://android.googlesource.com/platform/packages/modules/Connectivity/+/9a0a647f50dde062bb0846a87961607b4ca1c4c8", "https://android.googlesource.com/platform/packages/modules/Connectivity/+/f0fa3a4554393018b0fcab937ff0013a1829a69b" ], "spl": "2025-01-01", "severity": "High", "types": [ "ID" ] }
{ "fixes": [ "https://android.googlesource.com/platform/frameworks/libs/net/+/03eb6f09360de988687c06940b6f13be7e650b34", "https://android.googlesource.com/platform/frameworks/libs/net/+/80500a3de46b212c7ed0e9f9f9c87f698b101c17" ], "spl": "2025-01-01", "severity": "High", "types": [ "ID" ] }
{ "vanir_signatures": [ { "digest": { "length": 1026.0, "function_hash": "134416761624579409979375994150250792586" }, "id": "ASB-A-193031925-208b4470", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/df163f70fd3f456604019072b796eaeab71418ae", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java", "function": "generateIngressDiscardRules" }, "signature_type": "Function" }, { "digest": { "length": 1212.0, "function_hash": "242675969598636284939712788575565974033" }, "id": "ASB-A-193031925-213d388a", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/d493a3aa7dcca3219b139616c9de3c6ee8181f86", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java", "function": "updateLinkProperties" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "211532913092856523640620818397465079528", "4007128991981511533711589108641062271", "110103736278331471829460242356720843751", "25326096123886487132504840035492737712", "37273558137875237838653895749689369980", "161790902313394216729866222596042846761", "142249704129977219004314657639867573680", "90711542228741756106149657368523379977", "180645704048347418031723426077697607406", "335743974029366220872967827958071789022", "303335162419111807458100309371297090634", "275723917175420571753154711288647140642", "78531860723917649558272532424748037476", "153860588463249454071469016471559595020", "120169195579929945096454197490360402393", "302642991539889491407290636789772206391", "37700120647745234211043257387586123654" ] }, "id": "ASB-A-193031925-28624652", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/d493a3aa7dcca3219b139616c9de3c6ee8181f86", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java" }, "signature_type": "Line" }, { "digest": { "length": 7265.0, "function_hash": "104539973824635611611371240811375983660" }, "id": "ASB-A-193031925-4b83acad", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/d493a3aa7dcca3219b139616c9de3c6ee8181f86", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java", "function": "ConnectivityService" }, "signature_type": "Function" }, { "digest": { "length": 972.0, "function_hash": "217746681310433547709601631738478874995" }, "id": "ASB-A-193031925-612a840a", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/5441470a6a04f36369ec79c3eff3a72fc47ca9e3", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java", "function": "generateIngressDiscardRules" }, "signature_type": "Function" }, { "digest": { "length": 733.0, "function_hash": "89607534420594928418680368598043702372" }, "id": "ASB-A-193031925-62f25293", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/d493a3aa7dcca3219b139616c9de3c6ee8181f86", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java", "function": "destroyNativeNetwork" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "316118135044002203360338556178346030544", "154938983177890398466050844349743257039", "65185455313051718538701350101505144367", "13838067576355022468152037345570412184", "180533816498831328137046746721440216755" ] }, "id": "ASB-A-193031925-7b4bdfea", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b01647922d2b393fd705bf7fd68fbe10ccdffdc4", "deprecated": false, "signature_version": "v1", "target": { "file": "common/src/com/android/net/module/util/bpf/IngressDiscardKey.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "226134191383026538262969682519339757761", "50279149356656828751651951699413882531", "289231389341777822089852558544515880324", "12221327242697723686094758684797654447", "23075773370066765580508952797130862520", "62784894568845262190408585283399370626", "150708691523270231688440859440661052898" ] }, "id": "ASB-A-193031925-8d6e9489", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/5441470a6a04f36369ec79c3eff3a72fc47ca9e3", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java" }, "signature_type": "Line" }, { "digest": { "length": 884.0, "function_hash": "119540092433770396759112919499201781610" }, "id": "ASB-A-193031925-a590270d", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b01647922d2b393fd705bf7fd68fbe10ccdffdc4", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/BpfNetMaps.java", "function": "initBpfMaps" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "239351541724200386760925483404433311616", "135666912025753935418589282566495089625", "331515982554991386742462320059868202151", "172148205804887405734488192847366293454", "120960146440215475594814886484464983590", "207465249686318388263838896209539629168", "271656285747315895436711535189962924352", "48415736909822751741703898396146087828" ] }, "id": "ASB-A-193031925-aa33da2a", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/e1a82cc1cc04ed49f022825010316cde7758c2fb", "deprecated": false, "signature_version": "v1", "target": { "file": "bpf_progs/netd.h" }, "signature_type": "Line" }, { "digest": { "length": 1206.0, "function_hash": "173627206379675653583747960087071819862" }, "id": "ASB-A-193031925-b5c55932", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b01647922d2b393fd705bf7fd68fbe10ccdffdc4", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/BpfNetMaps.java", "function": "dump" }, "signature_type": "Function" }, { "digest": { "length": 655.0, "function_hash": "269805055931110894272306853628336970479" }, "id": "ASB-A-193031925-beed2eaa", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/e1a82cc1cc04ed49f022825010316cde7758c2fb", "deprecated": false, "signature_version": "v1", "target": { "file": "bpf_progs/netd.c", "function": "bpf_owner_match" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "267266255986084996418152716196166959853", "124242450393677592957686922939239799854", "335038074653549443945447580964593076906", "36229408312139438614336985852660763285", "285277060272576420942809046496090697395", "251398443280562860613670557048894234277", "335812561470128293024460145244819827171", "237809051013759711678618649544164577565", "52509999506855153502883526468763159295", "317743211794056732105524990511242555043", "303317792436256839526498859437399473835" ] }, "id": "ASB-A-193031925-c2d2845a", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/e1a82cc1cc04ed49f022825010316cde7758c2fb", "deprecated": false, "signature_version": "v1", "target": { "file": "bpf_progs/netd.c" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "226134191383026538262969682519339757761", "50279149356656828751651951699413882531", "289231389341777822089852558544515880324", "207460490131969610508150236689523784323", "13933914943177319080791160024887744741", "33266948455549414997984704915258359564", "110551508269987137141007359070046219773", "142987293468774137557237667079713568029", "217413774575641974751234671471159046892" ] }, "id": "ASB-A-193031925-fd7adfac", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/df163f70fd3f456604019072b796eaeab71418ae", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/ConnectivityService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "150473880920509290948070983272233813862", "189010890499757222159087155058604308982", "215921042932854431097924763226110827328", "103624088963394404958085799998221969450", "51563645968537273428200732116972214531", "154220941844311023065570104921697168872", "35718111119138841212806491591043655908", "258302992846226645514364679789300189163", "51710106137623154330768889369982190041", "58989877069094824435480631104470052798", "332123369572822765526694130854915720937", "240173159614821579497390024329786198382", "21259439805604528437514838724933217491", "125730351972237689447664245148113535852", "108401865162896129432012262518655999229", "147056614198855852010287378973563141634", "242635297357544322317029678344939836778", "292640781364859245410492800411122918648", "1800973481082263996224355083753908957", "264768980260759113810087451519927732813", "189450300707062753134640199772999949596", "236004993434610419928482208626700346489", "11397079966133779073168753464830827394", "196263637081896321818465901768208609511", "121160607422030331120526197863048344471", "217725915925458207342626025082725914792", "78807721963990328871567407097894683527", "278561272021556870119176177062901095341", "299566938902388647404629553490522926206", "266892429143297408172100225223930220491", "218707510969004177560912589312153605465", "335985879538993719748212060336181538642", "116590524372468238955868765864637246340", "187010671432305735155385839492596348295", "22776378007126597811304282364779404027", "185568419151863323460824046114802193160", "134119286321296833610564762066230156148", "7376901209399032738744281542658744411", "86476710372541921658997755805515790395", "201971243766074596452731591140778961643", "112139293503503909951776767753986367517" ] }, "id": "ASB-A-193031925-ff0eda51", "source": "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b01647922d2b393fd705bf7fd68fbe10ccdffdc4", "deprecated": false, "signature_version": "v1", "target": { "file": "service/src/com/android/server/BpfNetMaps.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Connectivity/+/d493a3aa7dcca3219b139616c9de3c6ee8181f86", "https://android.googlesource.com/platform/packages/modules/Connectivity/+/5441470a6a04f36369ec79c3eff3a72fc47ca9e3", "https://android.googlesource.com/platform/packages/modules/Connectivity/+/df163f70fd3f456604019072b796eaeab71418ae", "https://android.googlesource.com/platform/packages/modules/Connectivity/+/e1a82cc1cc04ed49f022825010316cde7758c2fb", "https://android.googlesource.com/platform/packages/modules/Connectivity/+/9024892db8de73eea86967880b0cfa4470db079f", "https://android.googlesource.com/platform/packages/modules/Connectivity/+/b01647922d2b393fd705bf7fd68fbe10ccdffdc4" ], "spl": "2025-01-01", "severity": "High", "types": [ "ID" ] }