In addOrUpdateNetwork of WifiServiceImpl.java, there is a possible way for a guest user to configure Wi-Fi due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1938.0, "function_hash": "293594231454106066202648911088914014586" }, "id": "ASB-A-221859734-0f842235", "source": "https://android.googlesource.com/platform/packages/modules/Wifi/+/737e26535baeb007b9034f581b4616699b05725f", "deprecated": false, "signature_version": "v1", "target": { "file": "service/java/com/android/server/wifi/WifiServiceImpl.java", "function": "addOrUpdateNetwork" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "106075586204482335038976748081962302294", "50254125161359841256617685321503778893", "134973327598480085166434995507770650837", "28813555467455531340252744248365923111", "225435854086273964432355916192461277807", "82043909163773608070549931900080330595", "129469515357280746322246128026138082303", "289452559497219223745714617889368962341", "37334760508184369337165119594598746289", "129355241784036593595292419231383845311", "225255828251713566110152665276759195922", "74477090221252033040801604394725016148", "245245506821984838658377438735566823394", "133659126509778478122343584755180096842", "148885302954478283238374509563882639897", "257186594853830201459088892786358004881", "278417732000440066771118080832195917380", "214299252086930989744352307881169018017", "70759636909357249512516047906321604701", "242034345642079937495221304327996039587", "232221736637048000480626678019606874799", "231331281647827883607709863219391449970" ] }, "id": "ASB-A-221859734-2d674781", "source": "https://android.googlesource.com/platform/packages/modules/Wifi/+/737e26535baeb007b9034f581b4616699b05725f", "deprecated": false, "signature_version": "v1", "target": { "file": "service/java/com/android/server/wifi/WifiServiceImpl.java" }, "signature_type": "Line" }, { "digest": { "length": 70.0, "function_hash": "86098240229774875250991448927674820235" }, "id": "ASB-A-221859734-96bc66c0", "source": "https://android.googlesource.com/platform/packages/modules/Wifi/+/737e26535baeb007b9034f581b4616699b05725f", "deprecated": false, "signature_version": "v1", "target": { "file": "service/java/com/android/server/wifi/util/WifiPermissionsUtil.java", "function": "getCurrentUser" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "215906072357966659079777844652605955098", "123427533635257855312621267060376553090", "284278039488370649357553090113176000535", "117240947406735192951363986640445889294", "12720297399195096143680386400694880430", "210018469119573588783296958352348880318" ] }, "id": "ASB-A-221859734-9bbf9900", "source": "https://android.googlesource.com/platform/packages/modules/Wifi/+/737e26535baeb007b9034f581b4616699b05725f", "deprecated": false, "signature_version": "v1", "target": { "file": "service/java/com/android/server/wifi/util/WifiPermissionsUtil.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Wifi/+/737e26535baeb007b9034f581b4616699b05725f" ], "spl": "2022-09-01", "severity": "High", "types": [ "EoP" ] }