Two Critical Android Bugs Open Door to RCE

Google and Qualcomm both addressed significant vulnerabilities in their June updates.

Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution (RCE) on Android mobile devices.

The critical bugs (CVE-2020-0117 and CVE-2020-8597) exist in the Android System area, and would allow a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. They affect Android versions 8 to Android 10.

“Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of a privileged process,” according to a related advisory from the Multi-State Information Sharing and Analysis Center (MS-ISAC), sent via email. “These vulnerabilities could be exploited through multiple methods such as email, web browsing and MMS when processing media files.”

Depending on the privileges associated with the application, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

The other flaws affecting System are two high-severity information-disclosure issues affecting Android 10 (CVE-2020-0116 and CVE-2020-0119) – and Google offered no technical details on them.

The June security updates also address high-severity bugs in other areas, including the Android Framework. These include an elevation-of-privilege (EoP) bug (CVE-2020-0114) in Android 10 that “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions,” according to the security bulletin , issued on Monday.

Meanwhile, Google also patched CVE-2020-0115, an EoP bug in Android 8 to Android 10; and CVE-2020-0121, an information-disclosure bug in Android 10.

There are also two patches for the Android Media Framework, including CVE-2020-0118, which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions; it affects Android 10. The other is an information disclosure bug (CVE-2020-0113) affecting Android 9 and 10.

And finally, there are three high-severity security bugs in Android’s kernel components. The most severe of them (CVE-2020-8647) could enable a local attacker using a specially crafted application to execute arbitrary code within the context of a privileged process. The other two (CVE-2020-8648 and CVE-2020-8428) are also listed as high-severity.

Google also updated the advisories for two older bugs: CVE-2019-2219, affecting Framework for Android 8 to Android 10, could enable a local malicious application to bypass operating system protections that isolate application data from other applications; and an EoP vulnerability in System (CVE-2019-9460) could enable a remote attacker to bypass user interaction requirements in order to gain access to additional permissions.

In all, June is a fairly light monthly bulletin; last month’s Android updates addressed 39 vulnerabilities.

There were also patches issued this week to address multiple vulnerabilities in Qualcomm closed-source and general components used in Android devices.

Two of the bugs are critical and can be remotely exploited; they both exist in the data-modem area of Qualcomm’s mobile chips.

The flaw tracked as CVE-2019-14073 arises because the system buffers copy without checking the size of the input in the modem data, according to Qualcomm’s advisory .

“Copying [real-time transport protocol control protocol] RTCP messages into the output buffer without checking the destination buffer size which could lead to a remote stack overflow when processing large data or non-standard feedback messages,” according to the silicon-maker.

Also, CVE-2019-14080 stems from improper validation of the array index in the modem data, having to do with power transmission in the chipset:

“Out of bound write can happen due to lack of check of array index value while parsing [session description protocol] SDP attribute for [specific absorption rate] SAR,” Qualcomm said.

Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET , join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami . Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.