Two Critical Android Bugs Open Door to RCE

栏目: IT技术 · 发布时间: 4年前

内容简介:Google and Qualcomm both addressed significant vulnerabilities in their June updates.Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution (RCE) on Android mobile devices.The critical bugs (CVE-2020-

Google and Qualcomm both addressed significant vulnerabilities in their June updates.

Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution (RCE) on Android mobile devices.

The critical bugs (CVE-2020-0117 and CVE-2020-8597) exist in the Android System area, and would allow a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. They affect Android versions 8 to Android 10.

“Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of a privileged process,” according to a related advisory from the Multi-State Information Sharing and Analysis Center (MS-ISAC), sent via email. “These vulnerabilities could be exploited through multiple methods such as email, web browsing and MMS when processing media files.”

Two Critical Android Bugs Open Door to RCE

Depending on the privileges associated with the application, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

The other flaws affecting System are two high-severity information-disclosure issues affecting Android 10 (CVE-2020-0116 and CVE-2020-0119) – and Google offered no technical details on them.

The June security updates also address high-severity bugs in other areas, including the Android Framework. These include an elevation-of-privilege (EoP) bug (CVE-2020-0114) in Android 10 that “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions,” according to the security bulletin , issued on Monday.

Meanwhile, Google also patched CVE-2020-0115, an EoP bug in Android 8 to Android 10; and CVE-2020-0121, an information-disclosure bug in Android 10.

There are also two patches for the Android Media Framework, including CVE-2020-0118, which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions; it affects Android 10. The other is an information disclosure bug (CVE-2020-0113) affecting Android 9 and 10.

And finally, there are three high-severity security bugs in Android’s kernel components. The most severe of them (CVE-2020-8647) could enable a local attacker using a specially crafted application to execute arbitrary code within the context of a privileged process. The other two (CVE-2020-8648 and CVE-2020-8428) are also listed as high-severity.

Google also updated the advisories for two older bugs: CVE-2019-2219, affecting Framework for Android 8 to Android 10, could enable a local malicious application to bypass operating system protections that isolate application data from other applications; and an EoP vulnerability in System (CVE-2019-9460) could enable a remote attacker to bypass user interaction requirements in order to gain access to additional permissions.

In all, June is a fairly light monthly bulletin; last month’s Android updates addressed 39 vulnerabilities.

There were also patches issued this week to address multiple vulnerabilities in Qualcomm closed-source and general components used in Android devices.

Two of the bugs are critical and can be remotely exploited; they both exist in the data-modem area of Qualcomm’s mobile chips.

The flaw tracked as CVE-2019-14073 arises because the system buffers copy without checking the size of the input in the modem data, according to Qualcomm’s advisory .

“Copying [real-time transport protocol control protocol] RTCP messages into the output buffer without checking the destination buffer size which could lead to a remote stack overflow when processing large data or non-standard feedback messages,” according to the silicon-maker.

Also, CVE-2019-14080 stems from improper validation of the array index in the modem data, having to do with power transmission in the chipset:

“Out of bound write can happen due to lack of check of array index value while parsing [session description protocol] SDP attribute for [specific absorption rate] SAR,” Qualcomm said.

Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET , join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami . Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.


以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

程序的力量

程序的力量

甄贞 / 法律出版社 / 2002-3 / 21.00元

本书所谈及的话题概括了刑诉法学研究领域的方方面面,既有对每性、广泛性、前瞻性的宏观学科前沿问题的把握;又有实践性、直观性、详细性的个案分析和具体程序操作问题之探讨等。一起来看看 《程序的力量》 这本书的介绍吧!

XML、JSON 在线转换
XML、JSON 在线转换

在线XML、JSON转换工具

HEX CMYK 转换工具
HEX CMYK 转换工具

HEX CMYK 互转工具

HSV CMYK 转换工具
HSV CMYK 转换工具

HSV CMYK互换工具