Researchers from Trend Micro's Zero Day Initiative (ZDI) have published details of a zero-day vulnerability that allows local privilege escalation in Android.
According to the ZDI advisory, the flaw lies in the v4l2 (Video4Linux 2) driver, which provides audio and video capture on Linux-based operating systems. The driver fails to verify that an object still exists before performing operations on it, a use-after-free class of bug. As a result, an attacker with local access to an Android device (that is, able to run code on it already) can escalate privileges to the kernel and take control of the system.
“To exploit the vulnerability, the attacker must be able to execute low-privileged code on the target system,” the researchers write.
Details of the vulnerable code and of how the attack is carried out have not been reported. The severity of the vulnerability is rated 7.8 (high) on the CVSS scale.
The report was submitted to Google almost six months ago, in mid-March. Google confirmed the vulnerability and promised a patch but did not commit to a release date. Since the patch never appeared, the researchers decided to disclose the find.
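The advisory names only the bug class, not the code, so the following is an added illustration and not v4l2 or any Android driver code. It models a capture-node table in which the driver checks that a handle is in range but not that the object behind it still exists; the hardened handler validates existence and holds a reference for the duration of the operation. The node pool, the field names, and the EBADF_LOCAL error value are assumptions made for the example, and a fixed-size pool with a poison value replaces real heap allocation so that the stale access is observable rather than undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NODES 4
#define EBADF_LOCAL 9   /* assumption: mirrors errno EBADF, "bad file descriptor" */

/* Constructed capture-node pool (not a real driver structure). A fixed pool is
 * used instead of malloc/free so a stale access stays deterministic. */
struct capture_node {
    int in_use;                 /* 1 while opened, 0 after the last reference drops */
    unsigned int refcount;      /* held by callers currently operating on the node */
    unsigned int queued_buffers;
};

static struct capture_node pool[MAX_NODES];

int node_open(unsigned int slot)
{
    if (slot >= MAX_NODES || pool[slot].in_use)
        return -1;
    memset(&pool[slot], 0, sizeof pool[slot]);
    pool[slot].in_use = 1;
    pool[slot].refcount = 1;    /* the open() reference */
    return 0;
}

/* Drop one reference; tear the object down when the last one goes away.
 * The poison value makes any later use of the dead object visible. */
static void node_put(struct capture_node *n)
{
    if (--n->refcount == 0) {
        n->in_use = 0;
        n->queued_buffers = 0xDEAD;
    }
}

void node_release(unsigned int slot)
{
    if (slot < MAX_NODES && pool[slot].in_use)
        node_put(&pool[slot]);
}

/* Vulnerable ioctl-style handler: bounds-checks the handle but never confirms
 * that the object behind it still exists, so after release() it operates on
 * a dead object. This is the pattern the advisory describes, in miniature. */
int queue_buffer_vulnerable(unsigned int slot)
{
    if (slot >= MAX_NODES)
        return -EBADF_LOCAL;
    pool[slot].queued_buffers++;    /* no existence check, no reference held */
    return 0;
}

/* Hardened handler: reject handles whose object is gone, and hold a
 * reference while working so a concurrent release cannot free it mid-call.
 * In a real driver the existence check and the refcount increment must happen
 * under the same lock that release() takes, or the check itself races. */
int queue_buffer_checked(unsigned int slot)
{
    struct capture_node *n;

    if (slot >= MAX_NODES)
        return -EBADF_LOCAL;
    n = &pool[slot];
    if (!n->in_use)
        return -EBADF_LOCAL;        /* object no longer exists */
    n->refcount++;
    n->queued_buffers++;
    node_put(n);
    return 0;
}

unsigned int node_queued(unsigned int slot)
{
    return slot < MAX_NODES ? pool[slot].queued_buffers : 0;
}

int main(void)
{
    node_open(1);
    queue_buffer_checked(1);
    node_release(1);
    printf("checked after release:    %d\n", queue_buffer_checked(1));
    printf("vulnerable after release: %d (dead object's field is now %#x)\n",
           queue_buffer_vulnerable(1), node_queued(1));
    return 0;
}
```

Once the node is released, the checked handler refuses the call, while the vulnerable one reports success and modifies the poisoned, dead object. With real heap allocation that write would land in whatever the kernel allocator reused the memory for, which is what makes this class exploitable for privilege escalation.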
“Given the nature of the vulnerability, the only salvation so far is to limit interaction with the service. Access should be allowed only for clients and servers that have a legitimate procedural relationship with it. This restriction can be introduced in a variety of ways, in particular using firewall rules or whitelisting,” say the ZDI researchers.
The vulnerability was disclosed after the publication of the latest set of Android patches, which once again did not include a fix for it.
On Tuesday, September 3, Google announced fixes for 15 dangerous bugs in its mobile OS. Among them were two critical remote code execution vulnerabilities in the multimedia libraries of the Media framework. According to the developer's bulletin, exploitation of CVE-2019-2176 and CVE-2019-2108 allows a specially crafted file to execute arbitrary code in the context of a privileged process.
Five high-severity vulnerabilities were closed in the Framework components: four enable privilege escalation and one discloses confidential information. Five similar bugs were fixed in System; a sixth (CVE-2019-2177) allowed remote execution of arbitrary code.
The new Google bulletin also informs users about fixes for two vulnerabilities in NVIDIA components and about three dozen in Qualcomm products. Of the latter, the most dangerous for Android are CVE-2019-10533 and CVE-2019-2258, which were contained in closed-source components.
“LGE has released a set of patches as part of the monthly Android security update program. Of the fixed vulnerabilities, the most serious is a critical bug in the Media framework,” LG said.
Samsung announced its September updates for Android devices at the same time. The new patch set covers the vulnerabilities mentioned in Google's bulletin, as well as a dozen bugs specific to Samsung products.