Google has released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code execution (RCE) on Android mobile devices.
Overall, 54 high-severity flaws were patched as part of Google’s August security updates for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high and critical-severity vulnerabilities tied to 31 CVEs.
The RCE flaw, the most serious of these flaws, exists in the Android Framework, which is a set of APIs – consisting of system tools and user interface design tools – that allow developers to quickly and easily write apps for Android phones.
The flaw (CVE-2020-0240) “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process,” according to Google’s security bulletin. It has been addressed for devices running on version 10 of the Android operating system.
Other high-severity flaws in the Framework include two elevation-of-privilege (EoP) vulnerabilities (CVE-2020-0238 and CVE-2020-0257), three information disclosure glitches (CVE-2020-0239, CVE-2020-0249 and CVE-2020-0258) and a Denial-of-Service (DoS) flaw (CVE-2020-0247).
Google also released fixes for three high-severity flaws in Android’s Media framework, which includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. The issues (CVE-2020-0241, CVE-2020-0242, CVE-2020-0243) are EoP flaws.
Also fixed were four high-severity flaws in the Android System area, including two EoP issues (CVE-2020-0108 and CVE-2020-0256) and two information disclosure glitches (CVE-2020-0248 and CVE-2020-0250). These “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions,” according to Google.
Components
Google also rolled out patches for flaws in various third-party components in its Android ecosystem. One such flaw (CVE-2020-0259) exists in a component by AMLogic, which is a company that designs and sells SoC (System on Chip) integrated circuits. The specific compent is dm-verity, which helps prevent persistent rootkits that can hold onto root privileges and compromise devices. This EoP flaw could enable a “local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to Google.
Several flaws were also fixed in the Kernel components used in Android, including an EoP flaw (CVE-2020-0255) in the SELinux component and one (CVE-2020-12464) in the Linux USB Subsystem; as well as an information disclosure flaw (CVE-2019-16746) in the Linux Wireless Subsystem.
Also fixed were several MediaTek components affecting the Multimedia Processing Driver, which bolsters the processing of media like video. These include three high-severity EoP flaws (CVE-2020-0252, CVE-2020-0253, CVE-2020-0260) and two information disclosure glitches (CVE-2020-0251 and CVE-2020-0254).
Finally, 31 critical and high-severity flaws were addressed in Qualcomm components, including a critical flaw in the WLAN (CVE-2020-11116) component and five critical flaws patched (CVE-2019-10562, CVE-2019-10615, CVE-2019-13998, CVE-2020-3619 and CVE-2020-3667) in “closed-source components.”
Manufacturer Updates
Manufacturers of Android devices typically push out their own patches to address updates in tandem with or after the Google Security Bulletin. Samsung said in an August security maintenance release that it is releasing several of the Android security bulletin patches, including those addressing critical flaws, CVE-2020-3699 and CVE-2020-3698, to major Samsung models. And, a bulletin said, a security update for Pixel devices, which run on Google’s Android operating system, is “coming soon.”
Android has faced various security issues in the past. In July, researchers discovered that Android users were targeted by mobile malware or mobile adware and suffered a system partition infection, making the malicious files virtually undeletable. And in June, Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution (RCE) on Android mobile devices.
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.
