New 0-Day Flaw Affecting Most Android Phones Being Exploited in the Wild


Another day, another revelation of a critical unpatched
zero-day vulnerability, this time in the world’s most widely used
mobile operating system, Android.

What’s more? The Android zero-day vulnerability has also been
found to be exploited in the wild by the Israeli surveillance
vendor NSO Group—infamous for selling zero-day exploits to
governments—or one of its customers, to gain control of their
targets’ Android devices.

Discovered by Project Zero researcher Maddie Stone, the details
and a proof-of-concept exploit for the high-severity security
vulnerability, tracked as CVE-2019-2215, have been made public
today—just seven days after it was reported to the Android security
team.

The zero-day is a use-after-free vulnerability in the Android
kernel’s binder driver that can allow a local privileged attacker
or an app to escalate their privileges to gain root access to a
vulnerable device and potentially take full remote control of the
device.

Vulnerable Android Devices

The vulnerability resides in versions of the Android kernel released
before April last year. A patch for it was included in the 4.14
LTS Linux kernel released in December 2017, but it was only
incorporated into AOSP Android kernel versions 3.18, 4.4 and 4.9.

Therefore, most Android devices manufactured and sold by a
majority of vendors with the unpatched kernel remain vulnerable
even after installing the latest Android updates,
including the popular smartphone models listed below:

  • Pixel 1
  • Pixel 1 XL
  • Pixel 2
  • Pixel 2 XL
  • Huawei P20
  • Xiaomi Redmi 5A
  • Xiaomi Redmi Note 5
  • Xiaomi A1
  • Oppo A3
  • Moto Z3
  • Oreo LG phones
  • Samsung S7
  • Samsung S8
  • Samsung S9

To be noted, Pixel 3, 3 XL, and 3a devices running the latest
Android kernels are not vulnerable to the issue.

Android Flaw Can Be Exploited Remotely

According to the researcher, since the issue is “accessible from
inside the Chrome sandbox,” the Android kernel zero-day
vulnerability can also be exploited remotely by combining it with a
separate Chrome rendering flaw.

“The bug is a local privilege escalation vulnerability that
allows for a full compromise of a vulnerable device. If the exploit
is delivered via the Web, it only needs to be paired with a
renderer exploit, as this vulnerability is accessible through the
sandbox,” Stone says [1] in the Chromium
blog.

“I’ve attached a local exploit proof-of-concept to demonstrate how
this bug can be used to gain arbitrary kernel read/write when
running locally. It only requires the untrusted app code execution
to exploit CVE-2019-2215. I’ve also attached a screenshot
(success.png) of the POC running on a Pixel 2, running Android 10
with security patch level September 2019.”

Patches to be Made Available Soon

Though Google will release a patch for this vulnerability in its
October Android Security Bulletin in the coming days and has also
notified OEMs, most affected devices are unlikely to receive the
patch immediately, unlike the Google Pixel 1 and 2.

“This issue is rated as High severity on Android and by itself
requires installation of a malicious application for potential
exploitation. Any other vectors, such as via web browser, require
chaining with an additional exploit,” the Android security team
said in a statement.

“We have notified Android partners, and the patch is available on
the Android Common Kernel. Pixel 3 and 3a devices are not
vulnerable while Pixel 1 and 2 devices will be receiving updates
for this issue as part of the October update.”
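For administrators of a device fleet, the practical question raised by the statement above is which handsets still need the October update. The following triage helper is an added example, not code from Project Zero, Google or this article: it parses the output of `adb shell getprop` (a constructed sample is embedded so it runs offline) and classifies each device by its reported security patch level. The cutoff date, the property names used, and the treatment of Pixel 3 models as not affected are assumptions drawn from the statements quoted in this article.

```python
"""Fleet triage for CVE-2019-2215 based on Android's reported patch level.

Added example (not the article's or Google's code). It reads the text that
`adb shell getprop` prints and decides whether a device still needs the
October 2019 bulletin that carries the fix.
"""
import re
import subprocess
from datetime import date

# Assumption: the fix ships in the October 2019 Android Security Bulletin,
# so a patch level dated before October 2019 is treated as "needs_patch".
FIX_PATCH_LEVEL = date(2019, 10, 1)

# The Android security team states Pixel 3 / 3 XL / 3a are not vulnerable.
NOT_AFFECTED_MODELS = {"Pixel 3", "Pixel 3 XL", "Pixel 3a"}

# getprop prints lines of the form "[key]: [value]".
_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn raw `getprop` output into a {key: value} dict; skips odd lines."""
    props = {}
    for line in text.splitlines():
        m = _PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_patch_level(value: str):
    """Security patch levels look like 2019-09-05; return a date or None."""
    try:
        year, month, day = (int(p) for p in value.split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def triage(props: dict) -> dict:
    """Classify one device: not_affected, patched, needs_patch or unknown."""
    model = props.get("ro.product.model", "")
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if model in NOT_AFFECTED_MODELS:
        status = "not_affected"
    elif patch is None:
        status = "unknown"  # no usable patch level; needs manual review
    elif patch >= FIX_PATCH_LEVEL:
        status = "patched"
    else:
        status = "needs_patch"
    return {"model": model, "patch_level": patch, "status": status}


def live_props(serial: str) -> dict:
    """Optional: pull getprop from a connected device via adb (not run here)."""
    out = subprocess.run(["adb", "-s", serial, "shell", "getprop"],
                         capture_output=True, text=True, check=True).stdout
    return parse_getprop(out)


# Constructed sample getprop output for three devices (not real captures).
SAMPLE_PIXEL2 = """\
[ro.product.model]: [Pixel 2]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2019-09-05]
"""
SAMPLE_PIXEL3 = """\
[ro.product.model]: [Pixel 3]
[ro.build.version.security_patch]: [2019-09-05]
"""
SAMPLE_UPDATED = """\
[ro.product.model]: [Pixel 2 XL]
[ro.build.version.security_patch]: [2019-10-05]
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PIXEL2, SAMPLE_PIXEL3, SAMPLE_UPDATED):
        r = triage(parse_getprop(sample))
        print(f"{r['model']:<12} {r['patch_level']}  {r['status']}")
```

The patch level is the right signal here rather than `uname -r`, because the fix was backported into several kernel branches, so a kernel version number alone does not tell you whether a given build carries it. Devices that come back as `needs_patch` are the ones where the article's advice about limiting app installs matters most until the OEM update lands.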

Google’s Project Zero division usually gives software developers a
90-day deadline to fix an issue in their affected products before
going public with the details and PoC exploits, but when a bug is
being actively exploited, the team goes public seven days after
privately reporting it.

What’s your take? Although this vulnerability is severe and can
be used to gain root access to an Android device, users need not
worry too much, as exploitation of such issues is mostly
limited to targeted attack scenarios.

Nevertheless, it’s always a good idea to avoid downloading and
installing apps from third-party app stores and any unnecessary
apps, even from the Google Play Store.

References

  1. says (bugs.chromium.org)
