Patch on chip

Android vulnerabilities could allow arbitrary code execution

Several vulnerabilities have been patched in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. None of the vulnerabilities have been spotted in the wild.

Operating systems contain and manage all the programs and applications that a computer or mobile device is able to run. The Android OS was developed by Google for mobile devices like smartphones, tablets, smart watches, and more, and it’s installed on more than 70 percent of the world’s mobile phones.

Google’s latest security update for Android patched 42 vulnerabilities. Four of them received the label “critical”, of which three affect Qualcomm components. Qualcomm is a US-based chip maker that specializes in semiconductors, software, and services related to wireless technology.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The critical Qualcomm vulnerabilities all relate to the WLAN component and have the following CVEs:

  • CVE-2022-25748 has a CVSS score of 9.8 out of 10 and could be exploited to trigger memory corruption leading to arbitrary code execution.
  • CVE-2022-25718 has a CVSS score of 9.1 out of 10 and could allow a remote attacker to perform a machine-in-the-middle (MitM) attack.
  • CVE-2022-25720 has a CVSS score of 9.8 out of 10 and could allow a remote attacker to execute arbitrary code on an Android device by sending it specially crafted traffic.

Looking at the three vulnerabilities listed above, it seems that someone has taken a good look at the initial connection and authentication routines in the Qualcomm WLAN firmware. All three vulnerabilities seem to lie in the initial stages of a connection.

The Group Temporal Key (GTK) is used to encrypt all broadcast and multicast traffic between an access point and multiple client devices. It is delivered as part of the four-way handshake between an access point and the client device, which generates the encryption keys used to protect the actual data sent over the wireless link.
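To show where the group key sits in that handshake, here is an added example written for this page (it is not code from Google, Qualcomm or the author). It follows the IEEE 802.11 pairwise key derivation (PRF over the PMK, addresses and nonces) and the EAPOL MIC construction, but it substitutes a KEK-derived XOR mask for the AES key wrap the real protocol uses, because the Python standard library has no AES; the PMK, MAC addresses and nonces are constructed test values. The point a defender should take from it is the ordering: the client verifies the MIC under the KCK before it unwraps and installs the GTK, so a message 3 that was altered in transit is rejected rather than acted on.

```python
"""Toy four-way handshake: pairwise key derivation plus GTK hand-over in message 3.

Constructed example. The PRF, PTK layout and MIC follow IEEE 802.11 (WPA2/CCMP);
the GTK "wrap" is a stand-in for the AES key wrap, NOT the real transport."""
import hashlib
import hmac
import os

PTK_LEN = 48  # CCMP: KCK (16 bytes) || KEK (16 bytes) || TK (16 bytes)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    The min/max ordering lets both ends compute the same key from the same inputs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_LEN)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """WPA2 key descriptor version 2: HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def wrap_gtk(kek: bytes, gtk: bytes) -> bytes:
    """Stand-in for the AES key wrap (RFC 3394) the real protocol applies under the KEK.
    Here the GTK is masked with a KEK-derived keystream; XOR is its own inverse."""
    stream = prf(kek, b"example GTK transport (not 802.11)", b"", len(gtk))
    return bytes(a ^ b for a, b in zip(gtk, stream))


unwrap_gtk = wrap_gtk  # same mask, same operation


def run_handshake(pmk: bytes, aa: bytes, spa: bytes, tamper_msg3: bool = False) -> dict:
    """Run both sides of the handshake; return where it stopped and whether keys agree."""
    # Message 1 (AP -> STA): ANonce only, nothing is authenticated yet.
    anonce = os.urandom(32)
    # Message 2 (STA -> AP): SNonce, authenticated with the KCK the station just derived.
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = snonce
    msg2_mic = eapol_mic(sta_ptk["kck"], msg2)
    # The AP derives its own PTK and checks message 2 before doing anything else.
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ap_ptk["kck"], msg2), msg2_mic):
        return {"ok": False, "stage": 2}
    # Message 3 (AP -> STA): the GTK, protected by the KEK and authenticated by the KCK.
    gtk = os.urandom(16)
    msg3 = anonce + wrap_gtk(ap_ptk["kek"], gtk)
    msg3_mic = eapol_mic(ap_ptk["kck"], msg3)
    if tamper_msg3:
        msg3 = msg3[:-1] + bytes([msg3[-1] ^ 0x01])  # simulate one bit corrupted in transit
    # The station checks the MIC first; only a verified frame gets its GTK installed.
    if not hmac.compare_digest(eapol_mic(sta_ptk["kck"], msg3), msg3_mic):
        return {"ok": False, "stage": 3}
    sta_gtk = unwrap_gtk(sta_ptk["kek"], msg3[32:])
    # Message 4 (STA -> AP) is a MIC-only acknowledgement; omitted here.
    return {"ok": True, "stage": 4,
            "ptk_match": sta_ptk == ap_ptk, "gtk_match": sta_gtk == gtk}


if __name__ == "__main__":
    pmk = bytes(range(32))  # constructed 256-bit PMK
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    print(run_handshake(pmk, ap, sta))
    print(run_handshake(pmk, ap, sta, tamper_msg3=True))
```

Because the same PRF inputs are sorted before hashing, swapping which side is "AP" and which is "client" yields the identical PTK, which is what lets a station and an access point that only ever see each other's nonces and addresses agree on the KCK used to authenticate the frame that carries the GTK.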

The other critical vulnerability, CVE-2022-20419, is a vulnerability in the Android Framework that could lead to local escalation of privilege (EoP) with no additional execution privileges needed. In the bug description we can find that any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. The ActivityManager allows developers to retrieve information about the device the app is running on, like available memory, running processes, and tasks that the user has most recently started or visited.

Google’s updates will be rolled out for Android versions 10, 11, 12, 12L, and 13. Since some of the vulnerabilities are in suppliers’ software, not every device will need all the patches.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.