a series of patches on a black background

Update Android now! Two critical vulnerabilities patched

The March security updates for Android include fixes for two critical remote code execution (RCE) vulnerabilities impacting Android systems running versions 11, 12, 12L, and 13. Users should update as soon as they can.

The March 2023 Android Security Bulletin contains the details of the security vulnerabilities affecting Android devices. Security patch levels of 2023-03-05 or later address all of these issues.

That means, if your Android phone is at patch level 2023-03-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 11, 12, and 13.

Android partners are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your Android’s version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that deal with RCE vulnerabilities which were patched in these updates are:

CVE-2023-20951 and CVE-2023-20954: both are critical RCE vulnerabilities in the System component. The most severe vulnerability could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2022-33213 and CVE-2022-33256 are vulnerabilities in Qualcomm closed-source components that could allow for remote code execution. CVE-2022-33213 is a memory corruption vulnerability in a modem due to buffer overflow while processing a PPP packet. And CVE-2022-33256 is a memory corruption vulnerability due to the improper validation of an array index in a Multi-mode call processor.

Google only sparingly gives out details about vulnerabilities, so everyone gets a chance to patch before cybercriminals can start abusing the vulnerabilities in attacks. But there are some pointers in the descriptions of the vulnerabilities.

Memory corruption vulnerabilities are vulnerabilities that may occur in a computer system when its memory is altered without an explicit assignment. The contents of a memory location are modified due to programming errors which enable attackers to execute arbitrary code.

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

PPP is commonly used as a data link layer protocol between two routers directly without any host or any other networking in between.

One other vulnerability that grabbed my attention was CVE-2021-33655 a vulnerability that occurs when sending malicious data to kernel by ioctl cmd FBIOPUT_VSCREENINFO, kernel will write memory out of bounds. It jumped out not just because it was reported in 2021 but also because the security bulletin discloses that it is an elevation of privacy (EoP) vulnerability in the Kernel that could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

A little digging revealed that a user with access to a framebuffer console driver could cause a memory out-of-bounds write via the FBIOPUT_VSCREENINFO ioctl. The ioctl is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls. The fix for this vulnerability was to prevent switching to screen resolutions which are smaller than the font size, and to prevent enabling a font which is bigger than the current screen resolution. This seems trivial, but it goes to show how many details go into safe coding.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.