
High-Severity Android RCE Flaw Fixed in August Security Update

August 5, 2020

Google addressed high-severity and critical flaws tied to 54 CVEs in this month’s Android security bulletin.

Google has released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code execution (RCE) on Android mobile devices.

Overall, 54 high-severity flaws were patched as part of Google’s August security updates for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high and critical-severity vulnerabilities tied to 31 CVEs.


The RCE flaw, the most serious of these flaws, exists in the Android Framework, which is a set of APIs – consisting of system tools and user interface design tools – that allow developers to quickly and easily write apps for Android phones.

The flaw (CVE-2020-0240) “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process,” according to Google’s security bulletin. It has been fixed for devices running on version 10 of the Android operating system.

Other high-severity flaws in the Framework include two elevation-of-privilege (EoP) vulnerabilities (CVE-2020-0238 and CVE-2020-0257), three information disclosure glitches (CVE-2020-0239, CVE-2020-0249 and CVE-2020-0258) and a denial-of-service (DoS) flaw (CVE-2020-0247).

Google also issued fixes for a few high-severity flaws in Android’s Media framework, which includes support for playing a variety of common media types, so that users can easily use audio, video and images. The issues (CVE-2020-0241, CVE-2020-0242, CVE-2020-0243) are EoP flaws.

Also fixed were four high-severity flaws in the Android System area, including two EoP issues (CVE-2020-0108 and CVE-2020-0256) and two information disclosure glitches (CVE-2020-0248 and CVE-2020-0250). These “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions,” according to Google.

Components

Google also rolled out patches for flaws in various third-party components in its Android ecosystem. One such flaw (CVE-2020-0259) exists in a component by AMLogic, a company that designs and sells SoC (system on chip) integrated circuits. The specific component is dm-verity, which helps prevent persistent rootkits that can hold onto root privileges and compromise devices. This EoP flaw could enable a “local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to Google.

Several flaws were also fixed in the Kernel components used in Android, including an EoP flaw (CVE-2020-0255) in the SELinux component and one (CVE-2020-12464) in the Linux USB Subsystem, as well as an information disclosure flaw (CVE-2019-16746) in the Linux Wireless Subsystem.

Also fixed were several flaws in MediaTek components affecting the Multimedia Processing Driver, which bolsters the processing of media like video. These include three high-severity EoP flaws (CVE-2020-0252, CVE-2020-0253, CVE-2020-0260) and two information disclosure glitches (CVE-2020-0251 and CVE-2020-0254).

Finally, 31 critical and high-severity flaws were addressed in Qualcomm components, including a critical flaw in the WLAN component (CVE-2020-11116) and five critical flaws patched (CVE-2019-10562, CVE-2019-10615, CVE-2019-13998, CVE-2020-3619 and CVE-2020-3667) in “closed-source components.”

Manufacturer Updates

Manufacturers of Android devices typically push out their own patches to address updates in tandem with or after the Google Security Bulletin. Samsung said in an August security maintenance release that it is releasing many of the Android security bulletin patches, including those addressing critical flaws CVE-2020-3699 and CVE-2020-3698, to major Samsung models. And, a bulletin said, a security update for Pixel devices, which run on Google’s Android operating system, is “coming soon.”

Android has faced several security issues in the past. In July, researchers found that Android users had been targeted by mobile malware or mobile adware and suffered a system partition infection, making the malicious files virtually undeletable. And in June, Google addressed two critical flaws in its latest regular Android update that enable remote code execution (RCE) on Android mobile devices.
