Google has issued security patches for the Android Operating System. In total, the patches address 39 vulnerabilities. There are indications that one of the patched vulnerabilities may be under limited, targeted exploitation.

The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

Let’s have a closer look at the vulnerabilities that might seem interesting from a cybercriminal’s perspective.

The zero-day

Google has issued a patch for a possibly actively exploited zero-day vulnerability in the Android kernel. The vulnerability that got listed under CVE-2021-1048, could allow an attacker with limited access to a device, for example through a malicious app, to elevate his privileges (EoP). Further details about this vulnerability have not been provided by Google, except that it is caused by a use-after-free (UAF) weakness and that it may be under limited, targeted exploitation.

Use after free is a vulnerability caused by incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. In this case that means they could run malicious code with the permissions granted to the legitimate program.

Android TV

The most severe vulnerability in the Android TV could enable a proximate attacker to silently pair with a TV and execute arbitrary code with no privileges or user interaction required. This vulnerability, listed under CVE-2021-0889, lies in Android TV’s remote service component.

CVE-2021-0918 and CVE-2021-0930

In the System section of the security bulletin we can find two Remote Code Execution (RCE) vulnerabilities that are rated as Critical. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

The most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. At this point it is unclear whether this description applies to CVE-2021-0913 or CVE-2021-0930 since both are listed as critical RCE’s.

No more details were provided, but Google has used the description “a specially crafted transmission” for Bluetooth vulnerabilities in the past.

Chipsets

Besides vulnerabilities in the Android code, Google has fixed vulnerabilities introduced by some of the chipset manufacturers that Android uses. This round we spotted MediaTek and Qualcomm closed-source components. Two of the vulnerabilities in the Qualcomm software are listed as CVE-2021-1924 and CVE-2021-1975, and have been listed as critical. The severity assessment of these issues is provided directly by Qualcomm.

CVE-2021-1975 is located in the data-modem and can be used remotely. It is a possible heap overflow due to improper length check of domain while parsing the DNS response. This vulnerability got a CVSS rating of 9.8.  

Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

Android patch levels

Security patch levels of 2021-11-06 or later address all of these issues. To learn how to check a device’s security patch level, see Check and update your Android version.

Google releases at least two patch levels each month, and for November, they are 2021-11-01, 2021-11-05, and 2021-11-06.

For those who see an update alert marked as 2021-11-01, it means that they will get the following:

  • November framework patches
  • October framework patches
  • October vendor and kernel

Those who see either 2021-11-05 or 2021-11-06 patch levels will receive all of the above, plus the November vendor and kernel patches.

Stay safe, everyone!