In alac decoder, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06064258; Issue ID: ALPS06064237.
{"thn": [{"lastseen": "2022-05-09T12:39:26", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi4npQa24RB84rtY0DKjPVo0tfmkYbBC8DgF_56JlvkZkt1idxNF4HvL-yTF9xIQsyT_M-7Ja6HB-9QRIL1Fgs-qUzJnaB6uZg77-lsQgaQwrrKHYuJUSkXsLJID2mWej_KjeK_D2KC6Yga1FSA97FDLr_7Fa-PPjsYRaYKY36sq3rc8MMxjgydqXlx/s728-e100/android.jpg>)\n\nThree security vulnerabilities have been disclosed in the audio decoders of Qualcomm and MediaTek chips that, if left unresolved, could allow an adversary to remotely gain access to media and audio conversations from affected mobile devices.\n\nAccording to Israeli cybersecurity company [Check Point](<https://blog.checkpoint.com/2022/04/21/largest-mobile-chipset-manufacturers-used-vulnerable-audio-decoder-2-3-of-android-users-privacy-around-the-world-were-at-risk/>), the issues could be used as a launchpad to carry out remote code execution (RCE) attacks simply by sending a specially crafted audio file.\n\n\"The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera,\" the researchers said in a report shared with The Hacker News.\n\n\"In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.\"\n\nThe vulnerabilities, dubbed ALHACK, are rooted in an audio coding format originally developed and open-sourced by Apple in 2011. Called the Apple Lossless Audio Codec ([ALAC](<https://en.wikipedia.org/wiki/Apple_Lossless_Audio_Codec>)) or Apple Lossless, the audio codec format is used for lossless data compression of digital music.\n\nSince then, several third-party vendors, including Qualcomm and MediaTek, have incorporated the Apple-supplied reference audio codec implementation as the basis for their own audio decoders.\n\nAnd while Apple has consistently patched and remediated security flaws in its proprietary version of ALAC, the open-sourced variant of the codec has not received a single update since it was [uploaded to GitHub](<https://github.com/macosforge/alac>) 11 years ago on October 27, 2011.\n\nThe vulnerabilities discovered by Check Point relate to this ported ALAC code, two of which have been identified in [MediaTek](<https://corp.mediatek.com/product-security-bulletin/December-2021>) processors and one in [Qualcomm](<https://www.qualcomm.com/company/product-security/bulletins/december-2021-bulletin>) chipsets -\n\n * [**CVE-2021-0674**](<https://nvd.nist.gov/vuln/detail/CVE-2021-0674>) (CVSS score: 5.5, MediaTek) - A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction\n * [**CVE-2021-0675**](<https://nvd.nist.gov/vuln/detail/CVE-2021-0675>) (CVSS score: 7.8, MediaTek) - A local privilege escalation flaw in ALAC decoder stemming from out-of-bounds write\n * [**CVE-2021-30351**](<https://nvd.nist.gov/vuln/detail/CVE-2021-30351>) (CVSS score: 9.8, Qualcomm) - An out-of-bound memory access due to improper validation of number of frames being passed during music playback\n\nIn a proof-of-concept exploit devised by Check Point, the vulnerabilities made it possible to \"steal the phone's camera stream,\" said security researcher Slava Makkaveev, who is credited with discovering the flaws alongside Netanel Ben Simon.\n\nFollowing responsible disclosure, all the three vulnerabilities were closed by the respective chipset manufacturers in December 2021.\n\n\"The vulnerabilities were easily exploitable,\" Makkaveev explained. \"A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-21T10:18:00", "type": "thn", "title": "Critical Chipset Bugs Open Millions of Android Devices to Remote Spying", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-0674", "CVE-2021-0675", "CVE-2021-30351"], "modified": "2022-04-22T03:36:35", "id": "THN:09E65EDFC1DB5C485799EA458EA154E0", "href": "https://thehackernews.com/2022/04/critical-chipset-bug-opens-millions-of.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
CVE-2021-0674
