The Hacker NewsTHN:37E4ECDE5CC5E074EC9FD4DF79D85121Google Warns of New Android 0-Day Vulnerability Under Active Targeted Attacks
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks.
Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation. Use-after-free issues are dangerous as it could enable a threat actor to access or referencing memory after it has been freed, leading to a βwrite-what-whereβ condition that results in the execution of arbitrary code to gain control over a victimβs system.
βThere are indications that CVE-2021-1048 may be under limited, targeted exploitation,β the company noted in its November advisory without revealing technical details of the vulnerability, the nature of the intrusions, and the identities of the attackers that may have abused the flaw.
Also remediated in the security patch are two critical remote code execution (RCE) vulnerabilities β CVE-2021-0918 and CVE-2021-0930 β in the System component that could allow remote adversaries to execute malicious code within the context of a privileged process by sending a specially-crafted transmission to targeted devices.
Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required.
With the latest round of updates, Google has addressed a total of six zero-days in Android since the start of the year β
- CVE-2020-11261 (CVSS score: 8.4) - Improper input validation in Qualcomm Graphics component
- CVE-2021-1905 (CVSS score: 8.4) - Use-after-free in Qualcomm Graphics component
- CVE-2021-1906 (CVSS score: 6.2) - Detection of error condition without action in Qualcomm Graphics component
- CVE-2021-28663 (CVSS score: 8.8) - Mali GPU Kernel Driver allows improper operations on GPU memory
- CVE-2021-28664 (CVSS score: 8.8) - Mali GPU Kernel Driver elevates CPU RO pages to writable
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C