Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn


The zero-day vulnerability could enable privilege escalation, and is not part of Google’s Android September security update.


Researchers are warning of a high-severity zero-day vulnerability in Google’s Android operating system, which if exploited could give a local attacker escalated privileges on a target’s device.

The specific flaw exists within the v4l2 (Video4Linux 2) driver, which is the Android media driver. The bug stems from a component within v4l2 that “does not validate the existence of an object prior to performing operations on the object,” according to researchers with Zero Day Initiative (ZDI). Researchers said an attacker with physical access to the Android device could leverage the flaw to escalate privileges in the context of the kernel, which typically allows an attacker to take control of the targeted device.

“An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability,” according to ZDI researchers, who discovered the flaw and publicly disclosed the bug on Wednesday.

The vulnerability scores 7.8 out of 10 on the CVSS scale, making it high-severity. According to Brian Gorenc, director of Trend Micro’s Zero Day Initiative (ZDI) program, an attacker would need to convince a user to install and run their specially crafted application.

“In the unlikely event an attacker succeeds in exploiting this bug, they would effectively have complete control over the target device,” he told Threatpost. Once an attacker obtains escalated privileges, “it means they could completely take over a device if they can convince a user to install and run their application,” he said.

Researchers first discovered and reported the flaw on March 13, 2019. On Wednesday, the coordinated advisory was publicly released. Google did not immediately respond to a request for comment from Threatpost regarding any future patch for the flaw.

When Google was first contacted by ZDI regarding the vulnerability, “the vendor confirmed the vulnerability would be fixed, but did not provide an estimated time frame,” according to ZDI’s advisory.

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service,” said researchers. “Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

The disclosure of the vulnerability comes the same week as Google released its September Android Security Bulletin, which includes fixes for two critical remote code execution vulnerabilities in the media framework of its Android operating system. However, the zero-day is being disclosed separately from the bulletin and currently does not have a patch, a spokesperson with ZDI told Threatpost.

On Tuesday, Google released fixes for two critical remote code execution vulnerabilities in the media framework of its Android operating system. These flaws could allow a remote attacker to execute arbitrary code.

Google’s September Android Security Bulletin also reported that it deployed fixes for 13 critical and high-severity vulnerabilities. For its part, Qualcomm, whose chips are used in Android devices, also patched 31 vulnerabilities, according to the bulletin, while Nvidia fixed three.

“The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2019-09-05 or later address all of these issues,” according to Google’s Tuesday bulletin. “The most severe of these issues is a critical security vulnerability in the Media framework component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”

The two critical flaws (CVE-2019-2176, CVE-2019-2108) exist in Android’s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images.

The flaws “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to Google.

Google also released fixes for five high-severity vulnerabilities in its framework, including four elevation of privilege bugs (CVE-2019-2123, CVE-2019-2174, CVE-2019-2175, CVE-2019-9254) and one information disclosure flaw (CVE-2019-2103). Also patched were six high-severity flaws in the Android operating system, including a remote code execution vulnerability (CVE-2019-2177), two elevation of privilege glitches (CVE-2019-2115, CVE-2019-2178) and three information disclosure bugs (CVE-2019-2179, CVE-2019-2180, CVE-2019-2124).

Google also patched 21 CVEs related to Qualcomm and Nvidia components, which are used in Android devices.

The most severe Qualcomm component flaws were two critical vulnerabilities in closed-source components (CVE-2019-10533 and CVE-2019-2258). Also patched were high-severity flaws in Qualcomm’s LK bootloader, audio, kernel, graphics driver and WLAN HOST components.

Three high-severity flaws were also patched in Nvidia components, including two elevation of privilege flaws in the BootROM component (CVE-2018-6240, CVE-2018-6240) and an information disclosure glitch in the ARM Trusted Firmware (CVE-2017-5715).

Manufacturers of Android devices push out their own patches to address the September updates in tandem with or after the Google Security Bulletin.

Samsung said in a security alert that it is releasing a maintenance release for major flagship models as part of its monthly Security Maintenance Release (SMR) process, including patches from Google. That includes one of the critical remote code execution flaws (CVE-2019-2176) in Media Framework and a high-severity elevation of privilege flaw (CVE-2019-2123) in Framework.

And LG said in a Security Maintenance Release: “LGE is releasing a set of patches as part of Android Security Bulletin Monthly Release process. The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”

The patch update comes a week after Google fixed a high-severity vulnerability in its Chrome browser, which could enable remote attackers to execute code and carry out other malicious attacks. In August, Google also came into the security spotlight when security researchers from Tencent’s Blade Team warned Android smartphone and tablet users of flaws in Qualcomm chipsets, called QualPwn. The bugs collectively allowed hackers to compromise Android devices remotely simply by sending malicious packets over the air, with no user interaction required.

This article was updated on Sept. 5 at 11 am ET with further comments from ZDI. 

