Google patched five critical bugs in its Android operating system as part of its February Security Bulletin. Two of the flaws were remote code execution vulnerabilities found within the Android media framework and system.
Three additional critical Qualcomm bugs were reported by Google and patched by Qualcomm – part of a separate security bulletin disclosure. One of those flaws (CVE-2020-11163) has a Common Vulnerability Scoring System (CVSS) rating of 9.8 out of 10. The bug is tied to the wireless local area network (WLAN) chip used for Wi-Fi communications.
In all, Google patched 22 vulnerabilities in the Android OS, 15 of which were elevation-of-privilege (EOP)-class bugs. Another 22 security flaws were addressed by Qualcomm and impacted a range of device functions such as Wi-Fi radio, camera and device displays.
Patch Cadence and Disclosure
Over-the-air updates to the Android operating system and chipset firmware will be pushed to devices over the following days and weeks. Google’s own Pixel-device family typically receives the updates first, with other device manufacturers’ handsets following. The technical details of the patched vulnerabilities are often not released until a majority of affected handsets have been patched.
The most severe of the critical bugs in the Android OS is a security vulnerability in the Media Framework component that allows for remote code execution (RCE), enabling a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process, according to Google. The bug is tracked as CVE-2021-0325, and received a “critical” rating on Android 8.1 and 9 but a “high” rating on Android 10, 11 and 12, the company said.
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” according to the security bulletin.
The patch itself will be delivered in two parts, the first of which patches 20 vulnerabilities in the Android OS and the second of which addresses 23 flaws found in the Android kernel and assorted components from Qualcomm, according to Google.
More Remote Code Execution Bugs
Also included in the update are patches for two additional bugs in the Media Framework, one tracked as CVE-2021-0332 that allows for privilege elevation on Android 10 and 11.
Another critical RCE bug, CVE-2021-0326, was found in the System component and could enable a remote attacker to use “a specially crafted transmission to execute arbitrary code within the context of a privileged process,” according to Google. It’s been updated for versions 8.1, 9, 10 and 11 of the OS.
Five other vulnerabilities patched in the update for Android System all include EOP capability and have been updated for all versions of the OS from 8.1 upwards, the company said.
The update also patches 10 bugs found in Android Framework, nine of which include EOP capability and affect various versions of the OS. All of the Framework vulnerabilities received a “high” rating, according to the advisory.
Qualcomm Bugs: Also Patched
The other three bugs in the update with “critical” ratings affect Qualcomm components in Android. The most serious, based on public information, is tracked as CVE-2020-11272 (CVSS score 9.8) and affects the WLAN component.
Qualcomm describes the bug as an “improper validation of array index in data modem” flaw. It offered additional limited details including that the bug can be abused by an attacker should they trigger a “buffer overflow while updating ikev2 parameters.” Internet Key Exchange (IKEv2) is the protocol used to set up a security association in the IPsec protocol suite, according to a technical description.
The two others, CVE-2020-11163 and CVE-2020-11170, affected Qualcomm closed-source components found in the OS.
The Android Kernel, Google Play system, and Android runtime each received one patch in the update, each for a bug rated “high.”
Last month Google also addressed 43 bugs in Android, including two critical bugs, one of which was found in Android System and allowed remote attackers to execute arbitrary code.
At this time there is no evidence that any of the vulnerabilities patched in the February update are being actively exploited in the wild, according to a post on the update by the Center for Internet Security (CIS).
CIS recommended that Android users apply the Android updates provided by Google or their mobile carriers to vulnerable systems “immediately after proper testing.” The center also reminded users to only download applications from trusted vendors in the Google Play Store and also to avoid visiting untrusted websites or following links provided by unknown or untrusted sources.