Google Patches 11 Critical RCE Android Vulnerabilities

Google’s December Android Security Bulletin tackles 53 unique flaws.

Remote code-execution (RCE) vulnerabilities dominated Google’s December Android Security Bulletin.

The flaws are among 53 unique bugs patched by the Android security team. Eleven are rated critical, six of which are RCE flaws tied to the operating system’s Media Framework and System components.

According to Google, there are no reports that any of the unique bugs have been exploited or abused in the wild. Patches apply to Google’s Pixel and Nexus devices along with flagship Android phones from Samsung, LG, HTC and others. Over-the-air updates will be sent to Google handsets, and update schedules for other device manufacturers and mobile carriers will vary, according to the bulletin.

The Android Media Framework, which acts as a go-between for media software and hardware, received the brunt of the patching. Four RCE vulnerabilities (CVE-2018-9549, CVE-2018-9550, CVE-2018-9551, CVE-2018-9552) impacted Android Open Source Project operating system versions ranging from 7.0 (Nougat) to 9 (Pie).

The most severe of the vulnerabilities released by the Android Security Team on Monday were the RCE bugs that “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”

Additional information regarding the critical CVEs was not immediately available.

In all, 42 of the CVEs ranked high in severity. Nine were tied to escalation-of-privilege (EoP) bugs. One of the few EoP bugs that linked to an external description, CVE-2018-10840, was tied to the Android Kernel component (ext4 filesystem).

“The Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image,” according to a Red Hat Bugzilla report. The bug was initially reported by Sam Fowler in May and publicly disclosed and patched this month.

The bulk of the bugs listed as high-severity, 24 of them, were affiliated with Qualcomm. Only limited information was available regarding the Qualcomm bugs.

Device-maker LG also issued its own December LG Security Bulletin and listed three high-severity bugs of its own, including an SMS bug and a GPS vulnerability triggered “during emergency 911 call and GPS use case (MTK chipset only).”

Meanwhile, Samsung indicated that its December Samsung Mobile update included 40 vulnerabilities beyond Google’s Android update. It provided additional, but limited, data regarding two critical vulnerabilities tied to its use of ARM’s Exynos system-on-chips (series 9810) running on 8895 chipsets. One was a stack-overflow bug that could allow arbitrary code-execution. The second was a heap-overflow bug that “may cause memory issues.” Both were privately disclosed to Samsung on Oct. 15.
