Headline
CVE-2023-20965
In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Fix commit (Gitiles commit record):

commit    0d3cb609b0851ea9e5745cc6101e57c2e5e739f2
tree      7a0189a8f8573cdefb0afbe02c560cc04bbd86d9
parent    bd318b9772759546509f6fdb8648366099dd65ad
author    Hai Shalom <[email protected]>  Thu Mar 02 23:00:56 2023 +0000
committer Android Build Coastguard Worker <[email protected]>  Thu Apr 06 00:38:45 2023 +0000

    [TOFU] Implement a secure TOFU flow

    Implement a secure TOFU flow for supporting devices, and
    notifications about insecure connections in non-supporting
    devices, when insecure configurations are not allowed.
    Handle the case where insecure enterprise configurations are
    allowed in the new and secure TOFU flow. In this mode, do not
    disconnect the network, do not load certificates, and do not
    notify the user about anything.
    Display the correct certificate information in the dialog,
    remove the email and 8-octet signature from the TOFU dialog, and
    replace with user-verifiable information: certificate expiration
    date (locale adjusted) and a SHA-256 fingerprint of the server
    certificate which is locally generated.
    Network admins can calculate the fingerprint of their server
    certificate and publish the result to their users, using:
    openssl x509 -in server-cert.pem -noout -fingerprint -sha256

    Updated-Overlayable: TRUE
    Updated-PDD: TRUE

    Bug: 267633332
    Bug: 251910611
    Bug: 250574778
    Test: atest ClientModeImplTest InsecureEapNetworkHandlerTest
    Test: atest WifiConfigManagerTest
    Test: Integration test on R, and T devices with overlay setting
    of insecure networks allowed and not allowed, and with new
    configs and insecure (Do not validate) configs made with R.
    Test: Functional test, UI verification with multiple locales
    (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a5227527411bc24e6e2c6276f16559c7305b6783)
    Merged-In: I5cac12cd8c52a8a9425e98dad0fb90893f53e374
    Change-Id: I5cac12cd8c52a8a9425e98dad0fb90893f53e374

Changed files (all modified, mode 100644; old blob id -> new blob id):

service/ServiceWifiResources/res/values/overlayable.xml
    2d6d08db5b4540a350d0cc8099849a74e021f211 -> 4ddba7f7322f680502cd308ba8942bf7839db727
service/ServiceWifiResources/res/values/strings.xml
    15ffcf0adabd9d5306e6ac64b3b8135d0768c967 -> bfcb96a1f8801857cc8dfe2ba8e877a43adbfcb9
service/java/com/android/server/wifi/ClientModeImpl.java
    92cc9ffce6119ede40f7d08d074399b8b9bc1e41 -> c4c0823db079402feb4ee5f2c833a75f339eae72
service/java/com/android/server/wifi/InsecureEapNetworkHandler.java
    225d01c7e55d10b3226fd112e6c4d6ae12f34ca7 -> 6c55feab7fdfeeec9943cf005f624046e09c2948
service/java/com/android/server/wifi/WifiConfigManager.java
    2079cb82d085a8c3eb69dcabab26d3b73327d346 -> f2a39dadaeb1c9010ab1e28e975c8297a1a14730
service/java/com/android/server/wifi/WifiKeyStore.java
    a69614090ce52d28a21430b0372ab917e628e308 -> deb2e9d94c36a6380358570288ece5f88581b294
service/java/com/android/server/wifi/WifiServiceImpl.java
    16b05c38892fdc15e3ff23257b591097c92c3280 -> 30ea2482954ffb0f3cf4ed496fc1925ea3915942
service/proto/src/metrics.proto
    09a596f984cf403feaf85b6ab986de9fbdd05d00 -> 871eb2c750cd50f21e7740a3d3d18463836352f1
service/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java
    ca8f5b031ceac99ff603d27679d89a0f7a22b208 -> cef996fef1df59033c6e62b544aa05b42170f837
service/tests/wifitests/src/com/android/server/wifi/InsecureEapNetworkHandlerTest.java
    aed3753ffc0f4f69c5bf998f376fe196f506493b -> b83f6e7e6c1f89ede082ef11d045996b43f3e6ee
service/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
    141dca53afb1a8b9c4b5f700c1257d344857470b -> b707b1d6b06fe564632f77f4e4d61c0fe3f394c9
service/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java
    eefa46bb7c13db355460f3d458b90abe3444c771 -> 9dc610b275ee4077d1b832a814059304cf7d243b
service/tests/wifitests/src/com/android/server/wifi/WifiKeyStoreTest.java
    9de443def48ebc9ccc708bf2b2644247aa38faca -> 37fbb8f7b27a9902adc4a6994f0e0d2c653d44ed
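The commit message tells network admins to publish the SHA-256 fingerprint of the server certificate with `openssl x509 -in server-cert.pem -noout -fingerprint -sha256`, and the new TOFU dialog shows a locally generated fingerprint for the user to compare against it. The Python below is an added example, not code from this page or from the Android Wi-Fi service: it computes the same value without openssl (SHA-256 over the DER encoding of the first certificate in a PEM file, rendered in openssl's colon-separated upper-case form) and compares a fingerprint as a user reads it off the dialog against the published one, ignoring case, colons and the `sha256 Fingerprint=` prefix openssl prints. The PEM block in it is a constructed stand-in wrapping the bytes `abc`, not a real certificate, and the function names are assumptions of this example.

```python
"""Added example: compute and compare the SHA-256 certificate fingerprint
shown by the TOFU dialog, using only the Python standard library.
This is not code from the page or from the Android Wi-Fi service."""
import base64
import hashlib
import re

# First CERTIFICATE block in a PEM file (what `openssl x509 -in file.pem` reads).
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in input: a PEM wrapper around the bytes b"abc" ("YWJj" in
# base64).  It is NOT a real X.509 certificate; the hashing path is the same.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block.

    Like openssl x509, only the first certificate is used, so a file holding a
    whole chain must list the server (leaf) certificate first, or the
    fingerprint will belong to an intermediate instead.
    """
    match = _PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, in openssl's display form:
    upper-case hex octets joined by colons (95 characters for 32 bytes)."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_of_pem(pem_text: str) -> str:
    """Equivalent of: openssl x509 -in <file> -noout -fingerprint -sha256"""
    return sha256_fingerprint(pem_to_der(pem_text))


def normalize_fingerprint(value: str) -> str:
    """Reduce a fingerprint as a human might paste it (with or without the
    'sha256 Fingerprint=' prefix, colons, spaces, or upper case) to bare
    lower-case hex so that formatting differences alone do not cause a mismatch."""
    value = value.rsplit("=", 1)[-1]
    return re.sub(r"[^0-9a-f]", "", value.lower())


def fingerprints_match(shown: str, published: str) -> bool:
    """True only when both are complete 32-byte SHA-256 values and identical.
    A prefix match (the user checked only the first few octets) is rejected."""
    a, b = normalize_fingerprint(shown), normalize_fingerprint(published)
    return len(a) == 64 and a == b


if __name__ == "__main__":
    fp = fingerprint_of_pem(SAMPLE_PEM)
    print("sha256 Fingerprint=" + fp)
    # What a user might type back from the dialog: lower case, no colons.
    print(fingerprints_match(fp.lower().replace(":", ""), fp))
```

The comparison deliberately requires all 32 octets to match: the weak point of any manual fingerprint check is a user who compares only the first few bytes, so a partial or truncated value is treated as a mismatch. Also note that, like `openssl x509`, only the first certificate in the file is fingerprinted, so a bundle must have the server certificate first or the published value will be that of an intermediate or root CA rather than the server certificate the dialog displays.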
Related news
In doKeyguardLocked of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.