Headline
Update now! Google patches vulnerabilities for Pixel mobile phones
Categories: Exploits and vulnerabilities, News
Tags: Google, Pixel, critical, CVE-2022-20364, CVE-2022-20231, Trusty, Kernel
The post Update now! Google patches vulnerabilities for Pixel mobile phones appeared first on Malwarebytes Labs.
Google’s Pixel Update Bulletin for September included two security patches that are Pixel specific.
Both underlying vulnerabilities are rated critical and could lead to privilege escalation and device takeover.
The vulnerabilities
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that are Pixel specific:
CVE-2022-20231: a critical Elevation of Privileges vulnerability in Trusty. This buffer overflow vulnerability allows a local application to escalate privileges on the system.
Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. The Trusty OS runs on the same processor as the Android OS, but Trusty is isolated from the rest of the system by both hardware and software. Trusty and Android run parallel to each other. Trusty has access to the full power of a device’s main processor and memory but is completely isolated. Trusty’s isolation is designed to protect it from malicious apps installed by the user and potential vulnerabilities that may be discovered in Android.
CVE-2022-20364: a critical Elevation of Privileges vulnerability in Kernel. The Android kernel is based on an upstream Linux Long Term Supported (LTS) kernel. At Google, LTS kernels are combined with Android-specific patches to form what are known as Android Common Kernels (ACKs). This buffer overflow vulnerability exists due to a boundary error within the kernel component. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Buffer overflow
A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. Buffers contain a defined amount of data. Any extra data could overwrite assigned data values in memory addresses adjacent to the destination buffer.
Elevation of privileges
Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
Mitigation
All supported Google devices will receive an update to the 2022-09-05 patch level. The update also includes patches for the 46 bugs that Google addressed in Android this month. We encourage all Pixel users to accept these updates to their devices.
To learn how to check a device’s security patch level, read the instructions on the Google device update schedule.
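When more than one device needs checking, the patch level can also be read over adb and compared with the 2022-09-05 level mentioned above. The script below is an added example, not part of the original article or of Google's instructions; it assumes adb is installed and the devices have authorised USB debugging, and the serials in its sample inventory are constructed.

```shell
#!/bin/sh
# Added example: flag devices below the 2022-09-05 patch level from the article.
REQUIRED_LEVEL="2022-09-05"

# Exit 0 if $1 is at or after $2, 1 if older, 2 if missing or malformed.
patch_level_ok() {
    level=$1 required=$2
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # With the dashes removed, YYYYMMDD values compare as plain integers.
    [ "$(printf %s "$level" | tr -d '-')" -ge "$(printf %s "$required" | tr -d '-')" ]
}

# Read "serial level" pairs on stdin and print one verdict per device.
audit_report() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        rc=0
        patch_level_ok "$level" "$REQUIRED_LEVEL" || rc=$?
        case $rc in
            0) echo "$serial OK $level" ;;
            1) echo "$serial OUTDATED $level" ;;
            *) echo "$serial UNKNOWN ${level:-none}" ;;
        esac
    done
}

# Query each device that adb lists in the "device" (online, authorised) state.
collect_levels() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # adb shell reads stdin, so detach it to keep the loop's input intact.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        echo "$serial $level"
    done
}

# Constructed sample inventory (serials are made up) for an offline run.
sample_inventory() {
    printf '%s\n' 'PIXEL6-A 2022-09-05' 'PIXEL5-B 2022-08-05' 'PIXEL4-C '
}

if [ "${1:-}" = "--adb" ]; then
    collect_levels | audit_report
else
    sample_inventory | audit_report
fi
```

Run it with `--adb` to audit attached devices; without arguments it reports on the constructed sample. A device that returns no patch level is reported as UNKNOWN rather than assumed to be patched.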
Stay safe, everyone!
Related news
In SitRilClient_OnResponse of SitRilSe.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223086933. References: N/A
In smc_intc_request_fiq of arm_gic.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-211485702. References: N/A
Unpatched Pixel devices are at risk for escalation of privileges, Google warns.