There is an out-of-bounds read and write vulnerability in some headset products. An unauthenticated attacker gets the device physically and crafts malformed message with specific parameter and sends the message to the affected products. Due to insufficient validation of message, which may be exploited to cause out-of-bounds read and write.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy

Back to Main Menu

Huawei Websites

Corporate

Corporate news and information

Consumer

Phones, laptops, tablets, wearables & other devices

Enterprise

Enterprise products, solutions & services

Carrier

Products, solutions & services for carrier networks

Huawei Cloud

Cloud products, solutions & services

**Security Advisory - Out-of-bounds Read and Write Vulnerability in Some Huawei Headset Products**

*   SA No:huawei-sa-20220826-01-outofboundread
*   Initial Release Date: Sep 01, 2022
*   Last Release Date: Sep 01, 2022

  

There is an out-of-bounds read and write vulnerability in some headset products. An unauthenticated attacker gets the device physically and crafts malformed message with specific parameter and sends the message to the affected products. Due to insufficient validation of message, which may be exploited to cause out-of-bounds read and write. (Vulnerability ID: HWPSIRT-2020-87976)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-36602.

For products that have released software updates to fix this vulnerability, Huawei will release and update the Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20220826-01-outofboundread-en

Affected Product

Affected Version

Resolved Version

576up005 HOTA-CM-H-Shark-BD

1.0.0.576-fullpackage

CM-H-Shark-BD 1.0.0.612

577HOTA-CM-H-Shark-BD

1.0.0.577-fullpackage

CM-H-Shark-BD 1.0.0.612

581up-HOTA-CM-H-Shark-BD

1.0.0.581-fullpackage

CM-H-Shark-BD 1.0.0.612

586-HOTA-CM-H-Shark-BD

1.0.0.586-fullpackage

CM-H-Shark-BD 1.0.0.612

588-HOTA-CM-H-Shark-BD

1.0.0.588-fullpackage

CM-H-Shark-BD 1.0.0.612

606-HOTA-CM-H-Shark-BD

1.0.0.606-fullpackage

CM-H-Shark-BD 1.0.0.612

BI-ACC-REPORT

1.0.0.1

CM-H-Shark-BD 1.0.0.612

1.0.0.2

1.0.0.3

1.0.0.4

1.0.0.5

CM-H-Shark-BD

1.0.0.106

1.0.0.612

1.0.0.116

1.0.0.202

1.0.0.208

1.0.0.216

1.0.0.226

1.0.0.228

1.0.0.510

1.0.0.520

1.0.0.522

1.0.0.566

1.0.0.576

1.0.0.578

1.0.0.586

1.0.0.588

1.0.0.66(VN2-SP11)

1.0.0.66(VN2-SP15)

1.0.0.66(VN2-SP17)

1.0.0.66(VN2-SP21)

1.0.0.66(VN2-SP27)

1.0.0.66(VN2-SP29)

1.0.0.66(VN2-SP31)

1.0.0.66(VN2-SP33)

1.9.0.208

1.9.0.612

1.9.0.216

1.9.0.226

1.9.0.228

1.9.0.510

1.9.0.520

1.9.0.522

1.9.0.566

1.9.0.578

1.0.0.612

1.9.0.586

1.9.0.612

1.9.0.588

By exploiting this vulnerability, the attacker can cause out-of-bounds read and write.

This vulnerability can be exploited only when the following conditions are present:

The attacker gains the device and can access to device.

Vulnerability details:

An unauthenticated attacker gets the device physically and crafts malformed message with specific parameter and sends the message to the affected products. Due to insufficient validation of message, which may be exploited to cause out-of-bounds read and write.

  

This vulnerability was reported to Huawei PSIRT by Wen Guanxing. Huawei would like to thank Wen Guanxing for working with us and coordinated vulnerability disclosure to protect our customers.

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2020-36602: huawei-sa-20220826-01-outofboundread-en

A permission bypass vulnerability in Huawei cross device task management could allow an attacker to access certain resource in the attacked devices. Affected product versions include:JAD-AL50 versions 102.0.0.225(C00E220R3P4).

**Security Advisory - Permission Bypass Vulnerability in Huawei Products**

*   SA No:huawei-sa-20220819-01-7e0a6103
*   Initial Release Date: Aug 19, 2022
*   Last Release Date: Aug 19, 2022

  

A permission bypass vulnerability in Huawei cross device task management could allow an attacker to access certain resource in the attacked devices. (Vulnerability ID: HWPSIRT-2021-96118)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2021-46834.

For products that have released software updates to fix this vulnerability, Huawei will release and update the Security Advisory at:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20220819-01-7e0a6103-en

Affected Product

Affected Version

Resolved Version

JAD-AL50

102.0.0.225(C00E220R3P4)

102.0.0.245(C00E245R3P4)

  

Successful exploitation could allow an attacker to access certain resource in the attacked devices.

This vulnerability can be exploited only when the following conditions are present:

The attacked device needs to initiate cross device task management to the attacker device.

Vulnerability details:

A permission bypass vulnerability in the cross device task management function of Huawei products. This vulnerability exists because insufficient permission verification. After the attacked device initiates cross device task management to the attacker device, the attacker could exploit the vulnerability through this function. A successful exploit could allow the attacker to access certain resource in the attacked devices.

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

The vulnerability was discovered by external researchers.

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2021-46834: huawei-sa-20220819-01-7e0a6103-en

A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks.Affected product versions include:CV81-WDM FW versions 01.70.49.29.46.

A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks. (Vulnerability ID: HWPSIRT-2022-49379)  
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2022-37395.

Affected Product

Affected Version

Resolved Version

CV81-WDM FW

01.70.49.29.46

01.94.59.32.46

Successful exploitation could result in a denial of service attack  

This vulnerability can be exploited only when the following conditions are present:

Attackers can access affected devices through the network

Vulnerability details:

A DoS vulnerability exists in the SNMP parsing module of a Huawei terminal. The vulnerability is due to insufficient validation of external input packets. Attackers can construct malicious SNMP packets to exploit the vulnerability. Successful exploitation could result in denial of service, etc.  

This vulnerability was discovered by Huawei internal tester.  

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-37395: Security Advisory - The input verification vulnerability of a Huawei Device product is involved.

Out-of-bounds write vulnerability in the power consumption module. Successful exploitation of this vulnerability may cause the system to restart.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the August 2022 Android security bulletin:

Critical: none

High: CVE-2021-39696, CVE-2022-20344, CVE-2022-20346, CVE-2022-20347, CVE-2022-20348, CVE-2022-20349, CVE-2022-20350, CVE-2022-20355, CVE-2022-20358, CVE-2022-22080

Medium: CVE-2021-3609, CVE-2022-1055, CVE-2022-20158, CVE-2022-20368, CVE-2022-20371, CVE-2022-27666, CVE-2022-29581

Low: none

Already included in previous updates: CVE-2022-20219, CVE-2022-21744, CVE-2022-20083, CVE-2022-20126, CVE-2022-20133, CVE-2021-35102, CVE-2021-35120, CVE-2021-30318, CVE-2021-1942, CVE-2021-35104

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40019: Out-of-bounds heap read vulnerability in the HW\_KEYMASTER module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-40023: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40024: Information leakage vulnerability in the interface implementation of the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-46836: Information leakage vulnerability in the interface implementation of the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-37008: Vulnerability of the update package not being verified before used in the recovery module

Severity: Medium

Affected versions: EMUI 10.1.1, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect system stability.

CVE-2022-38977: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38978: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38979: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38980: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38981: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38982: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38983: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38984: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38985: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38986: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38987: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38988: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38989: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38990: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38991: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38992: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38993: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38994: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38995: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38996: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38997: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38999: Improper update of reference count vulnerability in the AOD module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect integrity, confidentiality, and availability.

CVE-2022-39000: Malicious app control vulnerability in the iAware module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause malicious apps to automatically start upon system startup.

CVE-2022-39001: Path traversal vulnerability in the number identification module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause data leakage.

CVE-2022-39002: Double free vulnerability in the storage module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause the memory to be freed twice.

CVE-2022-39003: Buffer overflow vulnerability in the video framework

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect the confidentiality and integrity of trusted components.

CVE-2022-39004: Memory leak vulnerability in the MPTCP module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability can cause memory leak.

CVE-2022-39005: Memory leak vulnerability in the MPTCP module

Severity: Medium

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability can cause memory leak.

CVE-2022-39006: Race condition vulnerability in the MPTCP module

Severity: Critical

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2022-39007: Permission verification bypass vulnerability in the Location module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may lead to privilege escalation.

CVE-2022-39008: Bundle serialization/deserialization mismatch vulnerability in the NFC module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to read and write arbitrary system app files.

CVE-2022-39009: Permission verification vulnerability in the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to affect WLAN functions.

CVE-2022-39010: Permission control vulnerability in the HwChrService module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to obtain the user network information.

CVE-2020-36600: Out-of-bounds write vulnerability in the power consumption module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the system to restart.

Acknowledgment: Wen Guanxing

CVE-2020-36601: Out-of-bounds write vulnerability in the kernel modules

Severity: Medium

Affected versions: EMUI 10.1.0, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause a panic reboot.

Acknowledgment: Wen Guanxing

CVE-2020-36600: September

In the SEPolicy configuration of system apps, there is a possible access to the 'ip' utility due to an insecure default value. This could lead to local information disclosure of network data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219808546References: Upstream kernel

_Published September 6, 2022 Updated September 9, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-09-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-09-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-22822

A-219942275

EoP

High

10, 11, 12, 12L

CVE-2022-23852

A-221255869

EoP

High

10, 11, 12, 12L

CVE-2022-23990

A-221256678

EoP

High

10, 11, 12, 12L

CVE-2022-25314

A-221384482

EoP

High

10, 11, 12, 12L

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20218

A-223907044

EoP

High

12, 12L

CVE-2022-20392

A-213323615 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2022-20393

A-233735886

ID

High

11, 12, 12L

CVE-2022-20197

A-208279300

EoP

Moderate

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20395

A-221855295

EoP

High

11, 12, 12L, 13

CVE-2022-20398

A-221859734

EoP

High

13

CVE-2022-20396

A-234440688

ID

High

12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller, Permission Controller

CVE-2022-20218

MediaProvider

CVE-2022-20395

WiFi

CVE-2022-20398

**2022-09-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local information disclosure of network data with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-20399

A-219808546  
Upstream kernel

ID

High

SELinux

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege in system libraries with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2021-4083

A-216408350  
Upstream kernel

EoP

High

Kernel

CVE-2022-29582

A-231494876  
Upstream kernel

EoP

High

fs

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0697

A-238918403\*

High

PowerVR-GPU

CVE-2021-0942

A-238904312\*

High

PowerVR-GPU

CVE-2021-0943

A-238916921\*

High

PowerVR-GPU

CVE-2021-0871

A-238921253\*

High

PowerVR-GPU

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-26447

A-237956326  
M-ALPS06784478\*

High

BT firmware

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20385

A-238379819  
U-1903041\*

High

kernel

CVE-2022-20386

A-238227328  
U-1903099\*

High

Android

CVE-2022-20387

A-238227324  
U-1872920\*

High

Android

CVE-2022-20388

A-238227323  
U-1872920\*

High

Android

CVE-2022-20389

A-238257004  
U-1872920\*

High

Android

CVE-2022-20390

A-238257002  
U-1872920\*

High

Android

CVE-2022-20391

A-238257000  
U-1872920\*

High

Andorid

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-22095

A-223210037  
QC-CR#3168780  
QC-CR#3088894

High

Kernel

CVE-2022-25656

A-228101796  
QC-CR#3119439 \[2\]  
QC-CR#2998082 \[2\]

High

Kernel

CVE-2022-25670

A-235102548  
QC-CR#3104235

High

WLAN

CVE-2022-25693

A-235102897  
QC-CR#3141474

High

Display

CVE-2022-25704

A-235102694  
QC-CR#3155069 \[2\]

High

Bluetooth

CVE-2022-25706

A-235102901  
QC-CR#3155132

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25708

A-235102756\*

Critical

Closed-source component

CVE-2022-22066

A-223209292\*

High

Closed-source component

CVE-2022-22074

A-235102567\*

High

Closed-source component

CVE-2022-22081

A-235102758\*

High

Closed-source component

CVE-2022-22089

A-235102568\*

High

Closed-source component

CVE-2022-22091

A-223209291\*

High

Closed-source component

CVE-2022-22092

A-223211216\*

High

Closed-source component

CVE-2022-22093

A-223209815\*

High

Closed-source component

CVE-2022-22094

A-223210036\*

High

Closed-source component

CVE-2022-25669

A-235102508\*

High

Closed-source component

CVE-2022-25686

A-235102899\*

High

Closed-source component

CVE-2022-25688

A-235102421\*

High

Closed-source component

CVE-2022-25690

A-235102422\*

High

Closed-source component

CVE-2022-25696

A-235102900\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-09-01 or later address all issues associated with the 2022-09-01 security patch level.
*   Security patch levels of 2022-09-05 or later address all issues associated with the 2022-09-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-09-01\]
*   \[ro.build.version.security\_patch\]:\[2022-09-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-09-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-09-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-09-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

September 6, 2022

Bulletin Published

1.1

September 9, 2022

Bulletin revised to include AOSP links  
Revised CVE Table

CVE-2022-20399: Android Security Bulletin—September 2022  |  Android Open Source Project

US lawmakers keep warning about the popular app. But until they can explain what makes it uniquely dangerous, it’s difficult to tailor a resolution.

Amid a flurry of talking points and takedowns as the United States midterm elections loom, lawmakers and regulators have reheated claims about TikTok, a social media app they say poses a threat to personal privacy and US national security. Now, the Biden administration is reportedly readying its own action. But the exact scope of the problem and goals remain fuzzy. Owned by the Chinese tech giant Bytedance, TikTok has more than a billion users, including an estimated 135 million in the US, and some lawmakers, including former president Donald Trump, have warned over the past two years that the Chinese government could use the app to collect data on Americans or launch influence operations through the platform.

The US military banned its members from using TikTok on government devices or at all in late 2019 and early 2020, as did the Transportation Security Administration and some other federal agencies. Just last month, the chief administrative officer for the US House of Representatives warned lawmakers against installing TikTok due to the data it can collect. This followed a June 17 BuzzFeed News report, which found that ByteDance employees can and do gain access to US TikTok users' data in some situations. But for the general public, warnings from legislators and regulators this summer have continued to be vague and amorphous, underscoring broader ambiguity about where lawmakers' precise concerns lie. 

With so many users, TikTok is clearly a potentially rich source of personal data and could be exploited in the way other social platforms have been to spread disinformation or promote influence operations. But the reason TikTok has been singled out is less clear. Huge quantities of sensitive data about people living in the US are already available in various forms for purchase or the taking through other public social media platforms, the digital marketing industry, data brokers, and leaked stolen data troves. And long before the rise of TikTok, China was already notorious on the global stage for stealing massive quantities of data about Americans and others from governments and companies around the world. So, is it protectionism? Xenophobia? Special insight into US national security?

A report published by Semafor on Friday indicates that the Biden administration is preparing a series of executive orders to address TikTok and the Chinese tech sector's access to Americans' data more broadly. The report says the White House's actions could significantly curtail US investment in China, while other potential measures may limit what technology can be sold to Chinese clients and specifically limit the data Chinese tech companies can collect about US citizens.

Such steps would be less dramatic than the approach to TikTok taken by Biden's predecessor but would have a larger scope and wider set of potential ramifications. In the waning months of the Trump administration, the White House attempted to block TikTok from US app stores if ByteDance didn't sell the company to a US-based firm. Though the move failed, TikTok took steps to silo itself from its Chinese owners and announced in June that all US user traffic would be routed in the US. The company is still working on deleting all user data from its own servers in favor of processing everything in Oracle's cloud. The company stores data backups in the US and Singapore.

“The thing about TikTok is that a lot of people use it!” says Rui Zhong, a researcher at the Kissinger Institute on China and the United States. “The Trump administration also tried to ban WeChat, which is not just a communication platform but a technology platform that vacuums up reams of your data—more so than TikTok. But WeChat is almost exclusively used in the US by the Chinese diaspora, whereas TikTok is just broadly popular with Americans.”

She adds that while, from a US national security perspective, the existential threats are worth acknowledging, there wasn't enough information available about concrete concerns when the TikTok ban was on the table a couple of years ago or in remarks this summer. US officials still don't seem, at least publicly, to have a smoking gun illustrating the urgency of the threat. “It needed a better case built around it, and at the time in 2019 they just didn’t seem to have that case,” Zhong says. “Whether they will have something they can show Americans in the future or not, I can’t say.”

On June 24, days after the BuzzFeed report, a group of Republican senators led by Tom Cotton of Arkansas sent a letter to Treasury Secretary Janet Yellen “to inquire about the Biden administration’s delayed response to the national security and privacy risks posed by TikTok.” On June 28, a different group of nine Republican senators sent a letter to TikTok's CEO, Shou Zi Chew, laying out questions about the company's data management practices and relationship with ByteDance given that the company has always maintained that they will not share US user data with the Chinese government. On July 5, a bipartisan duo from the Senate Select Committee on Intelligence—democrat Mark Warner of Virginia and Republican Marco Rubio of Florida—sent a letter to the Federal Trade Commission urging the agency to investigate TikTok and ByteDance for “repeated misrepresentations by TikTok concerning its data security, data processing, and corporate governance practices.”

In a series of responses this summer both to lawmakers and the public, TikTok has staunchly maintained that it does not and would never share US user data with the Chinese government, and that it is a separate US-based entity subject to US laws. The company does not report publicly on government data requests, but it does publish a twice-annual report about government requests to remove content from the service. The latter report indicates that the company has never fulfilled a removal request from China.

The bottom line, though, is that TikTok is owned by ByteDance. And some ByteDance employees can access TikTok user data. Does that mean the ruling Chinese Communist Party (CCP) can get that data too? In his June 30 response to the nine Republican senators, TikTok's Chew said, “Employees outside the US, including China-based employees, can have access to TikTok US user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our US-based security team.” He described at length the layers of classification and restriction that protect user data from being accessed casually or without oversight. Chew and TikTok have long maintained that it they “have not provided US user data to the CCP, nor would we if asked.” When WIRED asked TikTok how this squares with the reality that ByteDance has access and could be compelled to exercise it under Chinese law, spokesperson Maureen Shanahan said, “TikTok is provided in the United States by TikTok Inc., which is incorporated in California and subject to US laws and regulations.”

Still, it is unclear whether TikTok poses a unique and specific threat to US national security or if it is simply a convenient proxy through which lawmakers are grappling with larger issues of data security and privacy, disinformation, content moderation, and influence in a globalized tech market. Similarly, the Chinese telecom giant Huawei faced controversy over whether the US should incorporate Chinese-made hardware into domestic 5G infrastructure, which was ultimately banned.

“There are definitely signs that Chinese influence efforts are likely to grow, linked to the Chinese government’s strategy more broadly of digital authoritarianism,” says Kian Vesteinsson, a research analyst for the nonprofit digital rights think tank Freedom House. “But it’s important for us to acknowledge that the US government has its own shadowy national security surveillance authorities. And in recent years, US government agencies have monitored social media accounts of people coordinating protests in the US and done things like searched electronic devices throughout the country and at the border. These sorts of tactics undermine the idea that this is only a foreign threat.”

Then there's the power imbalance TikTok may create. One thing about TikTok, in particular, is that its popularity and proliferation within the US could make it a one-stop shop for the Chinese government to mine the data of US users and launch influence operations in the US. Meanwhile, the US government may feel that it lacks a comparable mechanism through which it can so directly pull Chinese user data and work to sway public opinion in China.

“Let's assume for a second that US intelligence has access to WeChat. They would have to fight hard for that access, and it would constantly be at risk of discovery and neutralization. China, on the other hand, doesn't have to fight for access to TikTok; they have it by statutory authority,” says Jake Williams, director of cyber-threat intelligence at the security firm Scythe and a former National Security Agency hacker. “By itself, I don't think that the TikTok app on people's devices is a significant threat, but the potential for Chinese data collection across the platform is a larger concern, especially when combined with other data already acquired by Chinese state actors.”

Given its immense popularity, its ownership, and the fact that the bulk of TikTok activity is public by nature, there is no clear technical solution to boxing China out of the service. The question is whether the US government wants to devise a business solution or incentivize development of an appealing alternative platform. Still, privacy violations, security concerns, and foreign influence operations against US residents through social media are problems the US government has yet to solve. And neither technology bans nor countersurveillance will make them go away.

“One thing that we really should escalate here is that the US should be leading by example,” Freedom House's Vesteinsson says. “When we talk about expanding the US government’s surveillance powers, that sets a really bad example for governments around the world.”

It’s Time to Get Real About TikTok’s Risks

OpenSSF welcomes Capital One as a premier member affirming its commitment to strengthening the open source software supply chain.

**SAN FRANCISCO, Aug. 24, 2022** — Capital One joins the Open Source Security Foundation (OpenSSF) as a premier member, affirming its commitment to strengthening the open source software supply chain. OpenSSF is a cross-industry organization hosted at the Linux Foundation, designed to inspire and enable the community to secure the open source software we all depend on, including development, testing, fundraising, infrastructure, and support initiatives.

Capital One joins the OpenSSF Governing Board in charge of leading the organization and providing strategic direction. “We are happy to welcome Capital One to the Open Source Security Foundation,” says Brian Behlendorf, General Manager of OpenSSF. “As a highly regulated company that has invested in technology, Capital One has experience building the governance structure, modern architecture and collaborative culture that is critical for well-managed open source software delivery. By joining the OpenSSF, Capital One is demonstrating a serious commitment to secure open source software that benefits our entire ecosystem.”

As one of the nation’s leading digital banks, technology is central to Capital One’s business strategy and how value is delivered to more than 100 million customers. The company began a technology transformation over a decade ago, which included an open source-first declaration in 2015. A modern architecture in the cloud is allowing Capital One to take advantage of the world’s innovations and accelerate delivery by committing to a collaborative software-building approach among the open source community.

“Today some of the most ground-breaking digital experiences created for customers are based on open source software. As a company that widely adopts this technology, Capital One is incredibly proud to join the OpenSSF and the world’s technology leaders as we collaborate to strengthen the software security supply chain,” said Chris Nims, EVP of Cloud & Productivity Engineering at Capital One. “As a highly-regulated company, we are seasoned in managing compliance and governance and advocate for standardization, automation and collaboration. We look forward to working together to identify solutions that advance the OpenOSSF mission and give back to the open source community.”

Earlier this year, the OpenSSF unveiled a 10-point plan at the Open Source Security Summit hosted in conjunction with the White House in May. The plan feeds into 10 different workstreams, like finding ways to reduce patching response times for open source software, developing new metrics to track code and components, moving the industry away from non-memory safe programming languages that make it difficult to find and fix vulnerabilities, establishing a framework for incident response teams that can be deployed across the open source community and conducting annual third-party reviews of the top 200 most critical open source security components.

More recently, the OpenSSF hosted a Town Hall especially for open source software maintainers, contributors, software developers, and open source software users who know security is important, but haven’t made the leap to join an OpenSSF Working Group or Project yet. On Tuesday, Sept. 13, they will be hosting an OpenSSF Day EU at the Open Source Summit Europe in Dublin, Ireland, and online.

Capital One joins other OpenSSF premier members 1Password, AWS, Atlassian, Cisco, Citi, Coinbase, Dell Technologies, Ericsson, Fidelity, GitHub, Google, Huawei, Intel, IBM, JFrog, JPMorgan Chase, Meta, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, Sonatype, VMware, and Wipro.

**About OpenSSF**

The Open Source Security Foundation (OpenSSF) is a cross-industry organization hosted by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at: openssf.org.

**About the Linux Foundation**

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Capital One Joins Open Source Security Foundation

** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header.

Universal Plug and Play (UPnP), a ubiquitous protocol used by “billions of devices,” may be vulnerable to data exfiltration and reflected amplified TCP distributed denial of service (DDoS) attacks.

**Background**

On June 8, researcher Yunus Çadirci published an advisory for CallStranger, a vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is currently managed by the Open Connectivity Foundation (OCF). As its name implies, UPnP is a protocol designed to allow a variety of networked devices to universally communicate with each other without any special setup or configuration.

Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices such as smart televisions. As a result, Çadirci says this particular vulnerability potentially affects “billions of devices.”

**Analysis**

CVE-2020-12695 is a server-side request forgery (SSRF)-like vulnerability in devices that utilize UPnP. The vulnerability exists due to the ability to control the Callback header value in the UPnP SUBSCRIBE function.

Source: CallStranger Technical Report

The SUBSCRIBE function is part of the UPnP standard that allows devices to monitor changes in other devices and services. For example, the PoC published on GitHub shows port 2869 for Microsoft’s Xbox One — which is used to monitor device changes on the network for features like media sharing — as vulnerable.

In order to exploit the flaw, an attacker would need to send a specially crafted HTTP SUBSCRIBE request to a vulnerable device.

An attacker could utilize this vulnerability in the following scenarios:

*   Intranet device port scanning to gather additional data from trusted assets within an organization’s LAN, bypassing organizational Data Loss Prevention (DLP) standards.
*   Send large amounts of traffic to arbitrary destinations. Targets flooded by the affected devices could crash under the increased network load, resulting in a denial of service (DoS). This is a result of UPnP attempting to establish a TCP handshake with multiple SYN packets for all Callback values in the SUBSCRIBE request.
*   Exfiltrate sensitive device data by directing callback information to arbitrary targets.

With the exception of the DoS, these scenarios provide a stealthy method for an attacker to steal data from a compromised network. This sensitive information could potentially open up an organization to further attack.

**Proof of concept**

The original proof of concept (PoC) created by Çadirci has been added to his GitHub repository.

**Solution**

Since CallStranger is a protocol-level vulnerability, OCF has made changes to the UPnP protocol specification. Therefore, manufacturers of affected devices are in the process of determining its impact. As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support. Tenable product coverage for this vulnerability can be found in the “identifying affected systems” section below.

At the time this blog post was published, the CallStranger website listed the following operating systems, networking equipment, printers, IoT devices and applications as reportedly vulnerable.

****Operating Systems****

**Vendor/Model**

**Version**

Windows 10

10.0.18362.719

Xbox One OS

10.0.19041.2494

****Networking Equipment****

**Vendor/Model**

**Version**

ASUS

RT-N11

Broadcom ADSL

\-

Cisco Wireless Access Point

WAP150 WAP131 WAP351

D-Link

DVG-N5412SP

Huawei

HG255s (HG255sC163B03) HG532e MyBox

NEC AccessTechnica

WR8165N

Netgear

WNHDE111

Ruckus ZoneDirector

\-

TP-Link

Archer C50

ZTE

ZXV10 W300 H108N

Zyxel

AMG1202-T10B

****Printers****

**Vendor/Model**

**Version**

Canon Selphy

CP1200

Dell

B1165NFW

EPSON EP, EW, XP Series Printers

\-

Hewlett Packard Deskjet, Photsmart and Officejet ENVY

\-

Samsung

X4300

****Internet of Things****

**Vendor/Model**

**Version**

Canal Digital ADB

TNR-5720 SX

Belkin Wemo

\-

Nokia HomeMusic Media Device

\-

Panasonic

BB-HCM735 VL-MWN350

Philips

2k14MTK TV (TPL161E\_012.003.039.001)

Samsung

UE55MU7000 (T-KTMDEUC-1280.5, BT - S) MU8000

Siemens

CNE1000

Trendnet

TV-IP551W

****Applications****

**Vendor/Model**

**Version**

ASUS Media Streamer

\-

LG Smartshare Media

\-

Sony Media Go Media

\-

Stream What You Hear

\-

Ubiquiti UniFi Controller

\-

**Identifying affected systems**

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, the table below lists several Tenable plugins to help identify devices within your network that may have UPnP enabled.

**Plugin ID**

**Description**

**Product**

10829

UPnP Client Detection

Nessus

35711

Universal Plug and Play (UPnP) Protocol Detection

Nessus

8061

UPNP Traffic Detection (Client)

Nessus Network Monitor (NMM)

1948

UPNP Traffic Detection

Nessus Network Monitor (NMM)

**Get more information**

*   CallStranger Disclosure Site
*   CERT/CC CallStranger Advisory (VU#339275)
*   Proof of Concept Code released on GitHub

**_Join Tenable's Security Response Team on the Tenable Community._**

**_Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface._**

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2020-23622: CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices At Risk

In Task.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-185810717

_Published August 1, 2022 | Updated August 3, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-08-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-08-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-08-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2021-39696

A-185810717

EoP

High

10, 11, 12

CVE-2022-20344

A-232541124

EoP

High

10, 11, 12, 12L

CVE-2022-20348

A-228315529

EoP

High

10, 11, 12, 12L

CVE-2022-20349

A-228315522

EoP

High

10, 11, 12, 12L

CVE-2022-20356

A-215003903

EoP

High

11, 12, 12L

CVE-2022-20350

A-228178437 \[2\]

ID

High

10, 11, 12, 12L

CVE-2022-20352

A-222473855

ID

High

12, 12L

CVE-2022-20357

A-214999987

ID

High

12, 12L

CVE-2022-20358

A-203229608

ID

High

10, 11, 12, 12L

**Media Framework**

The most severe vulnerability in this section could lead to remote information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20346

A-230493653

ID

High

10, 11, 12, 12L

CVE-2022-20353

A-221041256 \[2\] \[3\]

ID

High

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to remote code execution over Bluetooth with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20345

A-230494481

RCE

Critical

12, 12L

CVE-2022-20347

A-228450811

EoP

High

10, 11, 12, 12L

CVE-2022-20354

A-219546241

EoP

High

11, 12, 12L

CVE-2022-20360

A-228314987

EoP

High

10, 11, 12, 12L

CVE-2022-20361

A-231161832

EoP

High

10, 11, 12, 12L

CVE-2022-20355

A-219498290 \[2\]

DoS

High

10, 11, 12, 12L

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Media Framework components

CVE-2022-20346

**2022-08-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-08-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

The vulnerability in this section could lead to local escalation of privileges with User execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-1786

A-233078742  
Upstream kernel

EoP

High

Filesystem (fs)

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0698  

A-236848165\*

High

PowerVR-GPU

CVE-2021-0887  

A-236848817\*

High

PowerVR-GPU

CVE-2021-0891

A-236849490\*

High

PowerVR-GPU

CVE-2021-0946  

A-236846966\*

High

PowerVR-GPU

CVE-2021-0947  

A-236838960\*

High

PowerVR-GPU

CVE-2021-39815

A-232440670\*

High

PowerVR-GPU

CVE-2022-20122

A-232441339\*

High

PowerVR-GPU

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-20082

A-231271467  
M-ALPS07044730\*

High

GPU

**Unisoc components**

This vulnerability affects Unisoc components and further details are available directly from Unisoc. The severity assessment of this issue is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20239

A-233972091  
U-1883877\*

High

VSP

**Qualcomm components**

This vulnerability affects Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of this issue is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-22080  

A-231156274  
QC-CR#2898981

High

Audio

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2021-30259

A-187074564\*

High

Closed-source component

CVE-2022-22059

A-231156126\*

High

Closed-source component

CVE-2022-22061

A-218338332\*

High

Closed-source component

CVE-2022-22062  

A-218338070\*

High

Closed-source component

CVE-2022-22067

A-218338889\*

High

Closed-source component

CVE-2022-22069

A-218339148\*

High

Closed-source component

CVE-2022-22070

A-218338870\*

High

Closed-source component

CVE-2022-25668

A-231156523\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-08-01 or later address all issues associated with the 2022-08-01 security patch level.
*   Security patch levels of 2022-08-05 or later address all issues associated with the 2022-08-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-08-01\]
*   \[ro.build.version.security\_patch\]:\[2022-08-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-08-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-08-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-08-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference mvalue belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

August 1, 2022

Bulletin Published

1.1

August 3, 2022

Bulletin revised to include AOSP links

CVE-2021-39696: Android Security Bulletin—August 2022  |  Android Open Source Project

Vulnerability of writing data to an arbitrary address in the HW_KEYMASTER module. Successful exploitation of this vulnerability may affect confidentiality.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the July 2022 Android security bulletin:

Critical: CVE-2022-20222, CVE-2022-20229

High: CVE-2022-20221, CVE-2022-20223, CVE-2022-20224, CVE-2022-20225, CVE-2022-20226, CVE-2022-20228, CVE-2022-20230, CVE-2022-20220, CVE-2022-20227, CVE-2022-22058

Medium: none

Low: none

Already included in previous updates: CVE-2022-20124, CVE-2022-20129, CVE-2022-20138, CVE-2022-20144, CVE-2022-20194, CVE-2022-20198, CVE-2022-20209, CVE-2018-25020, CVE-2021-44733, CVE-2021-33034, CVE-2022-20154, CVE-2021-35073, CVE-2021-35076, CVE-2021-35086, CVE-2021-35096, CVE-2021-30340, CVE-2021-30343, CVE-2021-30347, CVE-2022-20123, CVE-2022-20127, CVE-2022-20131, CVE-2022-20147, CVE-2022-21745

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40040: Vulnerability of writing data to an arbitrary address in the HW\_KEYMASTER module

Severity: Critical

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-40034: Memory overwriting vulnerability caused by addition overflow in the video framework

Severity: Critical

Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability can affect availability.

CVE-2021-40030: Vulnerability of defects being introduced in the design process in the My HUAWEI app

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40012: Vulnerability of pointers being incorrectly used during data transmission in the video framework

Severity: Medium

Affected versions: EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-37004: OOBE bypass vulnerability in Settings

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-37005: Argument injection vulnerability in Settings

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2021-46741: Vulnerability of defects being introduced in the design process in the basic framework and settings module

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability will affect integrity.

CVE-2022-37007: Out-of-bounds read vulnerability in the ChinaDRM module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-37008: Vulnerability of the update package not being verified before used in the recovery module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect system stability.

CVE-2022-37002: Unauthorized access vulnerability in the SystemUI module

Severity: High

Affected versions: EMUI 12.0.0, EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability can cause malicious applications to run or display pop-ups in the background.

CVE-2022-34742: Read/Write vulnerability in system components

Severity: High

Affected versions: EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-37003: Incorrect permission assignment vulnerability in the AOD lock screen module

Severity: Medium

Affected versions: EMUI 12.0.0, EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause files in the directory to be read and written, resulting in privilege escalation.

CVE-2022-37006: Permission control vulnerability in the network module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

Tag

#huawei