Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users.

Arid Viper disguising mobile spyware as updates for non-malicious Android applications

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

ext4: fix slab-use-after-free in ext4\_es\_insert\_extent()

Yikebaer reported an issue:
==================================================================
BUG: KASAN: slab-use-after-free in ext4\_es\_insert\_extent+0xc68/0xcb0
fs/ext4/extents\_status.c:894
Read of size 4 at addr ffff888112ecc1a4 by task syz-executor/8438

CPU: 1 PID: 8438 Comm: syz-executor Not tainted 6.5.0-rc5 #1
Call Trace:
 \[...\]
 kasan\_report+0xba/0xf0 mm/kasan/report.c:588
 ext4\_es\_insert\_extent+0xc68/0xcb0 fs/ext4/extents\_status.c:894
 ext4\_map\_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
 ext4\_alloc\_file\_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
 ext4\_zero\_range fs/ext4/extents.c:4622 \[inline\]
 ext4\_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
 \[...\]

Allocated by task 8438:
 \[...\]
 kmem\_cache\_zalloc include/linux/slab.h:693 \[inline\]
 \_\_es\_alloc\_extent fs/ext4/extents\_status.c:469 \[inline\]
 ext4\_es\_insert\_extent+0x672/0xcb0 fs/ext4/extents\_status.c:873
 ext4\_map\_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
 ext4\_alloc\_file\_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
 ext4\_zero\_range fs/ext4/extents.c:4622 \[inline\]
 ext4\_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
 \[...\]

Freed by task 8438:
 \[...\]
 kmem\_cache\_free+0xec/0x490 mm/slub.c:3823
 ext4\_es\_try\_to\_merge\_right fs/ext4/extents\_status.c:593 \[inline\]
 \_\_es\_insert\_extent+0x9f4/0x1440 fs/ext4/extents\_status.c:802
 ext4\_es\_insert\_extent+0x2ca/0xcb0 fs/ext4/extents\_status.c:882
 ext4\_map\_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
 ext4\_alloc\_file\_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
 ext4\_zero\_range fs/ext4/extents.c:4622 \[inline\]
 ext4\_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
 \[...\]
==================================================================

The flow of issue triggering is as follows:
1. remove es
      raw es               es  removed  es1
|-------------------| -> |----|.......|------|

2. insert es
  es   insert   es1      merge with es  es1     merge with es and free es1
|----|.......|------| -> |------------|------| -> |-------------------|

es merges with newes, then merges with es1, frees es1, then determines
if es1->es\_len is 0 and triggers a UAF.

The code flow is as follows:
ext4\_es\_insert\_extent
  es1 = \_\_es\_alloc\_extent(true);
  es2 = \_\_es\_alloc\_extent(true);
  \_\_es\_remove\_extent(inode, lblk, end, NULL, es1)
    \_\_es\_insert\_extent(inode, &newes, es1) ---> insert es1 to es tree
  \_\_es\_insert\_extent(inode, &newes, es2)
    ext4\_es\_try\_to\_merge\_right
      ext4\_es\_free\_extent(inode, es1) --->  es1 is freed
  if (es1 && !es1->es\_len)
    // Trigger UAF by determining if es1 is used.

We determine whether es1 or es2 is used immediately after calling
\_\_es\_remove\_extent() or \_\_es\_insert\_extent() to avoid triggering a
UAF if es1 or es2 is freed.

Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>
Closes: https://lore.kernel.org/lkml/CALcu4raD4h9coiyEBL4Bm0zjDwxC2CyPiTwsP3zFuhot6y9Beg@mail.gmail.com
Fixes: 2a69c45 ("ext4: using nofail preallocation in ext4\_es\_insert\_extent()")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230815070808.3377171-1-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

*   Loading branch information

CVE-2023-45898: ext4: fix slab-use-after-free in ext4_es_insert_extent() · torvalds/linux@768d612

Clone vulnerability in the huks ta module.Successful exploitation of this vulnerability may affect service confidentiality.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the September 2023 Android security bulletin:

Critical: CVE-2023-35658, CVE-2023-35673

High: CVE-2023-35679, CVE-2023-35687, CVE-2023-35669, CVE-2023-35667, CVE-2023-35677, CVE-2023-35666, CVE-2023-35684, CVE-2023-28584

Medium: none

Low: none

Already included in previous updates: CVE-2023-21284, CVE-2020-29374, CVE-2023-21251, CVE-2023-20942, CVE-2023-21189

※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the CVE of other third-party library patches:

Critical: CVE-2023-4863

This security update includes the following HUAWEI patches:

CVE-2023-41295: Vulnerability of improper permission management in the displayengine module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause the screen to turn dim.

CVE-2023-41304: Parameter verification vulnerability in the window module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause the size of an app window to be adjusted to that of a floating window.

CVE-2023-44093: Vulnerability of package names' public keys not being verified in the security module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44094: Type confusion vulnerability in the distributed file module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2023-44095: Use-After-Free (UAF) vulnerability in the surfaceflinger module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability can cause system crash.

CVE-2023-44096: Vulnerability of brute-force attacks on the device authentication module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44097: Vulnerability of the permission to access device SNs being improperly managed

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44100: Broadcast permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44102: Broadcast permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability can cause the Bluetooth function to be unavailable.

CVE-2023-44103: Out-of-bounds read vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44104: Broadcast permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44105: Vulnerability of permissions not being strictly verified in the window management module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-44106: API permission management vulnerability in the Fwk-Display module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-44108: Type confusion vulnerability in the distributed file module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2023-44109: Clone vulnerability in the huks ta module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44110: Out-of-bounds access vulnerability in the audio module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-44111: Vulnerability of brute-force attacks on the device authentication module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44114: Out-of-bounds array vulnerability in the dataipa module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44116: Vulnerability of access permissions not being strictly verified in the APPWidget module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause some apps to run without being authorized.

CVE-2023-44118: Vulnerability of undefined permissions in the MeeTime module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

CVE-2023-44119: Vulnerability of mutual exclusion management in the kernel module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2023-44109: October

Categories: Android
Categories: News
Tags: Google

Tags:  Android

Tags:  Qualcomm

Tags:  webp

Tags:  ARM Mali

Tags:  cve-2023-4863

Tags:  cve-2023-4211

Tags:  cve-2023-33106

Tags:  cve-2023-33107

Tags:  cve-2023-22071

Tags:  cve-2023-33063

Tags:  2023-10-006

Tags:  patch level

Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited.



(Read more...)




The post Update your Android devices now! Google patches two actively exploited vulnerabilities appeared first on Malwarebytes Labs.

Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited. Google's security bulletin notes that there are indications that these two vulnerabilities may be under limited, targeted exploitation.

If your Android phone is at patch level 2023-10-06 or later then the two issues discussed below have been fixed. The updates have been made available for Android 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

The Cybersecurity & Infrastructure Security Agency (CISA) has already added these two actively exploited vulnerabilities to its catalog of known to be exploited vulnerabilities. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities before a given due date. CVE-2023-4863 was due on October 4, 2023 and CVE-2023-4211 has to be patched by October 24, 2023. 

You can find your device's Android version number, security update level, and Google Play system level in your **Settings** app. You'll get notifications when updates are available for you, but you can also manually check for updates.

For most phones it works like this: Under **About phone** or **About device** you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs listed as actively exploited are:

CVE-2023-4863: a heap buffer overflow in libwebp which affects many applications that use this library to encode and decode images in the WebP format, allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

This is a vulnerability that impacts many applications, which we have discussed at length in our article explaining how it was used to install spyware. The vulnerability is patched if your phone is at patch level 2023-10-05.

But the next one isn’t. Your phone needs to be at patch level 2023-10-06 for that.

CVE-2023-4211: a local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory. This vulnerability affects multiple versions of Arm Mali GPU drivers which are used in a broad range of Android device models, including on Android phones developed by Google, Samsung, Huawei, and Xiaomi, as well as in some Linux devices. A GPU is a specific type of chip mostly used for graphics-related tasks, such as rendering images and videos, but also for resource-heavy calculations, such as training artificial intelligence and crypto-mining.

Normally Google uses two different patch levels for each round of updates, so Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. The higher the patch level number, the more vulnerabilities will be fixed. In this round the only difference between patch levels 2023-10-05 and 2023-10-06 is the important patch for CVE-2023-4211. 

In its own October security bulletin, chip manufacturer Qualcomm said that there are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation. It is unclear when patches for these issues will be included in security updates by the respective vendors.

Let’s hope that all these patches reach our devices soon.

**We don’t just report on Android security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today.

Update your Android devices now! Google patches two actively exploited vulnerabilities

DoS vulnerability in the PMS module. Successful exploitation of this vulnerability may cause the system to restart.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the August 2023 Android security bulletin:

Critical: CVE-2023-21282, CVE-2023-21273

High: CVE-2023-21287, CVE-2023-21267, CVE-2023-21281, CVE-2023-21285, CVE-2023-21286, CVE-2023-21288, CVE-2023-21292, CVE-2023-21283, CVE-2023-21272, CVE-2023-21275, CVE-2023-21268, CVE-2023-21290, CVE-2023-21265

Medium: CVE-2023-21649

Low: none

Already included in previous updates: CVE-2023-21240, CVE-2023-21192, CVE-2023-21187, CVE-2023-21237

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2022-46316: Input verification vulnerability in the fingerprint module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect confidentiality, integrity, and availability.

CVE-2022-48606: Stability-related vulnerability in the binder background management and control module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-39408: DoS vulnerability in the PMS module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2023-39409: DoS vulnerability in the PMS module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2023-41293: Data security classification vulnerability in the DDMP module

Severity: High

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2023-41296: Vulnerability of missing authorization in the kernel module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect integrity and confidentiality.

CVE-2023-41297: Vulnerability of defects introduced in the design process in the HiviewTunner module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause service hijacking.

CVE-2023-41298: Vulnerability of permission control in the window module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2023-41299: DoS vulnerability in the PMS module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2023-41300: Vulnerability of parameters not being strictly verified in the PMS module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2023-41301: Vulnerability of unauthorized API access in the PMS module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-41302: Redirection permission verification vulnerability in the home screen module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-41303: Command injection vulnerability in the distributed file system module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause variables in the sock structure to be modified.

CVE-2023-41305: Vulnerability of 5G messages being sent without being encrypted in a VPN environment in the SMS message module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2023-41306: Vulnerability of mutex management in the bone voice ID trusted application (TA) module

Severity: Medium

Affected versions: EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause the bone voice ID feature to be unavailable.

CVE-2023-41307: Memory overwriting vulnerability in the security module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-41308: Screenshot vulnerability in the input module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2023-41309: Permission control vulnerability in the MediaPlaybackController module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-41310: Keep-alive vulnerability in the sticky broadcast mechanism

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause malicious apps to run continuously in the background.

CVE-2023-41311: Permission control vulnerability in the audio module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may cause an app to be activated automatically.

CVE-2023-41312: Permission control vulnerability in the audio module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may cause several apps to be activated automatically.

CVE-2023-4565: Broadcast permission control vulnerability in the framework module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause the hotspot feature to be unavailable.

CVE-2023-39408: September

Plus: MGM hackers hit more than just casinos, Microsoft researchers accidentally leak terabytes of data, and China goes on the PR offensive over cyberespionage.

Mandiant researchers published findings this week about a newly revealed Chinese espionage operation that used Sogu malware to spy on the African operations of both European and US organizations. The campaign is significant for the scope of its victims, but also because attackers used a classic malware distribution method: thumb drives. The attacks are the latest example of China's aggressive global espionage—but read on for statements from the Chinese government about alleged US cyberattacks and digital espionage.

After Elon Musk claimed recently that primates used in Neuralink implant research were close to death anyway, a WIRED investigation this week revealed grisly details about the truth of their deaths that appear to dispute the characterization that the animals were all terminally ill. The revelations come as Neuralink is pursuing human trials of its brain-chip implants. 

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Kia and Hyundai cars have been plagued for years by vulnerabilities—and simply missing protective features—in their antitheft systems that make the cars far too easy to steal. Recently, the companies have been attempting to distribute updates to remedy the situation, but the flaws have already resulted in skyrocketing car theft rates around the United States. New data from 10 US cities compiled by Motherboard through public records requests illustrate the extent of the problem. In Chicago, for example, average car theft rates of about 850 per month are now consistently up to more than 2,000 per month. Similarly, before 2021, rates in Denver used to hover around 800 stolen cars per month. They now typically top 1,000. Atlanta's car theft rates have doubled from their old level before 2022 of fewer than 250 incidents per month. 

“Stolen car rates are not up by 10 percent, or 20 percent, or even 50 percent,” the report says. “In many cities, they are up hundreds of percentage points, Motherboard has found. Rates of stolen Kias and Hyundais in particular are up thousands of percentage points.”

Over the past two weeks, MGM Resorts has been dealing with the very public fallout of a recent cyberattack. Caesars Entertainment also admitted last week that it recently suffered a data breach and faced criminal extortion demands. Adding to the larger context, an executive for the enterprise identity management firm Okta said this week that the same gang that targeted MGM and Caesars, known as Alphv, also hacked three other targets since August as part of the same spree.

That makes five Okta customers in total that were affected. David Bradbury, Okta's chief security officer, would not name the other three victims but said they are in the technology, retail, and manufacturing sectors. Bradbury said Okta is cooperating with law enforcement investigations into the hacks.

Wiz security firm published findings this week that Microsoft AI researchers unintentionally exposed 38 terabytes of private data on the developer platform GitHub while attempting to open-source a repository of training data. The leak included internal Microsoft data, including more than 30,000 Teams messages, passwords, and private keys. The exposure occurred because of a misconfiguration in how the researchers used an Azure Storage data-sharing feature.

This week, officials from China's Ministry of State Security publicly accused the US government of breaching and monitoring Huawei's networks in a 2009 espionage attack. The statement also alleges that the US has conducted “tens of thousands of malicious network attacks” on Chinese institutions and organizations to surveil networks and steal data. Furthermore, the officials claimed that the US government has planted backdoors in software and hardware produced around the world to enable global surveillance. China has accused the US of cyberespionage before—and certainly conducts its share of surveillance and data exfiltration operations. Meanwhile, Huawei has been a particular lightning rod in longtime disputes between the US and China about digital and technical security.

The Shocking Data on Kia and Hyundai Thefts in the US

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

Thursday, September 21, 2023 14:09

Welcome to this week’s edition of the Threat Source newsletter.

As a former reporter, I’ve seen my fair share of press releases. But one from a threat actor was definitely a new one for me last week.

ALPHV (aka BlackCat) publicly took credit for a massive cyber attack against MGM, a resort, gambling and sports betting company best known for its massive casinos. The attack took down slot machines, guest reservation systems, and more belonging to MGM, and the company is still feeling the effects as of Tuesday.

And despite every major news outlet reporting on the incident, the actor wanted to take messaging into its own hands and “clarify” what happened exactly. Attackers have occasionally posted updates and pseudo-press releases in the past, but this particular press release on ALPHV’s leak site (don’t worry I didn’t actually link to their site) was peak unintentional comedy to me.

For starters, the actor blamed MGM for not using their official communication channels to contact them to start negotiating a ransom payment:

“As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present,” the statement reads.

They also said that, hypothetically, if personally identifiable information \*had\* been stolen, they would allow the website Have I Been Pwned? to responsibly disclose this information, even though they stopped short of saying they stole PII.

Lastly, they took a victory lap by saying several news outlets had reported false information, claimed attribution too early, or made ALPHV seem too basic of a threat actor because the tactics, techniques and procedures “used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.”

The entire statement reads as someone who thinks they’ve done nothing wrong, and certainly written to intimate that the situation could have gone much more smoothly had MGM just reached out to the threat actor early on through what is deemed as the appropriate channels and negotiated early.

So, it makes me wonder what ALPHV thinks they’re gaining from all this? Part of me wonders if they were upset that public reporting had connected the attack to a group called “'Scattered Spider” and they wanted to make sure everyone knew who deserved the credit. Or it could have been that they wanted to turn up the heat on MGM representatives and apply public pressure to hopefully get them to communicate and settle on a ransom payment.

It reads as if ALPHV really wants to come across as the “good guys” in this case, but I’m not sure who outside of dark web circles would be willing to feel sorry for them.

**The one big thing**

Talos researchers recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. We also discovered a sister implant to “HTTPSnoop” we’re naming “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. All these new tools are linked to a group we’re calling “ShroudedSnooper.”

**Why do I care?**

This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting the telecommunications sector. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data. However, since this is a new, relatively unknown group, we can’t be certain that they’ll only stick to targeting this particular field. The various malware at their disposal can leave a backdoor on infected machines for future attacks and malware installations and execute arbitrary shellcode on the infected endpoint.

**So now what?**

We found specific URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of “ews” and “autodiscover” keywords over Ports 443 and 444. The blog post has a list of these patterns so potentially affected targets can scan to see if they're infected. There is also a host of detection content available for Cisco Secure products.

**Top security headlines of the week**

**Apple released long-awaited updates to its “Lockdown Mode” with iOS 17 this week, its answer to a recent global uptick in spyware attacks.** Lockdown Mode now also works on Apple Watches, in addition to iPhones and iPads, which is notable because threat actors have increasingly started targeting Apple Watches with spyware. New features also remove geolocation information from photos when Lockdown Mode is enabled and automatically block insecure Wi-Fi networks. Apple and other cellphone manufacturers are working on addressing the use of cell site simulators, also known as “stingrays.” These fake cell base stations track phone locations and spy on calls and messages after a device connects to it. Google also announced new features earlier this year that ensure their devices’ communications are always encrypted when connecting to cell towers. (TechCrunch, Electronic Frontier Foundation)

**The U.S. Cybersecurity and Infrastructure Security Agency announced a new program offering free security scans to public water utilities and other critical infrastructure.** CISA is offering to run specialized scanners to identify a facility’s vulnerabilities and any weak configurations on internet-exposed endpoints. Then, they generate a report of any flaws or vulnerabilities found and send the plant a list of recommendations and offers for further scans to determine if the potential target has taken the appropriate steps to solve the issues. A brochure for the new program promises a “significant reduction in identified vulnerabilities in the first few months of scanning for newly enrolled water utilities.” (StateScoop, CISA)

**China’s government has accused the U.S. of a campaign to infiltrate servers belonging to tech company Huawei to conduct cyber attacks and steal information,** potentially as far back as 2009. China's Ministry of State Security on Wednesday outlined the accusations in a post on its WeChat account Wednesday. "In 2009, the Office of Tailored Access Operations started to infiltrate servers at Huawei's headquarters and continued conducting such surveillance operations," the post reads. China and the U.S. have continually launched accusations of spying on one another this year as tensions between the two nations rise. China also accused the U.S. National Security Agency of installing a backdoor tool that "runs secretly on thousands of network devices in many countries around the world” meant to steal data from other governments, including China and Russia. (Nikkei Asia, The Register)

**Can’t get enough Talos?**

*   New threat actor targets Middle Eastern telcos
*   How Cisco Talos IR helped a healthcare company quickly resolve a Qakbot attack
*   Middle East telcos targeted by new malware with suspected nation-state backing
*   APJC Monthly Talos Update

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

> _Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

> _Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 7f66d4580871e3ee6a35c8fef6da7ab26a93ba36b80279625328aaf184435efa  
**MD5:** e9a6b1346d1a2447cabb980f3cc5dd27  
**Typical Filename:** профиль 10 класс.exe  
**Claimed Product:** N/A  
**Detection Name:** Application\_Blocker

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a  
**MD5:** 200206279107f4a2bb1832e3fcd7d64c  
**Typical Filename:** lsgkozfm.bat  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::tpd

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647  
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790  
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Scar::1201

What’s the point of press releases from threat actors?

China's Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei's servers, stealing critical data, and implanting backdoors since 2009, amid mounting geopolitical tensions between the two countries.
In a message posted on WeChat, the government authority said U.S. intelligence agencies have "done everything possible" to conduct surveillance, secret theft, and intrusions on

Cyber Espionage / Spyware

China's Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei's servers, stealing critical data, and implanting backdoors since 2009, amid mounting geopolitical tensions between the two countries.

In a message posted on WeChat, the government authority said U.S. intelligence agencies have "done everything possible" to conduct surveillance, secret theft, and intrusions on many countries around the world, including China, using a "powerful cyber attack arsenal." Specifics about the alleged hacks were not shared.

It explicitly singled out the U.S. National Security Agency's (NSA) Computer Network Operations (formerly the Office of Tailored Access Operations or TAO) as having "repeatedly carried out systematic and platform-based attacks" against the country to plunder its "important data resources."

The post went on to claim that the cyber-warfare intelligence-gathering unit hacked Huawei's servers in 2009 and that it had carried out "tens of thousands of malicious network attacks" on domestic entities, including the Northwestern Polytechnical University, to siphon sensitive data, an allegation that was first leveled by China in September 2022.

Further, China's National Computer Virus Emergency Response Centre (NCVERC) is said to have isolated a spyware artifact dubbed Second Date when dealing with an incident at the public research university that's purportedly developed by the NSA and run stealthily on "thousands of network devices in many countries around the world."

Details about Second Date were previously reported by South China Morning Post and China Daily last week, describing it as a cross-platform malware capable of monitoring and hijacking network traffic as well as injecting malicious code. Germany, Japan, South Korea, India, and Taiwan are believed to be some of the countries targeted by the spyware.

"The U.S. intelligence agency has used these large-scale weapons and equipment to carry out cyber attacks and cyber espionage operations for more than ten years against China, Russia and other 45 countries and regions around the world," MSS said, adding the attacks targeted telecom, scientific research, economy, energy and military sectors.

MSS also claimed that the U.S. has forced technology companies to install backdoors in their software and equipment to conduct cyber espionage and steal data, citing examples of companies such as X-Mode Social and Anomaly Six, which have demonstrated abilities to track the mobile phones of users.

"It has long been an open secret that the United States has long relied on its technological advantages to conduct large-scale eavesdropping on countries around the world, including its allies, and carried out cyber theft activities," the MSS said, adding Russia, Iran, China, and North Korea are its main targets.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

"At the same time, the United States is trying its best to portray itself as a cyber-attack victim, inciting and coercing other countries to join the so-called 'clean network' program under the banner of maintaining network security, in an attempt to eliminate Chinese companies from the international network market."

In July 2023, after Microsoft disclosed a China-linked espionage campaign mounted by an actor codenamed Storm-0558 targeting two dozen organizations in the U.S. and Europe, China responded by calling the U.S. "the world's biggest hacking empire and global cyber thief."

The MSS made its WeChat debut on August 1, 2023, emphasizing the need to boost counter-espionage efforts and encourage citizens to report suspicious activity as well as be rewarded and protected for their contributions.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China Accuses U.S. of Decade-Long Cyber Espionage Campaign Against Huawei Servers

In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to an integer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

_Published September 5, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-09-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-09-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-09-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-35669

A-265798288

EoP

High

11, 12, 12L, 13

CVE-2023-35674

A-264029851

EoP

High

11, 12, 12L, 13

CVE-2023-35676

A-278720336

EoP

High

12, 12L, 13

CVE-2023-35687

A-245135112

EoP

High

11, 12, 12L, 13

CVE-2023-35675

A-284297711

ID

High

11, 12, 12L, 13

CVE-2023-35679

A-245137718

ID

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-35658

A-274617156

RCE

Critical

11, 12, 12L, 13

CVE-2023-35673

A-273966636

RCE

Critical

11, 12, 12L, 13

CVE-2023-35681

A-271335899

RCE

Critical

13

CVE-2023-35665

A-256819787

EoP

High

11, 12, 12L, 13

CVE-2023-35666

A-269253349

EoP

High

11, 12, 12L, 13

CVE-2023-35667

A-282932362

EoP

High

11, 12, 12L, 13

CVE-2023-35670

A-276898626

EoP

High

11, 12, 12L, 13

CVE-2023-35682

A-270152142

EoP

High

11, 12, 12L, 13

CVE-2023-35684

A-280633699

EoP

High

11, 12, 12L, 13

CVE-2023-35664

A-269270167

ID

High

12, 12L, 13

CVE-2023-35671

A-268038643

ID

High

11, 12, 12L, 13

CVE-2023-35680

A-256591023

ID

High

11, 12, 12L, 13

CVE-2023-35683

A-223793631

ID

High

11, 12, 12L, 13

CVE-2023-35677

A-280793427

DoS

High

11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

MediaProvider

CVE-2023-35670, CVE-2023-35683

**2023-09-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-09-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-28584

A-285903061  
QC-CR#3390251

High

WLAN

CVE-2023-33019

A-285903027  
QC-CR#3403638

High

WLAN

CVE-2023-33021

A-285903020  
QC-CR#3397562 \[2\]

High

Display

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-28581

A-285902431 \*

Critical

Closed-source component

CVE-2022-40534

A-288580358 \*

High

Closed-source component

CVE-2023-21646

A-271879257 \*

High

Closed-source component

CVE-2023-21653

A-271880270 \*

High

Closed-source component

CVE-2023-28538

A-280341574 \*

High

Closed-source component

CVE-2023-28549

A-280342096 \*

High

Closed-source component

CVE-2023-28573

A-285902920 \*

High

Closed-source component

CVE-2023-33015

A-285903140 \*

High

Closed-source component

CVE-2023-33016

A-285902923 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-09-01 or later address all issues associated with the 2023-09-01 security patch level.
*   Security patch levels of 2023-09-05 or later address all issues associated with the 2023-09-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-09-01\]
*   \[ro.build.version.security\_patch\]:\[2023-09-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-09-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-09-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-09-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

September 5, 2023

Bulletin Published

Tag

#huawei