The signature check in the Nokia ASIK AirScale system module version 474021A.101 can be bypassed allowing an attacker to run modified firmware. This could result in the execution of a malicious kernel, arbitrary programs, or modified Nokia programs.

CVE-2022-2484

Nokia Fastmile 3tg00118abad52 devices shipped by Optus are shipped with a default hardcoded admin account of admin:Nq+L5st7o This account can be used locally to access the web admin interface.

Having had some time to off to mull over what to do next and attend to some other priorities I decided it was time to get back to looking at this.  

But first, I had to address the issue of having to take my internet down every time I wanted to do any prodding. So then there were two...

**Fun Party Tricks**

Of course we can't just dive straight into the hard stuff so I thought I'd take a look at what ridiculous things I could do with the Android side first.

As it's just a standard Android phone, we can use scrcpy to virtually interact with it over ADB. This doesn't really tell you anything else that you can't find via CLI.

What it does allow us to do however is install our own apps and interact with them. So naturally, I installed FlappyBird to have a go.

4 WHOLE POINTS

**I am claiming the world record for FlappyBird on a Nokia Fastmile Router.**

**Come at me.**

**Identical Super Admin Passwords**

Alright back to the serious stuff.

After receiving my second device, I noticed that the second device was on a newer firmware version with the authenticated privilege escalation vulnerability patched out.

This locks us out of the configuration backup/restore utility.

Luckily, there's a higher privileged account with the same default password that seems to be baked into every Optus shipped device.

    <WebAccount. n="WebAccount" t="staticObject">
        <Enable rw="RW" t="boolean" v="True"></Enable>
        <Alias t="string" ml="64" rw="RW" dv="cpe-NokiaAlias2" v="cpe-NokiaAlias2"></Alias>
        <Priority max="10" min="1" rw="RW" t="unsignedInt" v="1"></Priority>
        <UserName ml="64" rw="RW" t="string" v="admin"></UserName>
        <Password ml="64" rw="RW" t="string" v="7hrGZUG0NX48jHEq3+Twog==" ealgo="ab"></Password>
        <PresetPassword ml="64" rw="RW" t="string" v="7hrGZUG0NX48jHEq3+Twog==" ealgo="ab"></PresetPassword>
    </WebAccount.>

Using the same tricks from last time the password 'decrypts' to **Nq+L5st7o** with the username being admin.

At least in my case, the password I obtained from my first device also worked on my second device.

Maybe somebody should tell Optus, or maybe not because having full access to these devices is nice.

UDPATE: Informed Nokia and as of U-Boot Aug-09-2022--20:45:33 patch version 3TG00118ABGA31 this is no longer available.

UPDATE 2: This has been assigned CVE-2022-36222.

**Diving into the Firmware**

Shout out to **@neggles** for helping me through some of this.

I never did end up going through the process of dumping the Router side firmware so I might come back to do this as an exercise. In this case, I didn't end up needing to.

**Obtaining Firmware**

When the device goes to update itself, it very nicely logs the download URL for the firmware.

Sifting through my own device's logs I managed to download some firmware only to find that it's encrypted.

Luckily for us some nice person on the internet has posted a download URL for an older firmware version that isn't encrypted.

> https://whrl.pl/RgaV4d

You'll probably need to be on the Optus network somewhere to reach this:  
http://macs.optusnet.com.au/firmware/Nokia/5GGW\_D010003B37T0101E0052\_ota.tar.gz

Cracking open this older firmware file we see a couple of files. The highlighted one being relevant for the Router side with the zip file being relevant for the Android side.

Trying to unpack this file we immediately run into a hurdle, it looks like a UBI image but fails to unpack with ubidump.

Some Googling brings us to this issue which seems to be what we ran into. Several Squashfs volumes inside a UBI image.

Unpacking the squashfs volume shows us the root filesystem.

**Needle in a Haystack**

Cracking open the firmware revealed a massive attack surface to evaluate. I put together a non exhaustive list of things to look at that might help us to get root and just started working my way down the list.

*   Finding an issue with one of the CGI Scripts in the web directory
*   Reversing the jail shell /usr/sbin/vtysh
*   Reversing the configuration management utility usr/sbin/cfgmgr
*   Figure out how to repack the firmware with an entry point for us
*   Attacking the router from the Android side (that 5GCPE app on the Android side must be doing something)
    *   Storage of Android /sdcard/ is shared to the router via USB-OTG and files seem to be written there to transfer some information!
    *   There's also network connectivity as we established last time but I'm unsure if this only used for routing traffic

**CGI Scripts**

Looking at just the first point in that list, there's a sea of CGI scripts that could potentially lead us to shell access.

I had a look at a few of these and found some other vulnerabilities (that will be documented at the bottom for those interested) but quickly decided to move on from this.

**Jail Shell**

> Quick recap, in the last blog post we were able to SSH into the device by enabling the SSH user in the configuration file.
> 
> While the credentials we set in the configuration worked for SSH, they did not work for the password prompt presented when trying to use the 'shell' command at the jail shell.

Next I decided to look at the jail shell which seemed to be located at /usr/sbin/vtysh. Notably, I was interested in what was actually being checked when we were getting prompted for a password.

Opening the binary in Ghidra it become quickly apparent that the password we were getting prompted for had little to do with the one we set in the configuration. It seemed to be consisted of a group of integers that I couldn't figure out where they were set.

Ghidra Output

Reversing isn't my strong suit so I decided to move on from this as well.

**Configuration Manager**

Next I started to look into the configuration manager.

While I was looking at the CGI scripts I noticed a number of them simply took user input and passed them onto bash scripts to then perform actions.

I'm all about being as lazy as possible, so trying the easiest stuff first made sense to see if the same pattern had been used in this binary. After running strings on the binary and sifting through the results, a single line caught my eye.

Adding management users sounds like something I want to do.

In the middle of this script there's also a very interesting if statement (full script for those interested).

    if [ -e /usr/sbin/vtysh -a "$user_name" != "ONTUSER" -a "$OPID" != "0000" -a "OPID" != "9999" ]; then
       adduser -D -h ${home_dir}/${user_name} -G wheel ${user_name} -s /usr/sbin/vtysh
    else
       adduser -D -h ${home_dir}/${user_name} -G wheel ${user_name}
    fi

At this point, we know:

*   We have access to change the config of the router including managing users
*   This script is called by the Configuration Manager at some point
*   If the username == ONTUSER OR if the OperatorID == (9999 OR 1111) then users are created with the **default shell** instead of the **jail shell**
*   In the previous write-up, we found mentions of setting LimitAccount\_ONTUSER in config to false doing something

It can't possibly be that easy.

Bingo

The config ships with the "TelnetSshAccount" username of "admin". I changed this to "ONTUSER" and upon SSH we are greeted with full root access instead of a jail shell.

Config Sample

Mission accomplished.

There's tons more to look at obviously so maybe there'll be a part 3 as I'm almost certain there's another way in with such a large attack surface. For now though, I'll leave you with some of the other interesting things I noticed while looking through this device.

**Other Interesting Things****WTF Backdoor??????**

There's a telnet script in the web directory which seems to spin up a telnet server that gives shell access without authentication.

Couldn't find anywhere this gets called though. ./telnet.sh on will turn the backdoor on and ./telnet.sh st checks the status of the backdoor

**Pipe Path Traversal**

UPDATE: This has been assigned CVE-2022-36221.

The CGI script used to read the output of diagnostic pings is affected by a path traversal vulnerability.

Opening the command\_web\_app.cgi script up we see that it passes user input straight to the cat.sh script.

Ghidra Output of command\_web\_app.cgi

This script performs a check to see if the file is a pipe but otherwise just returns the contents.

The result? We have path traversal!

The usefulness of this is dependent on the existence of pipes on the router that contain sensitive information. Also the endpoint is only available as an authenticated user (albeit full admin is not required).

There's also a similar issue allowing you to check for the existence of any arbitrary directory.

CVE-2022-36222: Hacking the Nokia Fastmile: Part 2

Nokia Fastmile 3tg00118abad52 is affected by an authenticated path traversal vulnerability which allows attackers to read any named pipe file on the system.

CVE-2022-36221: Hacking the Nokia Fastmile: Part 2

Money-lending apps built using the Flutter software development kit hide a predatory spyware threat and highlight a growing trend of using personal data for blackmail.

An Android malware campaign dubbed MoneyMonger has been found hidden in money-lending apps developed using Flutter. It's emblematic of a rising tide of blackmailing cybercriminals targeting consumers — and their employers stand to feel the effects, too.

According to research from the Zimperium zLabs team, the malware uses multiple layers of social engineering to take advantage of its victims and allows malicious actors to steal private information from personal devices, then use that information to blackmail individuals.

The MoneyMonger malware, distributed through third-party app stores and sideloaded onto victims' Android devices, was built from the ground up to be malicious, targeting those in need of quick cash, according to Zimperium researchers. It uses multiple layers of social engineering to take advantage of its victims, beginning with a predatory loan scheme and promising quick money to those who follow a few simple instructions.

In the process of setting up the app, the victim is told that permissions are needed on the mobile endpoint to ensure they are in good standing to receive a loan. These permissions are then used to collect and exfiltrate data, including from the contact list, GPS location data, a list of installed apps, sound recordings, call logs, SMS lists, and storage and file lists. It also gains camera access.

This stolen information is used to blackmail and threaten victims into paying excessively high-interest rates. If the victim fails to pay on time, and in some cases even after the loan is repaid, the malicious actors threaten to reveal information, call people from the contact list, and even send photos from the device.

One of the new and interesting things about this malware is how it uses the Flutter software development kit to hide malicious code.

While the open source user interface (UI) software kit Flutter has been a game changer for application developers, malicious actors have also taken advantage of its capabilities and framework, deploying apps with critical security and privacy risks to unsuspecting victims.

In this case, MoneyMonger takes advantage of Flutter’s framework to obfuscate malicious features and complicate the detection of malicious activity by static analysis, Zimperium researchers explained in a Dec. 15 blog post.

**Risk to Enterprises Stems from Wide Range of Data Collected**

Richard Melick, director of mobile threat intelligence at Zimperium, tells Dark Reading that consumers using money lending apps are most at risk, but by the nature of this threat and how attackers steal sensitive information for blackmail, they are also putting their employers or any organization they work with at risk, too.

"It’s very easy for the attackers behind MoneyMonger to steal information from corporate email, downloaded files, personal emails, phone numbers, or other enterprise apps on the phone, using it to extort their victims," he says.

Melick says MoneyMonger is a risk to individuals and enterprises because it collects a wide range of data from the victim’s device, including potentially sensitive enterprise-related material and proprietary information.

"Any device connected to enterprise data poses a risk to the enterprise if an employee falls victim to the MoneyMonger predatory loan scam on that device," he says. "Victims of this predatory loan might be compelled to steal to pay the blackmail or not report the theft of critical enterprise data by the malicious actors behind the campaign."

Melick says that personal mobile devices represent a significant, unaddressed attack surface for enterprises. He points out that malware against mobile only continues to get more advanced, and without the threat telemetry and critical defense in place to stand up against this growing subset of malicious activity, enterprises and their employees are left at risk.

"No matter if they are corporate-owned or part of a BYOD strategy, the need for security is critical to stay ahead of MoneyMonger and other advanced threats," he says. "Education is only part of the key here and technology can fill in the gaps, minimizing the risk and attack surface presented by MoneyMonger and other threats."

It's also important to remember to avoid downloading apps from unofficial app stores; official stores, like Google Play, do have protections for users, a Google spokesperson emphasized to Dark Reading.

"None of the identified malicious apps in the report are on Google Play," he said. "Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Google Play Protect will warn users that attempt to install or launch apps that have been identified to be malicious."

**Resurgence of Banking Trojans**

The MoneyMonger malware follows the resurgence of the Android banking Trojan SOVA, which now sports updated capabilities and an additional version in development that contains a ransomware module.

Other banking Trojans have resurfaced with updated features to help skate past security, including Emotet, which re-emerged earlier this summer in a more advanced form after having been taken down by a joint international task force in January 2021.

Nokia's 2021 "Threat Intelligence Report" warned that banking malware threats are sharply increasing, as cybercriminals target the rising popularity of mobile banking on smartphones, with plots aimed at stealing personal banking credentials and credit card information.

**Blackmailing Threats Expected to Continue in 2023**

Melick points out blackmail is not new to malicious actors, as has been seen in ransomware attacks and data breaches on a global scale.

"The use of blackmail on such a personal level, targeting individual victims, though, is a bit of a novel approach that takes an investment of personnel and time," he says. "But it is paying off and based on the number of reviews and complaints around MoneyMonger and other predatory loan scams similar to this, it is only going to continue."

He predicts market and financial conditions will leave some people desperate for ways to pay bills or get extra cash.

"Just as we saw predatory loan scams rise up in the last recession," he says, "it is almost guaranteed we will see this model of theft and blackmail continue into 2023."

Blackmailing MoneyMonger Malware Hides in Flutter Mobile Apps

In findAllDeAccounts of AccountsDb.java, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-169762606

*   Docs
    *   Getting Started
    *   Security
    *   Core Topics
    *   Compatibility
    *   Android Devices
    *   Reference
*   GO TO CODE ➚

Stay organized with collections Save and categorize content based on your preferences.

_Published December 5, 2022 | Updated December 7, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-12-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-12-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-12-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android Runtime**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20502

A-222166527

ID

High

13

**Framework**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20472

A-239210579

RCE

Critical

10, 11, 12, 12L, 13

CVE-2022-20473

A-239267173

RCE

Critical

10, 11, 12, 12L, 13

CVE-2021-39617

A-175190844

EoP

High

11, 12, 12L

CVE-2021-39795

A-201667614

EoP

High

11, 12, 12L, 13

CVE-2022-20124

A-170646036

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20442

A-176094367

EoP

High

10, 11, 12, 12L

CVE-2022-20444

A-197296414 \[2\] \[3\] \[4\] \[5\]

EoP

High

11, 12

CVE-2022-20470

A-234013191

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20474

A-240138294 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20475

A-240663194

EoP

High

11, 12, 12L, 13

CVE-2022-20477

A-241611867

EoP

High

13

CVE-2022-20485

A-242702935 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20486

A-242703118 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20491

A-242703556 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20611

A-242996180

EoP

High

10, 11, 12, 12L, 13

CVE-2021-0934

A-169762606

DoS

High

10, 11, 12, 12L, 13

CVE-2022-20449

A-239701237

DoS

High

10, 11, 12, 12L, 13

CVE-2022-20476

A-240936919

DoS

High

10, 11, 12, 12L

CVE-2022-20482

A-240422263

DoS

High

12, 12L, 13

CVE-2022-20500

A-246540168

DoS

High

10, 11, 12, 12L, 13

**Media Framework**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20496

A-245242273

ID

High

12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution over Bluetooth with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20411

A-232023771 \[2\]

RCE

Critical

10, 11, 12, 12L, 13

CVE-2022-20498

A-246465319

ID

Critical

10, 11, 12, 12L, 13

CVE-2022-20469

A-230867224

RCE

High

10, 11, 12, 12L, 13

CVE-2022-20144

A-187702830 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20240

A-231496105 \[2\] \[3\] \[4\]

EoP

High

12, 12L

CVE-2022-20478

A-241764135 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20479

A-241764340 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20480

A-241764350 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20484

A-242702851 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20487

A-242703202 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20488

A-242703217 \[2\]

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20495

A-243849844

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20501

A-246933359

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20466

A-179725730 \[2\]

ID

Moderate

13

ID

High

10, 11, 12, 12L

CVE-2022-20471

A-238177877

ID

High

11, 12, 12L, 13

CVE-2022-20483

A-242459126

ID

High

10, 11, 12, 12L, 13

CVE-2022-20497

A-246301979

ID

High

12, 12L, 13

CVE-2022-20468

A-228450451

ID

Moderate

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

MediaProvider

CVE-2021-39795

Permission Controller

CVE-2021-39617, CVE-2022-20442

**2022-12-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-12-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The vulnerability in this section could lead to local information disclosure with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-23960

A-215557547  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\] \[8\] \[9\] \[10\] \[11\] \[12\] \[13\] \[14\] \[15\] \[16\] \[17\] \[18\] \[19\] \[20\] \[21\] \[22\] \[23\] \[24\] \[25\] \[26\]

ID

High

Kernel

**Imagination Technologies**

This vulnerability affects Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of this issue is provided directly by Imagination Technologies.

    

CVE

References

Severity

Subcomponent

CVE-2021-39660  

A-254742984 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

    

CVE

References

Severity

Subcomponent

CVE-2022-32594  

A-250331397  
M-ALPS07446207 \*

High

widevine

CVE-2022-32596  

A-250470698  
M-ALPS07446213 \*

High

widevine

CVE-2022-32597  

A-250470696  
M-ALPS07446228 \*

High

widevine

CVE-2022-32598  

A-250470697  
M-ALPS07446228 \*

High

widevine

CVE-2022-32619  

A-250441021  
M-ALPS07439659 \*

High

keyinstall

CVE-2022-32620  

A-250441023  
M-ALPS07541753 \*

High

mpu

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-39106  

A-252398972  
U-1830881 \*

High

kernel

CVE-2022-39131  

A-252950986  
U-1914157 \*

High

Kernel

CVE-2022-39132  

A-252951342  
U-1914157 \*

High

Kernel

CVE-2022-39133  

A-253957345  
U-1946077 \*

High

Kernel

CVE-2022-39134  

A-253333208  
U-1947682 \*

High

Kernel

CVE-2022-42754  

A-253344080  
U-1967614 \*

High

Kernel

CVE-2022-42755  

A-253957344  
U-1981296 \*

High

Kernel

CVE-2022-42756  

A-253337348  
U-1967535 \*

High

Kernel

CVE-2022-42770  

A-253978051  
U-1975103 \*

High

Kernel

CVE-2022-42771  

A-253978040  
U-1946329 \*

High

Kenel

CVE-2022-42772  

A-253978054  
U-1903041 \*

High

kernel

CVE-2022-39129  

A-252943954  
U-1957128 \*

High

Kernel

CVE-2022-39130  

A-252950982  
U-1957128 \*

High

Kernel

**Qualcomm components**

This vulnerability affects Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of this issue is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33268  

A-245992426  
QC-CR#3182085 \[2\]

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-25672  

A-231156083 \*

High

Closed-source component

CVE-2022-25673  

A-235102693 \*

High

Closed-source component

CVE-2022-25681  

A-238106628 \*

High

Closed-source component

CVE-2022-25682  

A-238102293 \*

High

Closed-source component

CVE-2022-25685  

A-235102504 \*

High

Closed-source component

CVE-2022-25689  

A-235102546 \*

High

Closed-source component

CVE-2022-25691  

A-235102879 \*

High

Closed-source component

CVE-2022-25692  

A-235102506 \*

High

Closed-source component

CVE-2022-25695  

A-235102757 \*

High

Closed-source component

CVE-2022-25697  

A-235102692 \*

High

Closed-source component

CVE-2022-25698  

A-235102566 \*

High

Closed-source component

CVE-2022-25702  

A-235102898 \*

High

Closed-source component

CVE-2022-33235  

A-245402984 \*

High

Closed-source component

CVE-2022-33238  

A-245402341 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-12-01 or later address all issues associated with the 2022-12-01 security patch level.
*   Security patch levels of 2022-12-05 or later address all issues associated with the 2022-12-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-12-01\]
*   \[ro.build.version.security\_patch\]:\[2022-12-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-12-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-12-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-12-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

December 5, 2022

Bulletin Published

1.1

December 7, 2022

Bulletin revised to include AOSP links

2.0

December 7, 2022

Revised CVE table

Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.

Last updated 2022-12-08 UTC.

CVE-2021-0934: Android Security Bulletin—December 2022  |  Android Open Source Project

In MMU_UnmapPages of the PowerVR kernel driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-243825200

_Published November 7, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-11-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-11-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-11-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-2209

A-235601882

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20441

A-238605611

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20446

A-229793943

EoP

High

10, 11

CVE-2022-20448

A-237540408

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20450

A-210065877

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20452

A-240138318

EoP

High

13

CVE-2022-20457

A-243924784

EoP

High

13

**Multiple components**

The vulnerability in this section could lead to local denial of service with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20426

A-236263294

DoS

High

10, 11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20451

A-235098883

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20454

A-242096164

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20462

A-230356196

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20463

A-231985227

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20465

A-218500036

EoP

High

10, 11, 12, 12L, 13

CVE-2022-20445

A-225876506

ID

High

10, 11, 12, 12L, 13

CVE-2022-20447

A-233604485

ID

High

13

CVE-2022-20414

A-234441463

DoS

High

10, 11, 12, 12L, 13

CVE-2022-20453

A-240685104

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

Media Framework components

CVE-2022-2209

WiFi

CVE-2022-20463

**2022-11-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-11-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2021-1050

A-243825200 \*

High

PowerVR-GPU

CVE-2021-39661

A-246824784 \*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2022-32601

A-234038598  
M-ALPS07319132 \*

High

telephony

CVE-2022-32602

A-245050053  
M-ALPS07388790 \*

High

keyinstall

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Subcomponent

CVE-2022-2984

A-244673210  
U-1901978 \*

High

Kernel

CVE-2022-2985

A-244657985  
U-1882490 \*

High

Android

CVE-2022-38669

A-244666286  
U-1883755 \*

High

Android

CVE-2022-38670

A-244674480  
U-1883755 \*

High

Android

CVE-2022-39105

A-245210875  
U-1830881 \*

High

Kernel

CVE-2022-38672

A-244684957  
U-1957128 \*

High

Kernel

CVE-2022-38673

A-246482122  
U-1957128 \*

High

Kernel

CVE-2022-38676

A-244683429  
U-1908118 \*

High

Kernel

CVE-2022-38690

A-244109033  
U-1914157 \*

High

Kernel

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2022-25724

A-238106223  
QC-CR#3090325 \[2\] \[3\]

High

Display

CVE-2022-25741

A-240972788  
QC-CR#3147273

High

WLAN

CVE-2022-25743

A-240973083  
QC-CR#3153406

High

Display

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2021-35122

A-213239915 \*

Critical

Closed-source component

CVE-2021-35108

A-209469945 \*

High

Closed-source component

CVE-2021-35109

A-209469824 \*

High

Closed-source component

CVE-2021-35132

A-213240063 \*

High

Closed-source component

CVE-2021-35135

A-213239949 \*

High

Closed-source component

CVE-2022-25671

A-231156429 \*

High

Closed-source component

CVE-2022-33234

A-240971780 \*

High

Closed-source component

CVE-2022-33236

A-240973180 \*

High

Closed-source component

CVE-2022-33237

A-240972236 \*

High

Closed-source component

CVE-2022-33239

A-240982982 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-11-01 or later address all issues associated with the 2022-11-01 security patch level.
*   Security patch levels of 2022-11-05 or later address all issues associated with the 2022-11-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-11-01\]
*   \[ro.build.version.security\_patch\]:\[2022-11-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-11-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-11-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-11-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

November 7, 2022

Bulletin Published

CVE-2021-1050: Android Security Bulletin—November 2022  |  Android Open Source Project

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published three Industrial Control Systems (ICS) advisories about multiple vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation.
Prominent among them is a set of three flaws affecting ETIC Telecom's Remote Access Server (RAS), which "could allow an attacker to obtain sensitive information and

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published three Industrial Control Systems (ICS) advisories about multiple vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation.

Prominent among them is a set of three flaws affecting ETIC Telecom's Remote Access Server (RAS), which "could allow an attacker to obtain sensitive information and compromise the vulnerable device and other connected machines," CISA said.

This includes CVE-2022-3703 (CVSS score: 9.0), a critical flaw that stems from the RAS web portal's inability to verify the authenticity of firmware, thereby making it possible to slip in a rogue package that grants backdoor access to the adversary.

Two other flaws relate to a directory traversal bug in the RAS API (CVE-2022-41607, CVSS score: 8.6) and a file upload issue (CVE-2022-40981, CVSS score: 8.3) that can be exploited to read arbitrary files and upload malicious files that can compromise the device.

Israeli industrial cybersecurity firm OTORIO has been credited with discovering and reporting the flaws. All versions of ETIC Telecom RAS 4.5.0 and prior are vulnerable, with the issues addressed by the French company in version 4.7.3.

The second advisory from CISA concerns three flaws in Nokia's ASIK AirScale 5G Common System Module (CVE-2022-2482, CVE-2022-2483, and CVE-2022-2484), which could pave the way for arbitrary code execution and stoppage of secure boot functionality. All the flaws are rated 8.4 on the CVSS severity scale.

"Successful exploitation of these vulnerabilities could result in the execution of a malicious kernel, running of arbitrary malicious programs, or running of modified Nokia programs," CISA noted.

The Finnish telecom giant is said to have published mitigation instructions for the flaws that impact ASIK versions 474021A.101 and ASIK 474021A.102. The agency is recommending that users contact Nokia directly for further information.

Lastly, the cybersecurity authority has also warned of a path traversal vulnerability (CVE-2022-2969, CVSS score: 8.1) that affects Delta Industrial Automation's DIALink products and could be leveraged to plant malicious code on targeted appliances.

The shortcoming has been addressed in version 1.5.0.0 Beta 4, which CISA said can be obtained by reaching out to Delta Industrial Automation directly or via Delta field application engineering (FAEs).

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Critical Vulnerabilities in 3 Industrial Control System Software

Nokia ASIK AirScale System Module

Cybersecurity and telecom providers from around the world can now test their technologies and use cases in OneLayer's digital twin private network environment.

**TEL AVIV, Israel, Oct. 27, 2022 /PRNewswire/ —** OneLayer, a pioneer in securing private LTE/5G networks for enterprises, announced today the launch of one of the world's first 5G private network security labs. The lab, which will be open to the public for research purposes, acts as a digital twin to simulate specific threat scenarios posed to an enterprise network. The data collected during these simulations will help companies find the best security solutions for each organization and its needs.

Private cellular networks provide organizations with improved connectivity and increased reliability, a dedicated bandwidth with capacity and range, no lag time, and connectivity of IoT and OT devices across vast areas. As organizations increasingly adopt private networks, they must also address securing such networks, so the same standard of security applied to enterprise IP networks is addressed in the cellular domain.

The OneLayer 5G Security Lab provides a simulated environment for cyber and telecom companies to examine diverse security challenges and solutions in this domain. Using core equipment from Nokia, Druid, and Airspan, the lab can create private networks based on different types of cores, end units, and IoT devices to model different types of cyberattacks and the solutions to defend against them.

"The goal of this security lab is to provide the opportunity to test private networks and security use cases to improve the understanding of connected IoT and OT devices for continued R&D of OneLayer's private cellular security platform," said Liron Ben-Horin, VP of Systems Engineering at OneLayer. "We intend to collect and analyze data in order to profile devices and segment networks appropriately. We want to share our tools and capabilities with the private network ecosystem to foster industry collaboration. As such, we welcome any company that is researching or testing LTE/5G devices to join us on this journey at our Tel Aviv-based security lab."

"OTORIO and OneLayer have joined forces in order to leverage OneLayer's 5G Security Lab to test the integrations with various technologies and telecom systems," said Matan Dobrushin, VP Research at OTORIO. "We are excited for our mutual research collaboration to ensure the usability, efficiency and safety of OTORIO's solutions in hybrid networks."

"We are excited for the opportunity to leverage OneLayer's Security Lab and to work together to improve the cybersecurity of 5G core network devices," said Sharon Brizinov, Director of Security Research at Claroty's Team82. "The collaborations coming out of the security lab will benefit enterprise security overall as we explore the ever-growing attack surface of the Extended Internet of Things (XIoT) and these devices' connectivity within cellular networks."

"Armis recognizes the growing risk raised by private cellular networks," said Barak Hadad, Head of Research at Armis. "Together with OneLayer, we can help defenders gain full visibility to their core networks and their connected devices."

"I'm excited to see a Tel Aviv-based startup, OneLayer, investing in a unique 5G devices lab. These types of activities enable the Israeli ecosystem and cybersecurity market to ensure we are ahead of the bad guys as the network continues to evolve," said Eli Fainberg, VP Product at Forescout.

**About OneLayer**

OneLayer provides enterprise-grade security for private LTE/5G networks. Its platform and IoT security toolkit can be implemented in private cellular networks to provide better visibility, control and protection for organizations. The company was founded by world-class cybersecurity experts with a deep understanding of both cellular protocols and IoT security needs and veterans from the IDF's 8200 and 81 intelligence units. OneLayer is backed by industry-leading advisors and has partnered with experts both in the cybersecurity domain as well as the telecom industry. To learn more about OneLayer please visit https://one-layer.com/ or LinkedIn.

OneLayer Opens 5G Security Lab for Network Security Companies to Research Threats to Private Cellular Networks

In CarSettings of app packages, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-220741473

_Published October 3, 2022_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2022-10-05 or later from the October 2022 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the System component that could enable local escalation of privilege in Bluetooth settings. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the October 2022 Android Security Bulletin, the October 2022 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2022-10-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-10-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**System**

The vulnerability in this section could enable local escalation of privilege in Bluetooth settings.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20429

A-220741473

EoP

High

10, 11, 12, 12L

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2022-10-01 or later address all issues associated with the 2022-10-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-10-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-10-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

October 3, 2022

Bulletin Published

Tag

#nokia