[CVSS 8+] Google Addresses Critical Vulnerabilities in Android

Google’s December 2023 Android security updates have addressed 85 vulnerabilities. The updates include a critical zero-click remote code execution (RCE) flaw, which is tracked as CVE-2023-40088. The vulnerability exists in Android’s System component and can be triggered without requiring additional privileges.

“The most severe vulnerability in this section could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” highlights the security advisory.

Accordingly, please see below for a brief overview of the critical vulnerabilities that Google has addressed.

Critical Vulnerabilities in the System Component
  • CVE-2023-40088: An attacker can exploit this vulnerability to execute arbitrary code on vulnerable devices without any user interaction. It is the most severe vulnerability addressed in Google’s December 2023 Android security updates. At the time of writing, this vulnerability has no CVSS score yet.
  • CVE-2023-45866: This vulnerability allows an unauthenticated, remote user to escalate privileges without any user interaction. At the time of writing, it is not yet listed in the NIST Vulnerability Database.
Critical Vulnerabilities in the Framework Component
  • CVE-2023-40077: This vulnerability could lead to remote escalation of privilege without requiring additional execution privileges. User interaction is not necessary for exploitation. At the time of writing, it has no assigned CVSS score.
  • CVE-2023-40076: This vulnerability could result in a local escalation of privilege without requiring any additional execution privileges. Exploitation does not require user interaction. At the time of writing, it has no assigned CVSS score.
Critical Vulnerability in the Qualcomm Closed-Source Components

CVE-2022-40507: This is a memory corruption issue, with a CVSS score of 8.4, caused by a double free in Core while mapping an HLOS address to the list.

Vulnerabilities under Exploitation

Additionally, Google has highlighted that the following vulnerabilities might be under exploitation:

  • CVE-2023-33107: This is a Qualcomm Multiple Chipsets Integer Overflow Vulnerability with a CVSS score of 8.4.
  • CVE-2023-33106: This is a Qualcomm Multiple Chipsets Use of Out-of-Range Pointer Offset Vulnerability with a CVSS score of 8.4.
  • CVE-2023-33063: This vulnerability affects multiple Qualcomm chipsets and is due to memory corruption in DSP Services during a remote call from HLOS to DSP. It has a CVSS score of 7.8.

⚠️ Please note that CISA has also added these vulnerabilities to its Known Exploited Vulnerabilities Catalog.

Call for Action

Accordingly, Android users should promptly update their software. For details about the vulnerabilities, please refer to Google’s security advisory. Additionally, we strongly recommend that users keep automatic Android system updates enabled.

Also, please note that this update comes shortly after a fix for a zero-day vulnerability in Chrome. Thus, it is important to closely monitor Google security updates.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.