Hurry to fix the Android vulnerability that allows the acquisition of root rights

Did you know about the existence of the Google Android Red Team? It is a group of security experts dedicated to identifying and analyzing critical vulnerabilities in the Android operating system. The team works within Google, constantly searching for zero-day vulnerabilities and developing proofs of concept to confirm that exploitation is feasible and to assess the impact on devices; it then reports the problems it discovers internally so that they can be resolved.

With a distinctly technical post, which we try to summarize here in simpler and more accessible terms, the Android Red Team reports the discovery of a really serious security vulnerability in the green robot's operating system. It has the identifier CVE-2023-20938 and can be exploited to improperly acquire root privileges.

Vulnerability in Android Binder: why it is so dangerous

Binder is the main inter-process communication (IPC) channel used on Android. It consists of userspace libraries provided by the Android platform and a kernel driver.

On Android, all untrusted apps automatically run inside a sandbox, and most IPC takes place through the interface Binder offers. The Chrome for Android renderer process uses a restrictive SELinux context, but it still has access to Binder and a limited set of Android services.

SELinux on Android implements a policy-based security model that controls access to system resources and process activity. This security model limits the actions that apps can perform on the device, thus reducing the risk of system compromise through malware or other threats.

A bug in Binder's memory management can lead to inconsistencies in the reference counting of objects in memory. Once again we are talking about memory safety, an aspect to which most recently discovered vulnerabilities can be traced back.

When a process receives data from another process, the kernel must perform some translation work. Binder follows rules for releasing objects when they are no longer in use and for avoiding memory leaks. In some cases, Binder keeps pointers to objects already freed from memory (dangling pointers): an untrusted application can thus arbitrarily access the contents of memory reserved for the kernel. By exploiting this bug, an app could read and even modify sensitive data belonging to other apps or system components.

Risks of root privilege acquisition by unauthorized Android apps

The identifier of this serious Android flaw is CVE-2023-20938: if "2023" refers to the year of discovery, why is it only being talked about now?

The reason is simple: the Android Red Team preferred to give colleagues all the time needed to resolve the problem, and users a wide window in which to apply the corrective patches. The problem in question was in fact completely resolved with the Android updates of July 2023.

However, Android devices that have not yet been updated with the most recent patches (or that in any case have a security patch level prior to July 2023) remain vulnerable.

This video gives a concrete demonstration of acquiring root rights by exploiting the flaw in question.

The concrete risks for users

If left unresolved, the CVE-2023-20938 vulnerability identified in Android Binder exposes users to a variety of risks:

  • Privilege escalation (acquisition of root rights): Exploitation of the vulnerability allows an untrusted app installed on the device to obtain root privileges. With root privileges, a malicious app can execute kernel-level code, completely compromising the integrity and security of the device.
  • Full access to user data: With root privileges, an app could access all personal data, credentials, messages, photos, videos and other private information stored on the device, violating the user’s privacy.
  • Installation of persistent malware: An attacker could install persistent malware or rootkits that survive device reboots, permanently compromising the device until the operating system is completely reinstalled.
  • Exposure to man-in-the-disk attacks: With complete control of the kernel, an attacker could intercept and tamper with encrypted network traffic before it is decrypted by the operating system.
  • Disabling security mechanisms: An attack that exploits this vulnerability could completely disable SELinux, app isolation, and other Android security mechanisms, exposing users to additional potential attack vectors.

What to do to protect your Android devices and stored data

The first step in making sure you are protected against this Android vulnerability is to check whether your device has received the security patches that resolve CVE-2023-20938.

To do this, open the settings, tap About your phone/tablet and check the “Android security patch level”. Devices with a patch level prior to July 2023 are considered vulnerable.

Since CVE-2023-20938 is a kernel-level vulnerability, it is also useful to check the exact kernel version you are running. Google researchers list the vulnerable kernel versions as 5.4 and 5.10. If you are using one of these versions, it is essential to make sure the corrective patch is installed.

Some Android device manufacturers follow their own security patch release schedules. It is useful to check the manufacturer's website for any security bulletins and updates specific to CVE-2023-20938.
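The patch-level and kernel-version checks described above can be scripted for a fleet of devices; the following is an added example, not code from the original article or from Google. It assumes the two strings are collected with `adb shell getprop ro.build.version.security_patch` and `adb shell uname -r`; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a device for CVE-2023-20938 from two strings.
# Assumed way to collect them from a connected device:
#   adb shell getprop ro.build.version.security_patch   -> 2023-06-05
#   adb shell uname -r                                  -> 5.10.149-android13-...

FIXED_LEVEL=202307   # July 2023, the patch level the article gives as fixed

# "2023-06-05" -> 202306; fails on anything not shaped like YYYY-MM-DD
patch_month() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=${1%%-*}; rest=${1#*-}
    echo "${y}${rest%%-*}"
}

# "5.10.149-android13-4-gabc" -> 5.10; fails if there is no numeric major.minor
kernel_branch() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] && [ "$rest" != "$1" ] || return 1
    echo "${major}.${minor}"
}

# classify PATCH_LEVEL KERNEL_RELEASE -> patched | vulnerable | outdated | unknown
classify() {
    pm=$(patch_month "$1") || { echo unknown; return 0; }
    kb=$(kernel_branch "$2") || { echo unknown; return 0; }
    if [ "$pm" -ge "$FIXED_LEVEL" ]; then
        echo patched        # at or above the July 2023 level
    elif [ "$kb" = 5.4 ] || [ "$kb" = 5.10 ]; then
        echo vulnerable     # old patch level on a kernel branch the article lists
    else
        echo outdated       # old patch level, branch not listed: still update
    fi
}

# Constructed sample inventory (patch level, kernel release), not real devices
while read -r level kernel; do
    printf '%-12s %-30s %s\n' "$level" "$kernel" "$(classify "$level" "$kernel")"
done <<'EOF'
2023-06-05 5.10.149-android13-4-gabc123
2023-07-01 5.4.233-android12-9
2023-03-05 4.19.191-perf
unknown 5.10.0
EOF
```

An `outdated` result does not mean the device is safe: the article treats any patch level before July 2023 as vulnerable, so the label only separates the kernel branches it names from the rest.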

Opening image credit: iStock.com – juniorbeep
