Critical Android Vulnerabilities Allow Attacker to Execute Code Remotely


During the March monthly patch cycle, Google fixed several critical vulnerabilities in Android that could allow remote attackers to take control of devices. A total of 38 vulnerabilities have been resolved this month, six of which have been rated critical.


The most dangerous vulnerability, according to Google, is CVE-2021-0397, which is located in the System component of Android. It allows an attacker to execute arbitrary code in the context of a privileged process by means of a "specially crafted transmission". Google has provided no further details about the attack vector or the vulnerability, other than that it has been fixed in Android 8.1, 9, 10 and 11.


In addition to vulnerabilities in its own Android code, Google also fixes, as part of the monthly patch round, vulnerabilities in components from chipset manufacturers that Android uses. This concerns companies such as Broadcom, MediaTek and Qualcomm. This month, five vulnerabilities in Qualcomm's software that are rated critical have been patched.


These are CVE-2020-11192, CVE-2020-11204, CVE-2020-11218, CVE-2020-11227 and CVE-2020-11228. Of these, CVE-2020-11192 and CVE-2020-11227 are identified as the most dangerous: a buffer overflow and an 'improper validation of array index' in the "data modem" software. Both allow an attacker to remotely execute code on vulnerable devices. On a scale of 1 to 10, their impact has been rated 9.8.


Patch level

Google works with so-called patch levels, where a date indicates the patch level. Devices that receive the March updates will have '2021-03-01' or '2021-03-05' as their patch level. Manufacturers who want their devices to reach this patch level must add all updates from the March Android bulletin to their own updates and then roll them out to their users. The updates have been made available for Android 8.1, 9, 10 and 11.


According to Google, manufacturers of Android devices were informed about the now-fixed vulnerabilities and have been able to develop updates in the meantime. However, that does not mean that all Android devices will receive these updates: some devices are no longer supported with updates by the manufacturer, and other manufacturers release the updates at a later time.
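Because a patch level is just an ISO date, whether a device already carries the March fixes can be checked by comparing its reported patch level against '2021-03-01' (or '2021-03-05'). The script below is an added example, not code from the article or from Google; it reads the real `ro.build.version.security_patch` system property over adb when asked to, and otherwise runs over a constructed set of sample patch levels standing in for a fleet inventory. The function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example: check Android security patch levels against the March 2021 bulletin.
# Patch levels are ISO dates (YYYY-MM-DD), so they can be compared as numbers
# once the dashes are stripped (2021-03-05 -> 20210305).

REQUIRED_LEVEL="2021-03-01"   # the later March level, '2021-03-05', also satisfies this

# Return 0 if $1 has the YYYY-MM-DD shape of a patch level, 1 otherwise.
is_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if patch level $1 is at or after $2, 1 if it is older,
# 2 if either value is not a well-formed patch level.
patch_level_at_least() {
    level="$1"; required="$2"
    is_patch_level "$level" || return 2
    is_patch_level "$required" || return 2
    level_num=$(printf '%s' "$level" | sed 's/-//g')
    required_num=$(printf '%s' "$required" | sed 's/-//g')
    if [ "$level_num" -ge "$required_num" ]; then
        return 0
    fi
    return 1
}

# Read the patch level of a connected device. ro.build.version.security_patch is
# the real system property; this only works when adb and a device are available.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
}

# Print a one-line verdict for one patch level string.
report_patch_level() {
    lvl="$1"
    rc=0
    patch_level_at_least "$lvl" "$REQUIRED_LEVEL" || rc=$?
    case "$rc" in
        0) echo "$lvl: March 2021 fixes present" ;;
        1) echo "$lvl: MISSING March 2021 fixes (CVE-2021-0397 and the five Qualcomm CVEs)" ;;
        *) echo "$lvl: unrecognised patch level string" ;;
    esac
}

if [ "${1:-}" = "--device" ]; then
    # Live check of a connected device.
    report_patch_level "$(device_patch_level)"
else
    # Constructed sample patch levels standing in for a fleet inventory.
    for sample in 2021-02-05 2021-03-01 2021-03-05 2021-04-01 unknown; do
        report_patch_level "$sample"
    done
fi
```

Run it with `--device` to query a device over adb; without arguments it walks the constructed samples, flagging the February level as missing the fixes and rejecting the malformed value. A patch level at or after the March date only shows that the manufacturer shipped that bulletin's fixes; it says nothing about devices the manufacturer no longer updates, which simply stay at an older date.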
