
Google: Two Major Pixel Vulnerabilities Patched


Google has published updates for Android 10, 11, 12, and 12L which include Pixel security patches. The Android Security Bulletin for May offers information about security flaws that could affect Android devices.

The Pixel Update Bulletin offers information about security flaws and functional enhancements for affected Pixel devices. Google Pixel phones are "pure Android" devices. The two bulletins identify significant vulnerabilities as follows:

  • CVE-2022-20120 — Bootloader [Critical]: The bootloader has a remote code execution (RCE) flaw. The bootloader on Android is the software program that loads the operating system every time the user turns on the phone. By default it will only load software that has been signed by Google; if the user unlocks the bootloader, however, it will run whatever software they specify. The precise problem has not been revealed yet, but based on the level of access required to exploit it, it may be very serious.
  • CVE-2022-20117 — Titan M [Critical]: Titan M has an information disclosure (ID) flaw. Titan M is a security chip designed specifically for Pixel phones to protect the most sensitive data and the OS version on the device, and it assists the bootloader in ensuring that users are running the correct Android version. Being able to read data out of the component that is supposed to protect the most sensitive information is not reassuring.
  • CVE-2021-35090 — Qualcomm [Moderate]: Qualcomm chips are the most widely used in Android smartphones. The flaw carries a CVSS score of 9.3 out of 10. Qualcomm describes it as a race condition in the kernel of the time-of-check/time-of-use (TOCTOU) kind, and also mentions a potential hypervisor memory corruption owing to a TOCTOU race when address mappings are changed. A TOCTOU bug occurs whenever a resource is checked for a specific condition, such as whether or not a file exists, and the condition changes before the resource is used, invalidating the result of the check. More generally, a race condition occurs when multiple threads have access to shared data and attempt to update it at the same time.
  • CVE-2022-20119 — Display/Graphics [High]
  • CVE-2022-20121 — USCCDMService [High]
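The following is an added example, not code from the bulletin, from Google or from Qualcomm, that illustrates the check-then-use pattern the Qualcomm entry describes. It is a user-space file example rather than the kernel or hypervisor mapping code the advisory concerns; the file names, the `race_hook_t` callback that stands in for a concurrent thread, and every helper name are constructed for the demo. The vulnerable reader validates a path with `stat()` and then opens the path again, so a swap between the two calls defeats the check; the hardened reader opens first with `O_NOFOLLOW` and validates the descriptor it will actually use with `fstat()`, so check and use refer to the same object.

```c
// Added example (not from the post, Google or Qualcomm): a user-space
// illustration of a time-of-check/time-of-use (TOCTOU) race and its fix.
// File names, the hook mechanism and helper names are constructed for the demo.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Invoked between check and use; stands in for a concurrent thread that
   changes the resource after the check has passed. NULL = no interference. */
typedef void (*race_hook_t)(const char *path);

/* Vulnerable pattern: validate the PATH with stat(), then open the PATH again.
   If the path is changed in between, the check says nothing about what is read.
   Returns bytes read into buf, or -1 if the check or the open fails. */
ssize_t read_regular_toctou(const char *path, race_hook_t hook, char *buf, size_t len) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* time of check */
    if (hook) hook(path);                                         /* race window */
    int fd = open(path, O_RDONLY);                                /* time of use */
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Hardened pattern: open first without following symlinks, then validate the
   DESCRIPTOR with fstat(). Check and use now refer to the same kernel object.
   The hook runs at the same point in the sequence, so the interference is equal. */
ssize_t read_regular_safe(const char *path, race_hook_t hook, char *buf, size_t len) {
    if (hook) hook(path);
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;                   /* a symlink now fails with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* ---- constructed scenario: a scratch directory with two files ---------- */
static char g_dir[64];

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* The interference: replace the checked file with a symlink to another file. */
static void swap_to_symlink(const char *path) {
    char target[128];
    snprintf(target, sizeof target, "%s/other.txt", g_dir);
    unlink(path);
    symlink(target, path);
}

/* Runs both readers against the same swap. Returns 1 when the vulnerable reader
   ends up with the other file's contents, the hardened reader refuses the swapped
   path, and the hardened reader still accepts an unswapped regular file. */
int demo_toctou(void) {
    char victim[128], other[128], buf[64];
    strcpy(g_dir, "/tmp/toctou_demo_XXXXXX");
    if (!mkdtemp(g_dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim.txt", g_dir);
    snprintf(other, sizeof other, "%s/other.txt", g_dir);
    int ok = 1;
    ok &= write_file(other, "OTHER") == 0 && write_file(victim, "public") == 0;

    /* 1. stat-then-open: the check saw a regular file, the open followed a symlink */
    ssize_t n = read_regular_toctou(victim, swap_to_symlink, buf, sizeof buf);
    ok &= (n > 0 && strcmp(buf, "OTHER") == 0);

    /* 2. open-then-fstat with O_NOFOLLOW: the swapped path is rejected */
    unlink(victim);
    ok &= write_file(victim, "public") == 0;
    n = read_regular_safe(victim, swap_to_symlink, buf, sizeof buf);
    ok &= (n < 0);

    /* 3. no interference: the hardened reader accepts the genuine file */
    unlink(victim);
    ok &= write_file(victim, "public") == 0;
    n = read_regular_safe(victim, NULL, buf, sizeof buf);
    ok &= (n > 0 && strcmp(buf, "public") == 0);

    unlink(victim); unlink(other); rmdir(g_dir);
    return ok;
}

int main(void) {
    printf("TOCTOU demo: %s\n", demo_toctou() ? "reproduced and mitigated" : "failed");
    return 0;
}
```

The same principle applies to the kernel and hypervisor case the advisory mentions: a mapping must be validated on the object that will actually be used, under the lock or in the atomic step that installs it, rather than on a name or address looked up separately beforehand. The ownership check in the hardened reader is a belt-and-braces measure; `O_NOFOLLOW` alone does not defend against a hard link to an attacker-chosen regular file.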

The most serious of these issues, according to Google, is a high-severity vulnerability in the Framework component which could lead to local elevation of privilege (EoP) with user execution privileges needed, although the company does not specify which of the four candidates it is.

All problems in these bulletins are addressed in security patch levels 2022-05-05 or later for Google and other Android devices. Google's "Check & update your Android version" help page explains how to find a device's security patch level. Experts advise all Android users to update to the most recent version.

This week, the Pixel 3a and Pixel 3a XL receive their final security updates, after which they reach end of life (EOL) for support.

40% of all Android Phones Affected by Qualcomm Snapdragon Vulnerability


Security researchers have reported a serious flaw in Qualcomm mobile station modems (MSM) that can be used to inject malicious code on mobile devices by using the Android operating system itself as the point of entry. The affected chips are found in nearly 40% of all smartphones worldwide, including high-end phones from Samsung and other OEMs.

Qualcomm MSM is a 2G, 3G, 4G, and 5G-capable system on a chip (SoC) used by several vendors, such as Samsung, Google, LG, OnePlus, and Xiaomi, in approximately 40 percent of mobile phones.

"If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones," as per the Check Point researchers who found the vulnerability tracked as CVE-2020-11292. 

The vulnerability could also allow attackers to activate the SIM module, which is used to securely store the network authentication information and contact details on mobile devices.

To exploit CVE-2020-11292, an attacker would have to abuse a stack overflow vulnerability in the Qualcomm MSM Interface (QMI), the protocol the cellular processor uses to communicate with the software stack, and through which the modem is monitored and remotely patched from the application processor.

Malicious apps could then use the flaw to hide their activity inside the modem chip itself, making that malicious behaviour effectively invisible to Android's security features.

"Going forward, our research can hopefully open the door for other security researchers to assist Qualcomm and other vendors to create better and more secure chips, helping us foster better online protection and security for everyone." 

Following the report, Qualcomm produced security patches to resolve CVE-2020-11292 and delivered them to all affected vendors in December 2020, two months later. Qualcomm states that providing technologies that support robust security and privacy is a priority; having provided OEMs with the fixes in December 2020, it encourages end users to update their devices as patches become available.

As Qualcomm sent the CVE-2020-11292 patches to OEMs last year, Android users with newer devices, which typically receive security and system updates, should be protected against attempts to compromise up-to-date devices. Unfortunately, the same may not be true for those who have not moved to a newer smartphone running a more recent Android release in the last few years.

In practice, about 19% of all Android devices run Android 9.0 Pie (launched in August 2018) and over 9% run Android 8.1 Oreo (launched in December 2017), according to StatCounter data.

Last year Qualcomm also fixed flaws in the Snapdragon Digital Signal Processor (DSP) chip that allowed attackers to monitor smartphones, spy on their users, and plant persistent malware that can evade detection, along with many more vulnerabilities that could affect Snapdragon.

Qualcomm also patched KrØØk in July 2020, a security bug that can be used to decrypt certain WPA2-encrypted wireless network packets. In 2019, another bug that enabled access to sensitive data was fixed, as were two flaws in the SoC WLAN firmware that permitted over-the-air compromise of the modem and kernel.