Feb.’s security update for the Android mobile OS includes a Qualcomm flaw rated critical, with a CVSS score of 9.8.
Google patched 5 critical bugs in its Android operating system as part of its Feb. Security Bulletin. 2 of the flaws were remote code execution vulnerabilities found within the Android media framework & system.
3 additional critical Qualcomm bugs were reported by Google & patched by Qualcomm – part of a separate security bulletin disclosure. One of those flaws (CVE-2020-11163) has a Common Vulnerability Scoring System (CVSS) rating of 9.8 out of 10. The bug is linked to the wireless local area network (WLAN) chip used for Wi-Fi communications.
Google patched 22 vulnerabilities altogether in the Android OS, 15 of which were elevation-of-privilege (EOP) class bugs. Another 22 security flaws were addressed by Qualcomm & impacted a range of device functions such as Wi-Fi radio, camera & device displays.
Patch Cadence / Disclosure
Over-the-air updates to the Android operating system and chipset firmware will be delivered to devices over the following days & weeks. Google’s own Pixel-device family typically receives the updates 1st, with other device manufacturers’ handsets following.
The technical details of the patched vulnerabilities are often not released until a majority of affected handsets have been patched.
The worst of the critical bugs in the Android OS is a security vulnerability in the Media Framework component that allows for remote code execution (RCE), enabling a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process, according to Google.
The bug is tracked as CVE-2021-0325, & received a “critical” rating on Android 8.1 & 9 but a “high” rating on Android 10, 11 and 12, the company commented.
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform & service mitigations are turned off for development purposes or if successfully bypassed,” says the security bulletin.
The patch itself will be delivered in 2 parts, the 1st of which patches 20 vulnerabilities in the Android OS and the 2nd of which addresses 23 flaws found in the Android kernel & assorted components from Qualcomm, according to Google.
Remote Code Execution Bugs
Also included in the update are patches for 2 additional bugs in the Media Framework, 1 tracked as CVE-2021-0332 that allows for privilege elevation on Android 10 & 11.
Another critical RCE bug, CVE-2021-0326, was found in the System component & could enable a remote attacker to use “a specially crafted transmission to execute arbitrary code within the context of a privileged process,” according to Google. It has been updated for versions 8.1, 9, 10 & 11 of the OS.
5 extra vulnerabilities patched in the update for Android System all include EOP capability & have been updated for all versions of the OS from 8.1 upwards, the company stated.
The update also patches 10 bugs found in Android Framework, 9 of which include EOP capability & affect various versions of the OS. All of the Framework vulnerabilities received a “high” rating, according to the advisory.
Qualcomm Bugs Patched Too
The other 3 bugs in the update with “critical” ratings affect Qualcomm components in Android. The most serious, based on public information, is tracked as CVE-2020-11272 (CVSS score 9.8) & affects the WLAN component.
Qualcomm describes the bug as an “improper validation of array index in data modem” flaw.
It offered additional limited details including that the bug can be abused by an attacker should they trigger a “buffer overflow while updating ikev2 parameters.” Internet Key Exchange (IKEv2) is the protocol used to set up a security association in the IPsec protocol suite, according to a technical description.
The 2 others, CVE-2020-11163 & CVE-2020-11170, affected Qualcomm closed-source components found in the OS.
The Android Kernel, Google Play system, & Android runtime all got 1 patch each in the update, for bugs each rated “high.”
In Jan., Google also addressed 43 bugs in Android, including 2 critical bugs, one of which was found in Android System & allowed remote attackers to execute arbitrary code.
Currently, there is no evidence that any of the vulnerabilities patched in the Feb. update are being actively exploited in the wild, says a post on the update by the Centre for Internet Security (CIS).
CIS recommended that Android users apply the Android updates provided by Google or their mobile carriers to vulnerable systems “immediately after proper testing.”
The centre also reminded users to only download applications from trusted vendors in the Google Play Store & also to avoid visiting untrusted websites or following links provided by unknown or untrusted sources.