Monday, December 23, 2024

Google fixes Android kernel zero-day exploited in targeted attacks

Must read

Image: Midjourney

Android security updates this month patch 46 vulnerabilities, including a high-severity remote code execution (RCE) exploited in targeted attacks.

The zero-day, tracked as CVE-2024-36971, is a use after free (UAF) weakness in the Linux kernel’s network route management. It requires System execution privileges for successful exploitation and allows altering the behavior of certain network connections.

Google says that “there are indications that CVE-2024-36971 may be under limited, targeted exploitation,” with threat actors likely exploiting to gain arbitrary code execution without user interaction on unpatched devices.

Clément Lecigne, a security researcher from Google’s Threat Analysis Group (TAG), was tagged as the one who discovered and reported this zero-day vulnerability.

Even though Google has yet to provide details about how the flaw is being exploited and what threat actor is behind the attacks, Google TAG security researchers frequently identify and disclose zero-days used in state-sponsored surveillance software attacks to target high-profile individuals.

“Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours,” explains the advisory.

Earlier this year, Google patched another zero-day exploited in attacks: a high-severity elevation of privilege (EoP) flaw in the Pixel firmware, tracked as CVE-2024-32896 by Google and CVE-2024-29748 by GrapheneOS (which found and reported the flaw).

Forensic companies exploited this vulnerability to unlock Android devices without a PIN and gain access to the stored data.

Google has released two patch sets for the August security updates, the 2024-08-01 and 2024-08-05 security patch levels. The latter includes all the security fixes from the first set and additional patches for third-party closed-source and Kernel components, like a critical vulnerability (CVE-2024-23350) in a Qualcomm closed-source component.

Notably, not all Android devices might need security vulnerabilities that apply to the 2024-08-05 patch level. Device vendors may also prioritize deploying the initial patch level to streamline the update process. However, this does not necessarily indicate an increased risk of potential exploitation.

It’s important to note that while Google Pixel devices receive monthly security updates immediately after release, other manufacturers may require some time before rolling out the patches. The delay is necessary for additional testing of the security patches to ensure compatibility with various hardware configurations.

Latest article