SB2019101110 - Incorrect default permissions in Google, Google Android
Published: October 11, 2019 Updated: November 3, 2019
Security Bulletin ID
SB2019101110
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Physical access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect default permissions (CVE-ID: CVE-2019-2114)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions within the Android Beam service when installing application transferred via NFC. An attacker with physical proximity to the device can transfer a malicious application to the device and trick the victim into installing it just by tapping on the notification. No additional warnings are displayed for apps, transferred via NFC beaming.
Remediation
Install update from vendor's website.