SB2022010910 - Multiple vulnerabilities in Google Android
Published: January 9, 2022 Updated: September 4, 2023
Description
This security bulletin contains information about 34 security vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2021-30319)
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to an integer overflow in the WLAN HOST component. A malicious application can run a specially crafted WMI command on the system, trigger an integer overflow and execute arbitrary code with elevated privileges.
2) Heap-based buffer overflow (CVE-ID: CVE-2021-30311)
The vulnerability allows a malicious application to escalate privileges on the system.
3) Buffer overflow (CVE-ID: CVE-2021-30308)
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to a buffer overflow in RFA in the Modem component while printing the HARQ memory partition detail. A malicious application can trigger a buffer overflow and execute arbitrary code with elevated privileges.
4) Reachable Assertion (CVE-ID: CVE-2021-30307)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of a DNS response when the DNS client sends a request with the PTR, NAPTR or SRV query type within the Data Modem component. A remote attacker can send a specially crafted response to the device, trigger an assertion failure and perform a denial of service (DoS) attack.
5) Resource exhaustion (CVE-ID: CVE-2021-30301)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-memory condition while processing RRC and NAS OTA messages in RFA within the Modem component. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Type conversion (CVE-ID: CVE-2021-30300)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type conversion error in LTE within the Modem component, caused by incorrectly decoding hex data for the SIB2 OTA message and assigning a garbage value to choice when processing the SRS configuration. A remote attacker can pass specially crafted data to the system, trigger a type conversion error and perform a denial of service (DoS) attack.
7) Reachable Assertion (CVE-ID: CVE-2021-30287)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of symbols configured for PDCCH monitoring in NR5G within the Modem component. A remote attacker can send specially crafted data to the system, trigger an assertion failure and perform a denial of service (DoS) attack.
8) Input validation error (CVE-ID: CVE-2021-30285)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insufficient validation of a memory region in the Hypervisor in the kernel component. A local application can execute arbitrary code with kernel privileges.
9) Reachable Assertion (CVE-ID: CVE-2021-30353)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of the function pointer type against the actual function signature within the Audio component. A remote attacker can pass specially crafted data to the device, trigger an assertion failure and perform a denial of service attack.
10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-1049)
The vulnerability allows a malicious application to read arbitrary files on the system.
The vulnerability exists due to improper permissions in the Unisoc slogmodem. A local application can read arbitrary files on the system.
11) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-0959)
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists because the Android runtime does not properly impose memory restrictions. A local application can execute arbitrary code with elevated privileges.
12) Integer overflow (CVE-ID: CVE-2021-31889)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer overflow. A remote attacker can send a specially crafted TCP packet, trigger an integer overflow and cause a denial of service condition on the target system.
13) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-40148)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because Modem EMM uses an insecure communication channel to transmit sensitive information. A remote attacker with the ability to intercept network traffic can gain access to sensitive data.
14) Input validation error (CVE-ID: CVE-2021-31890)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the total length of a TCP payload (set in the IP header) is unchecked. A remote attacker can cause a denial of service condition on the target system.
15) Input validation error (CVE-ID: CVE-2021-31346)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the total length of a UDP payload (set in the IP header) is unchecked. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack or gain access to sensitive information on the system.
16) Input validation error (CVE-ID: CVE-2021-31345)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the total length of a UDP payload (set in the IP header) is unchecked. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack or gain access to sensitive information on the system.
17) Information disclosure (CVE-ID: CVE-2021-39633)
The vulnerability allows a local application to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in the OS kernel. A local application can gain unauthorized access to sensitive information on the system.
18) Race condition (CVE-ID: CVE-2021-39634)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a race condition in the OS kernel. A local application can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
19) Out-of-bounds write (CVE-ID: CVE-2020-29368)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing untrusted input within the __split_huge_pmd() function in mm/huge_memory.c in the Linux kernel. A local user can abuse the copy-on-write implementation and gain unintended write access because of a race condition in a THP mapcount check.
20) Improper input validation (CVE-ID: CVE-2021-39659)
The vulnerability allows a local application to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.
21) Information exposure (CVE-ID: CVE-2021-39628)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
22) Improper input validation (CVE-ID: CVE-2021-39620)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
23) Improper input validation (CVE-ID: CVE-2021-39622)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
24) Improper input validation (CVE-ID: CVE-2021-39618)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
25) Improper input validation (CVE-ID: CVE-2021-39623)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Media Framework component. A local application can execute arbitrary code.
26) Information exposure (CVE-ID: CVE-2021-0643)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
27) Improper input validation (CVE-ID: CVE-2021-39621)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
28) Improper input validation (CVE-ID: CVE-2021-39630)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
29) Improper input validation (CVE-ID: CVE-2021-39632)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
30) Improper input validation (CVE-ID: CVE-2021-39627)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
31) Improper input validation (CVE-ID: CVE-2021-39629)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
32) Improper input validation (CVE-ID: CVE-2021-39625)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
33) Improper input validation (CVE-ID: CVE-2021-39626)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
34) Information disclosure (CVE-ID: CVE-2020-0338)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the framework component. A local application can gain access to sensitive information.
Remediation
Install the update from the vendor's website.
References
- https://source.android.com/security/bulletin/2022-01-01#2022-01-05-security-patch-level-vulnerability-details
- https://android.googlesource.com/platform/packages/services/Telecomm/+/f1cae30e2c9837d1587a3a732bcc9398bd1f9e63
- https://source.android.com/docs/security/bulletin/2022-01-01
- https://android.googlesource.com/platform/frameworks/base/+/9be6207510c2e39e2899a9ce7a93fb09f83134c6
- https://android.googlesource.com/platform/frameworks/native/+/f2e0a95700a937e421647623a60c9fc01d6e5d87
- https://android.googlesource.com/platform/frameworks/av/+/5753afcd4c87f5566f4014cce1cbc8d767572331
- https://android.googlesource.com/platform/frameworks/opt/telephony/+/f6bb9b20840c29e74a37ea2b880e63b3fc9470ff
- https://android.googlesource.com/platform/packages/apps/Dialer/+/9c452d9f25d8fb41fd3ec627293a2481fde778d4
- https://android.googlesource.com/platform/frameworks/base/+/b2dc041a4e84986e3a6932b127d3a18ef02b6d0a
- https://android.googlesource.com/platform/bootable/recovery/+/f0a760b3a154ad328c682ec8559287befff14945
- https://android.googlesource.com/platform/hardware/nxp/nfc/+/63162916491d3ad034e0288fb2e254cf2b66db92
- https://android.googlesource.com/platform/packages/apps/Settings/+/3f280c15b1808a94acd3ce2c4145c74e6f183855