#VU34341 Incorrect default permissions in Google Android - CVE-2020-0215

Cybersecurity Help s.r.o.

Published: 2020-06-11 | Updated: 2020-08-08

Vulnerability identifier: #VU34341

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-0215

CWE-ID: CWE-276

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In onCreate of ConfirmConnectActivity.java, there is a possible leak of Bluetooth information due to a permissions bypass. This could lead to local escalation of privilege of a pairing Bluetooth MAC address with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-140417248

Mitigation
Install update from vendor's website.

Vulnerable software versions

Google Android: 10

External links
https://source.android.com/security/bulletin/pixel/2020-06-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Google Android

Incorrect default permissions in Google, Google Android