Two Critical Android Bugs Open Door to RCE (June 2020)
Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution on Android mobile devices.
The critical bugs exist in the Android System area, and would allow a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
Google also patched CVE-2020-0115, an elevation-of-privilege (EoP) bug in Android 8 to Android 10; and CVE-2020-0121, an information-disclosure bug in Android 10.
There are also two patches for the Android Media Framework, including CVE-2020-0118, which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions; it affects Android 10.
Google also updated the advisories for two older bugs: CVE-2019-2219, affecting Framework for Android 8 to Android 10, could enable a local malicious application to bypass operating system protections that isolate application data from other applications; and an EoP vulnerability in System could enable a remote attacker to bypass user interaction requirements in order to gain access to additional permissions.
News URL
https://threatpost.com/two-critical-android-bugs-rce/156216/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-06-10 | CVE-2020-0115 | Incorrect Authorization vulnerability in Google Android. In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. | 7.8 |
2020-06-10 | CVE-2020-0118 | Out-of-bounds Write vulnerability in Google Android 10.0. In addListener of RegionSamplingThread.cpp, there is a possible out of bounds write due to improper input validation. | 7.8 |
2020-06-10 | CVE-2020-0121 | Unspecified vulnerability in Google Android 10.0. In updateUidProcState of AppOpsService.java, there is a possible permission bypass due to a logic error. | 5.5 |
2019-12-06 | CVE-2019-2219 | Race Condition vulnerability in Google Android 10.0/9.0. In several functions of NotificationManagerService.java and related files, there is a possible way to record audio from the background without notification to the user due to a permission bypass. | 4.7 |