Security News > 2020 > June > Two Critical Android Bugs Open Door to RCE
Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution on Android mobile devices.
The critical bugs exist in the Android System area, and would allow a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
Google also patched CVE-2020-0115, an EoP bug in Android 8 to Android 10; and CVE-2020-0121, an information-disclosure bug in Android 10.
There are also two patches for the Android Media Framework, including CVE-2020-0118, which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions; it affects Android 10.
Google also updated the advisories for two older bugs: CVE-2019-2219, affecting Framework for Android 8 to Android 10, could enable a local malicious application to bypass operating system protections that isolate application data from other applications; and an EoP vulnerability in System could enable a remote attacker to bypass user interaction requirements in order to gain access to additional permissions.
News URL
https://threatpost.com/two-critical-android-bugs-rce/156216/
Related news
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Critical Zimbra RCE flaw exploited to backdoor servers using emails (source)
- CISA: Network switch RCE flaw impacts critical infrastructure (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- Akira and Fog ransomware now exploit critical Veeam RCE flaw (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-10 | CVE-2020-0115 | Incorrect Authorization vulnerability in Google Android In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. | 7.8 |
| 2020-06-10 | CVE-2020-0118 | Out-of-bounds Write vulnerability in Google Android 10.0 In addListener of RegionSamplingThread.cpp, there is a possible out of bounds write due to improper input validation. | 7.8 |
| 2020-06-10 | CVE-2020-0121 | Unspecified vulnerability in Google Android 10.0 In updateUidProcState of AppOpsService.java, there is a possible permission bypass due to a logic error. | 5.5 |
| 2019-12-06 | CVE-2019-2219 | Race Condition vulnerability in Google Android 10.0/9.0 In several functions of NotificationManagerService.java and related files, there is a possible way to record audio from the background without notification to the user due to a permission bypass. | 4.7 |