Security News > 2020 > June > Two Critical Android Bugs Open Door to RCE
Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution on Android mobile devices.
The critical bugs exist in the Android System area, and would allow a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
Google also patched CVE-2020-0115, an EoP bug in Android 8 to Android 10; and CVE-2020-0121, an information-disclosure bug in Android 10.
There are also two patches for the Android Media Framework, including CVE-2020-0118, which could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions; it affects Android 10.
Google also updated the advisories for two older bugs: CVE-2019-2219, affecting Framework for Android 8 to Android 10, could enable a local malicious application to bypass operating system protections that isolate application data from other applications; and an EoP vulnerability in System could enable a remote attacker to bypass user interaction requirements in order to gain access to additional permissions.
News URL
https://threatpost.com/two-critical-android-bugs-rce/156216/
Related news
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-10 | CVE-2020-0115 | Incorrect Authorization vulnerability in Google Android In verifyIntentFiltersIfNeeded of PackageManagerService.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. | 7.8 |
| 2020-06-10 | CVE-2020-0118 | Out-of-bounds Write vulnerability in Google Android 10.0 In addListener of RegionSamplingThread.cpp, there is a possible out of bounds write due to improper input validation. | 7.8 |
| 2020-06-10 | CVE-2020-0121 | Unspecified vulnerability in Google Android 10.0 In updateUidProcState of AppOpsService.java, there is a possible permission bypass due to a logic error. | 5.5 |
| 2019-12-06 | CVE-2019-2219 | Race Condition vulnerability in Google Android 10.0/9.0 In several functions of NotificationManagerService.java and related files, there is a possible way to record audio from the background without notification to the user due to a permission bypass. | 4.7 |