Google has removed malicious Android kernel vulnerabilities

In April, CISA disclosed that this vulnerability was being actively exploited in attacks and added it to its ‘Known Exploited Vulnerabilities Catalog.’ In the May Android security bulletin, Google confirms that “CVE-2021-22600 may be under limited, targeted exploitation.” It is not clear how the vulnerability is being used in attacks, but it is likely being used to execute privileged commands and spread laterally through Linux systems in corporate networks.

  • Four escalation of privilege (EoP) and one information disclosure (ID) flaw in the Android Framework.
  • Three EoP, two ID, and two denial of service (DoS) flaws in the Android System.
  • Three EoP and one ID flaw in Kernel components.
  • Three high-severity vulnerabilities in MediaTek components.
  • 15 high-severity and one critical-severity flaw in Qualcomm components.

Note that the fix for CVE-2021-22600 and all of those coming from third-party vendors are available on the 2022-05-05 security patch level, not on the first security patch level released on May 1, 2022.

Regardless, all these fixes are still incorporated on the first security patch level of the next month, which is to be released on June 1, 2022. If you are using Android 9 or older, this security patch does not apply to your device, and you should upgrade to a more recent Android OS version for security reasons.

Those using Google Pixel devices received additional fixes this month, with one of them impacting only the most recent Pixel 6 Pro range that uses the Titan-M chip. The two most interesting are CVE-2022-20120, a critical remote execution vulnerability impacting the bootloader, and CVE-2022-20117, a critical information disclosure bug on Titan-M.
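The patch-level distinction above can be checked per device. The script below is an added example, not part of the original article: it classifies a device from its Android release and security patch level string, using a constructed inventory with hypothetical device names, and the labels (patched, partial, missing, unsupported, invalid) are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): triage devices by security patch level.
# On a device the two values come from:
#   adb shell getprop ro.build.version.release
#   adb shell getprop ro.build.version.security_patch
FIX_SPL=20220505    # 2022-05-05: level the article says carries CVE-2021-22600
FIRST_SPL=20220501  # 2022-05-01: first May level, without that fix

# classify RELEASE SPL -> patched | partial | missing | unsupported | invalid
classify() {
    release=$1 spl=$2
    # Accept only a well-formed YYYY-MM-DD patch level.
    case $spl in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    major=${release%%.*}              # "8.1.0" -> "8"
    case $major in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # The article: this patch does not apply to Android 9 or older.
    if [ "$major" -le 9 ]; then echo unsupported; return 0; fi
    n=$(printf '%s' "$spl" | sed 's/-//g')   # 2022-05-05 -> 20220505
    if [ "$n" -ge "$FIX_SPL" ]; then
        echo patched                  # includes later levels such as 2022-06-01
    elif [ "$n" -ge "$FIRST_SPL" ]; then
        echo partial                  # lacks CVE-2021-22600 and vendor fixes
    else
        echo missing
    fi
}

# Constructed inventory (hypothetical names): name, release, patch level.
triage() {
    while read -r name release spl; do
        printf '%s %s\n' "$name" "$(classify "$release" "$spl")"
    done <<'EOF'
pixel-a 12 2022-05-05
tablet-b 11 2022-05-01
phone-c 10 2022-04-05
old-d 8.1.0 2019-08-01
phone-e 12 2022-06-01
odd-f 12 May-2022
EOF
}

triage
```

A device reporting 2022-05-01 comes out as partial: it has the first May level but not the kernel fix.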

Story Highlights

  • Google has released the second instalment of the May Android security patch, which includes a fix for an actively exploited Linux kernel vulnerability. The vulnerability, identified as CVE-2021-22600, is a privilege escalation bug in the Linux kernel that threat actors can exploit through local access. Because Android runs on a modified Linux kernel, the vulnerability affects the operating system as well. Google researchers disclosed the Linux vulnerability in January, along with a patch that was responsibly disclosed to Linux vendors. However, it took several months for Google’s Android operating system to be patched.

  • Recent Android versions (10, 11, 12) have incorporated increasingly strict permissions, making it hard for malware to acquire the permissions needed for advanced functions. As such, turning to exploiting flaws post-infection to gain elevated privileges isn’t unlikely. A second potential use for this vulnerability is for device rooting tools that users install and activate themselves to gain root privileges on the device. Here’s a summary of what else has been fixed this month: