Thursday, November 14, 2024

Google fixes Android kernel RCE bug under active exploit

Must read

Google released 46 fixes for Android in its August security patch batch, including one for a Linux kernel flaw in the mobile OS that can lead to remote code execution (RCE).

From the sounds of things, this hole already been spotted and exploited by spyware slingers.

This bug, tracked as CVE-2024-36971, is a use-after-free vulnerability in the networking stack that earned a high-severity 7.8-out-of-10 CVSS rating. Successful exploitation may lead to “remote code execution with System execution privileges needed,” the web giant said, meaning an attacker could gain full control over the device, potentially from across the network or internet.

And while Google never provides much detail in its monthly patch bulletins about how Android flaws are being abused in the wild, it does note that “there are indications that CVE-2024-36971 may be under limited, targeted exploitation.”

Plus, Google Threat Analysis Group’s Clément Lecigne gets credit for finding and reporting this vulnerability. This is significant because TAG tracks state-sponsored cyberspies and about 40 commercial surveillance vendors including Pegasus developer NSO Group and Predator maker Intellexa.

In 2023, TAG uncovered 25 zero-day vulnerabilities under active exploitation, and 20 of these were abused by commercial surveillance vendors.

So it’s safe to assume that while this security alert says a flaw “may be” under exploit, it likely is already being used in spyware-spreading attacks against selected targets. If you haven’t already, update any Android devices right away.

While CVE-2024-36971 is certainly the most pressing of the Android updates, don’t neglect the other fixes in this month’s batch. 

There’s a critical flaw, tracked as CVE-2024-23350, in a Qualcomm closed-source component. According to Qualcomm’s alert, this bug exists in the devices’ multi-mode call processor. And can lead to permanent denial of service.

Plus, Google addressed 11 high-severity elevation-of-privilege bugs in the Framework component that attackers can abuse without needing any additional execution privileges.

August is another month in which Google issued two sets of patches. There’s the 2024-08-01 patch level, which are Android-specific, and the 2024-08-05 patch level, which includes all of the earlier CVEs plus patches for Kernel and third-party components: Arm, Imagination Technologies, MediaTek, and Qualcomm, including that permanent one.

This latter bunch affects other vendors’ closed-source components and are described in more detail in the third-party vendor’s respective security bulletins.

And, of course, all of this is simply a preview to next week’s August Patch Tuesday event, during which Microsoft and friends will push fixes for even more CVEs, so stay tuned for that. ®

Latest article