[CDP-development] TLP:GREEN (Vulnerability Alert Notification) MS-ISAC 2023-117 Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Fri Oct 6 08:15:16 PDT 2023


Good morning,

The SOC Services team is reporting on the vulnerability: MS-ISAC 2023-117 Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution.  Due to its high visibility, the software known to be installed in the state environment, and active exploitation, we are providing this in-depth information:

History: Google's Android Security Bulletin for October 2023 provides updates at two security patch levels, 2023-10-01 and 2023-10-05, to address multiple CVEs.  In particular, two previously disclosed CVEs known to be under active exploitation were addressed: CVE-2023-4211 (Medium), a use-after-free in the Arm Mali GPU kernel driver, and CVE-2023-4863 (High), a heap buffer overflow in libwebp that also affects multiple web browsers.

In addition, three Critical vulnerabilities in Qualcomm components that could allow for remote code execution were addressed: CVE-2023-24855, memory corruption in the modem while processing security-related configuration before the AS security exchange (CVSSv3 9.8, Critical); CVE-2023-28540, a cryptographic issue in the data modem due to improper authentication during the TLS handshake (CVSSv3 9.1, Critical); and CVE-2023-33028, memory corruption in WLAN firmware while doing a memory copy of the PMK cache (CVSSv3 9.8, Critical).

Furthermore, two High vulnerabilities that could allow for remote code execution were addressed: CVE-2023-21282, a possible out-of-bounds write due to an incorrect bounds check in the Media Framework (CVSSv3 8.8, High); and CVE-2023-21273, a possible out-of-bounds write due to an incorrect bounds check in System (CVSSv3 8.8, High).

The following products are affected:

  *   Android OS with patch level prior to 2023-10-05

Patches are available from Google to fix the vulnerabilities.  The fixed versions are:

  *   Android OS with patch level 2023-10-05
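
Because the affected/fixed boundary is expressed as a security patch level, the quickest fleet check is to read ro.build.version.security_patch from each device and compare it against 2023-10-05.  The script below is an added example for this advisory, not code from MS-ISAC, Google, or Oregon CSS; it assumes adb is installed and the devices are authorised for USB debugging (an MDM export of the same property can be fed to the same comparison function).

```shell
#!/bin/sh
# Added example (not part of the advisory): flag Android devices whose
# security patch level predates the level that fixes the October 2023 CVEs.
# Assumes adb is on PATH and devices are authorised for USB debugging.

FIXED_PATCH_LEVEL="2023-10-05"   # fixed level named in the advisory

# android_patch_status LEVEL
# Prints "patched", "vulnerable" or "unknown" for a ro.build.version.security_patch
# value.  Patch levels are ISO dates (YYYY-MM-DD); dropping the dashes turns
# them into comparable integers (20231005), which avoids relying on
# non-POSIX string comparison in test(1).  Always returns 0 so the caller can
# use it under set -e; the printed word carries the verdict.
android_patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty, truncated or malformed value
    esac
    have=$(printf '%s' "$level" | tr -d '-')
    want=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -lt "$want" ]; then
        echo vulnerable
    else
        echo patched
    fi
    return 0
}

# scan_connected_devices
# Queries every device adb can see, prints "serial<TAB>level<TAB>status" and
# returns 1 if any device is below the fixed level, so it can gate a job.
# `tr -d '\r'` strips the CR that some adb shells append to getprop output.
scan_connected_devices() {
    rc=0
    for serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        status=$(android_patch_status "$level")
        printf '%s\t%s\t%s\n' "$serial" "${level:-?}" "$status"
        [ "$status" = patched ] || rc=1
    done
    return $rc
}

# Run the scan only when invoked as `sh android_patch_check.sh scan` (assumed
# file name), so the file can also be sourced for the comparison function alone.
if [ "${1:-}" = scan ]; then
    scan_connected_devices
fi
```

A device reporting 2023-10-01 is still flagged: that level carries the framework fixes (CVE-2023-21282, CVE-2023-21273) but not the kernel, Arm and Qualcomm fixes, which the advisory ties to 2023-10-05.  An "unknown" result usually means the device was offline or the property was not returned and should be re-queried rather than treated as patched.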

Further information is available from Google and Qualcomm as published in their respective security bulletins:

  *   Android Security Bulletin-October 2023 - https://source.android.com/docs/security/bulletin/2023-10-01
  *   Qualcomm October 2023 Security Bulletin - https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2023-bulletin.html


Intelligence: As of September 11, 2023, Google is aware that CVE-2023-4863 has been exploited in the wild, and as of October 3, 2023, Google is aware that CVE-2023-4211 has been exploited in the wild.  As of October 6, 2023, Qualcomm has not reported the three Critical CVEs as being exploited in the wild.

Workarounds:  There are no workarounds at this time.

How it works:  There is no public information at this time about how these vulnerabilities are being exploited in the wild.

Post-Exploit:
CVE-2023-4863 is triggered when a crafted WebP image is decoded: a heap buffer overflow in libwebp in the content (renderer) process gives the attacker an out-of-bounds memory write, so simply opening or rendering the image is enough to reach the bug.

CVE-2023-4211 allows a local, non-privileged user to perform improper GPU memory processing operations through the Arm Mali kernel driver and gain access to already freed memory (a use-after-free), which is a path to kernel-level code execution on a device the attacker already has a foothold on.

No further technical details have been provided for the Qualcomm CVEs, and no indicators of compromise have been publicly shared at this time.

As of October 6, 2023, the following vulnerability plugin has been released and is currently in Tenable Security Center:

  Plugin   Title                                                                       Severity
  182435   ARM Mali GPU Kernel Driver < r43p0 Improper Memory Access (CVE-2023-4211)   High
           https://www.tenable.com/plugins/nessus/182435

Recommended Actions:

  *   Verify the host has not been compromised before applying patches.
  *   Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  *   Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."
