Main Vulnerability Database SB2017071733

SB2017071733 - Permissions, Privileges, and Access Controls in Google, Google Android

Published: July 17, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017071733

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Physical access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-10398)

The vulnerability allows a local privileged user to execute arbitrary code.

Android 6.0 has an authentication bypass for attackers with root and physical access. Cryptographic authentication tokens (AuthTokens) used by the Trusted Execution Environment (TEE) are protected by a weak challenge. This allows adversaries to replay previously captured responses and use the TEE without authenticating. All apps using authentication-gated cryptography are vulnerable to this attack, which was confirmed on the LG Nexus 5X.

Remediation

Install update from vendor's website.

References

https://homepages.staff.os3.nl/~delaat/rp/2015-2016/p30/report.pdf