SB2021030210 - Multiple vulnerabilities in Google Android

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021030210

SB2021030210 - Multiple vulnerabilities in Google Android

Published: March 2, 2021

Security Bulletin ID SB2021030210
Severity
High
Patch available
YES
Number of vulnerabilities 36
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 72% Low 28%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 36 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2021-0394)

The vulnerability allows a local application to gain access to potentially sensitive information.

The vulnerability exists due to unspecified error in system component in Google Android. A local application can gain access to sensitive data on the system.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-0392)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists within system component in Google Android due to improperly imposed security restrictions. A local application can execute arbitrary code on the system within the context of a privileged process.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-0390)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists within system component in Google Android due to improperly imposed security restrictions. A local application can execute arbitrary code on the system within the context of a privileged process.


4) Input validation error (CVE-ID: CVE-2021-0396)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the system component in Google Android. A remote attacker can execute arbitrary code on the system.


5) Input validation error (CVE-ID: CVE-2021-0393)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the system component in Google Android. A remote attacker can execute arbitrary code on the system.


6) Input validation error (CVE-ID: CVE-2021-0397)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the system component in Google Android. A remote attacker can execute arbitrary code on the system.


7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-0398)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists within Android framework due to improperly imposed security restrictions. A local application with privileged access to gain access to sensitive data.


8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-0391)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists within Android framework due to improperly imposed security restrictions. A local application with privileged access to gain access to sensitive data.


9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-0395)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists within Android runtime due to improperly imposed security restrictions. A local application can execute arbitrary code on the system within the context of a privileged process.


10) Heap-based buffer overflow (CVE-ID: CVE-2017-14491)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error in dnsmasq.c file when processing DNS replies. A remote unauthenticated attacker can send specially crafted DNS packets to the affected service, trigger heap-based buffer overflow by 2 bytes and crash the service or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


11) Input validation error (CVE-ID: CVE-2020-11299)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


12) Input validation error (CVE-ID: CVE-2020-11226)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


13) Input validation error (CVE-ID: CVE-2020-11222)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


14) Input validation error (CVE-ID: CVE-2020-11221)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


15) Input validation error (CVE-ID: CVE-2020-11220)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


16) Input validation error (CVE-ID: CVE-2020-11199)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


17) Input validation error (CVE-ID: CVE-2020-11198)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


18) Input validation error (CVE-ID: CVE-2020-11195)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


19) Input validation error (CVE-ID: CVE-2020-11194)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


20) Input validation error (CVE-ID: CVE-2020-11190)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


21) Input validation error (CVE-ID: CVE-2020-11189)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


22) Input validation error (CVE-ID: CVE-2020-11188)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


23) Input validation error (CVE-ID: CVE-2020-11186)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


24) Input validation error (CVE-ID: CVE-2020-11178)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


25) Input validation error (CVE-ID: CVE-2020-11171)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


26) Input validation error (CVE-ID: CVE-2020-11166)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


27) Input validation error (CVE-ID: CVE-2020-11165)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


28) Input validation error (CVE-ID: CVE-2020-11228)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


29) Input validation error (CVE-ID: CVE-2020-11227)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


30) Input validation error (CVE-ID: CVE-2020-11218)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


31) Input validation error (CVE-ID: CVE-2020-11204)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


32) Input validation error (CVE-ID: CVE-2020-11192)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to unspecified error within the Qualcomm closed-source component, included into the Google Android OS. A remote attacker can use this vulnerability to execute arbitrary code on the system.


33) Buffer overflow (CVE-ID: CVE-2020-11223)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the camera component in Qualcomm chipsets. A local user can run a specially crafted program to trigger buffer overflow and execute arbitrary code with elevated privileges.


34) Use-after-free (CVE-ID: CVE-2020-11309)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in GPU driver while mapping the user memory to GPU memory in Qualcomm chipsets. A local user can run a specially crafted program to escalate privileges on the system.


35) Improper Validation of Array Index (CVE-ID: CVE-2020-11308)

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to boundary error in bootloader in Qualcomm chipsets when trying to convert ASCII string to Unicode string if the actual size is more than required. An attacker with physical access to the device can trigger buffer overflow during the boot process of the device and gain unauthorized access to the system.


36) Use-after-free (CVE-ID: CVE-2020-11290)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the display component in Qualcomm chipsets in msm ioctl events due to race between the ioctl register and deregister events. A local user can run a specially crafted program to escalate privileges on the system.


Remediation

Install update from vendor's website.

References