SB2024050707 - Multiple vulnerabilities in Google Android
Published: May 7, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 26 secuirty vulnerabilities.
1) Improper Access Control (CVE-ID: CVE-2024-23351)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics Linux. A local application can execute arbitrary code.
2) Buffer overflow (CVE-ID: CVE-2024-21480)
The vulnerability allows a remote attacker to read and manipulate data.
The vulnerability exists due to improper input validation in Audio. A remote attacker can read and manipulate data.
3) Buffer over-read (CVE-ID: CVE-2024-21477)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
4) Access of Uninitialized Pointer (CVE-ID: CVE-2023-43531)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in SPS Applications. A local application can execute arbitrary code.
5) Integer overflow (CVE-ID: CVE-2023-43530)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in HLOS. A local application can read and manipulate data.
6) Reachable Assertion (CVE-ID: CVE-2023-43529)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Data Modem. A remote attacker can perform a denial of service (DoS) attack.
7) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2023-33119)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Hypervisor. A local application can execute arbitrary code.
8) Use After Free (CVE-ID: CVE-2024-23354)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics Linux. A local application can execute arbitrary code.
9) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2024-21475)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Video. A local application can execute arbitrary code.
10) Use-after-free (CVE-ID: CVE-2023-4622)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the unix_stream_sendpage() function in af_unix component. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
11) Use After Free (CVE-ID: CVE-2024-21471)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics Linux. A local application can execute arbitrary code.
12) Out-of-bounds write (CVE-ID: CVE-2024-20057)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within keyInstall. A local privileged application can execute arbitrary code.
13) Improper input validation (CVE-ID: CVE-2024-20056)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to an insecure default value within preloader. A local privileged application can execute arbitrary code.
14) Out-of-bounds write (CVE-ID: CVE-2023-32873)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within keyInstall. A local privileged application can execute arbitrary code.
15) Unchecked Error Condition (CVE-ID: CVE-2023-32871)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to an incorrect status check within DA. A local application can execute arbitrary code.
16) Use-after-free (CVE-ID: CVE-2024-1395)
The vulnerability allows a local user to escalate privileges on the system.
17) Use-after-free (CVE-ID: CVE-2024-1067)
The vulnerability allows a local user to escalate privileges on the system.
The
vulnerability exists due to a use-after-free error within the Mali GPU
kernel driver on Armv8.0 cores. A local user can trigger a use-after-free error and
execute arbitrary code with elevated privileges.
18) Use-after-free (CVE-ID: CVE-2023-6363)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the Mali GPU kernel driver. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
19) Information exposure (CVE-ID: CVE-2024-23709)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
20) Improper input validation (CVE-ID: CVE-2024-23705)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
21) Improper input validation (CVE-ID: CVE-2024-23707)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
22) Improper input validation (CVE-ID: CVE-2024-0043)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
23) Improper input validation (CVE-ID: CVE-2024-23706)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
24) Improper input validation (CVE-ID: CVE-2024-0025)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
25) Improper input validation (CVE-ID: CVE-2024-23708)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
26) Improper input validation (CVE-ID: CVE-2024-0024)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
Remediation
Install update from vendor's website.
References
- https://source.android.com/docs/security/bulletin/2024-05-01
- https://android.googlesource.com/platform/external/sonivox/+/3f798575d2d39cd190797427d13471d6e7ceae4c
- https://android.googlesource.com/platform/frameworks/base/+/032bee6dc118ce1cc3fde92463b2954c1450f2e8
- https://android.googlesource.com/platform/packages/apps/Settings/+/f1d0079c91734168c150f839168544f407b17b06
- https://android.googlesource.com/platform/packages/modules/Permission/+/8141e8f4dd77b9f8fb485e23ddf028c57fcd4fca
- https://android.googlesource.com/platform/packages/modules/HealthFitness/+/6e6896c3fd8139779ff8d51a99ee06667e849d87
- https://android.googlesource.com/platform/frameworks/base/+/d49662560e366dbf69bf7d59d00e73905d03e6d5
- https://android.googlesource.com/platform/frameworks/base/+/0c095c365ede36257e829769194f9596a598e560
- https://android.googlesource.com/platform/frameworks/base/+/6a9250ec7fc9801a883cedd7860076f42fb518ac