Android March 2023 Security Update Patches 2 RCE (CVE-2023-20951 & CVE-2023-20954) bugs

CVE-2023-20951

Google has started rolling out this month’s security updates for its mobile operating system platform to address a total of 60 new security vulnerabilities affecting Android devices, 4 of which have been rated critical in severity.

The vulnerabilities affect various Android components, including the framework, system, Google Play, and kernel, as well as MediaTek, Unisoc, and Qualcomm components, including closed-source components.

Four of the critical vulnerabilities patched this month reside in System (CVE-2023-20951 & CVE-2023-20954) and Qualcomm’s closed-source components (CVE-2022-33213 & CVE-2022-33256), the most severe of which could allow a remote attacker to execute arbitrary code on a targeted device with no additional execution privileges needed. User interaction is not needed for exploitation.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” Google wrote.

CVE-2023-20951 & CVE-2023-20954 flaws were resolved as part of the 2023-03-01 security patch level, which addresses a total of 31 vulnerabilities in Framework (8), System(18), and Google Play (5).

An additional 29 vulnerabilities were resolved as part of the 2023-03-05 security patch level, in Kernel, MediaTek, Unisoc, and Qualcomm components.

According to the Android security advisory, none of the flaws addressed this month were publicly disclosed or found to be exploited in the wild. Users are strongly recommended to download the most recent Android security updates as soon as they are available in order to keep their Android devices protected against any potential attack.