Android April 2023 update fixes two critical RCE (CVE-2023-21085 & CVE-2023-21096) flaws
Google has started rolling out April 2023 security update for its mobile operating system platform to address a total of 69 new security vulnerabilities affecting Android devices, 6 of which have been rated critical in severity.
The vulnerabilities affect various Android components, including the framework, system, Google Play, and kernel, as well as Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components, including closed-source components.
Five of the critical vulnerabilities patched this month reside in System (CVE-2023-21085 and CVE-2023-21096) and Qualcomm’s closed-source components (CVE-2022-33231, CVE-2022-33288, CVE-2022-33289, and CVE-2022-33302), the most severe of which could allow a remote attacker to execute arbitrary code on a targeted device with no additional execution privileges needed. User interaction is not needed for exploitation.
Photo by Daniel Romero on Unsplash
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed,” Google wrote.
The flaws fixed this time are delivered via two separate security patch levels, namely 2023-04-01 and 2023-04-05. CVE-2023-21085 and CVE-2023-21096 flaws were resolved as part of the 2023-04-01 security patch level, which addresses a total of 28 CVEs in the Android system and framework.
An additional 41 vulnerabilities were resolved as part of the 2023-04-05 security patch level, in Kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components.
In this month’s security update, there is a security vulnerability in Arm that is exploited in the wild. Tracked as CVE-2022-38181 (CVSS score of 8.8), Arm Mali GPU Kernel Driver could allow a remote authenticated attacker to bypass security restrictions, caused by a use-after-free error. By making improper GPU processing operations, an attacker could exploit this vulnerability to gain access to already freed memory.
Pixel devices will receive the complete patch in an over-the-air update in the coming days, or the owners can download it directly from Google’s developer site.
Users are strongly recommended to download the most recent Android security updates as soon as they are available to keep their Android devices protected against any potential attack.
