Google Android Security Advisory May 2024 - 20240508001¶
Overview¶
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for privilege escalation.
Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.
What is vulnerable?¶
Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable):
Framework¶
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2024-0024 | A-293602317 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-0025 | A-279428283 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-23705 | A-293602970 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-23708 | A-293301736 | EoP | High | 12, 12L, 13, 14 |
System¶
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2024-23706 | A-328068777 | EoP | Critical | 14 |
| CVE-2024-0043 | A-295549388 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-23707 | A-316891059 | EoP | High | 14 |
| CVE-2024-23709 | A-317780080 | ID | High | 12, 12L, 13, 14 |
Kernel¶
The vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed.
| CVE | References | Type | Severity | Subcomponent |
|---|---|---|---|---|
| CVE-2023-4622 | A-299123598 | EoP | High | Unix |
Kernel LTS¶
The following kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch.
| References | Android Launch Version | Kernel Launch Version | Minimum Update Version |
|---|---|---|---|
| A-304554927 | 12 | 5.4 | 5.4.254 |
| A-304560886 | 13 | 5.15 | 5.15.123 |
| A-304560975 | 12 | 5.10 | 5.10.189 |
| A-304560987 | 13 | 5.10 | 5.10.189 |
| A-304561454 | 14 | 5.15 | 5.15.123 |
| A-304561455 | 14 | 6.1 | 6.1.43 |
Arm components¶
These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.
| CVE | References | Severity | Subcomponent |
|---|---|---|---|
| CVE-2023-6363 | A-303632069 * | High | Mali |
| CVE-2024-1067 | A-329506905 * | High | Mali |
| CVE-2024-1395 | A-329506991 * | High | Mali |
MediaTek components¶
These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.
| CVE | References | Severity | Subcomponent |
|---|---|---|---|
| CVE-2023-32871 | A-309364193 M-ALPS08355514 * | High | DA |
| CVE-2023-32873 | A-327972597 M-ALPS08583919 * | High | keyInstall |
| CVE-2024-20056 | A-327973818 M-ALPS08528185 * | High | preloader |
| CVE-2024-20057 | A-327973819 M-ALPS08587881 * | High | keyInstall |
Qualcomm components¶
These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
| CVE | References | Severity | Subcomponent |
|---|---|---|---|
| CVE-2024-21471 | A-318393843 | High | Display |
| CVE-2024-21475 | A-323919078 | High | Video |
| CVE-2024-23351 | A-323918714 | High | Display |
| CVE-2024-23354 | A-323919320 | High | Display |
Qualcomm closed-source components¶
These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.
| CVE | References | Severity | Subcomponent |
|---|---|---|---|
| CVE-2023-33119 | A-309461253 * | High | Closed-source component |
| CVE-2023-43529 | A-309460466 * | High | Closed-source component |
| CVE-2023-43530 | A-309461471 * | High | Closed-source component |
| CVE-2023-43531 | A-309461198 * | High | Closed-source component |
| CVE-2024-21477 | A-323918871 * | High | Closed-source component |
| CVE-2024-21480 | A-323918475 * | High | Closed-source component |
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month... (refer Patch Management):
-
Users are advised to apply appropriate patches to mitigate against potential threats.