Android gets the first 8 CVEs for 2020

These CVEs affect:

* Android 8.0

* Android 8.1

* Android 9

* Android 10

Google has published the Android Security Bulletin for January 2020, covering the first CVE of the year, CVE-2020-0001, together with the following seven CVEs:

* CVE-2020-0002

* CVE-2020-0003

* CVE-2020-0004

* CVE-2020-0005

* CVE-2020-0006

* CVE-2020-0007

* CVE-2020-0008

Remote code execution CVE-2020-0002

A use-after-free can be triggered in ih264d_init_decoder in the file “decoder/ih264d_api.c” of libavc, the H.264 decoder used by Android's media framework. The patch moves the reset of the decoded-picture-buffer (DPB) entries out of the buffer-allocation function and into ih264d_init_decoder, directly after the dynamic buffers are freed, so the decoder no longer holds pointers to memory it has just released:

@@ -963,6 +963,30 @@ /* Free any dynamic buffers that are allocated */ ih264d_free_dynamic_bufs(ps_dec); + { + UWORD8 i; + struct pic_buffer_t *ps_init_dpb; + ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0]; + for(i = 0; i < 2 * MAX_REF_BUFS; i++) + { + ps_init_dpb->pu1_buf1 = NULL; + ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; + ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb; + ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb; + ps_init_dpb++; + } + + ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0]; + for(i = 0; i < 2 * MAX_REF_BUFS; i++) + { + ps_init_dpb->pu1_buf1 = NULL; + ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; + ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb; + ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb; + ps_init_dpb++; + } + } + ps_cur_slice = ps_dec->ps_cur_slice; ps_dec->init_done = 0; @@ -1439,29 +1463,6 @@ ps_dec->ps_col_mv_base = pv_buf; memset(ps_dec->ps_col_mv_base, 0, size); - { - UWORD8 i; - struct pic_buffer_t *ps_init_dpb; - ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0]; - for(i = 0; i < 2 * MAX_REF_BUFS; i++) - { - ps_init_dpb->pu1_buf1 = NULL; - ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; - ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb; - ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb; - ps_init_dpb++; - } - - ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0]; - for(i = 0; i < 2 * MAX_REF_BUFS; i++) - { - ps_init_dpb->pu1_buf1 = NULL; - ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; - ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb; - ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb; - ps_init_dpb++; - } - } ih264d_init_decoder(ps_dec); return IV_SUCCESS;
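Review bot: in the first hunk, the block added after ih264d_free_dynamic_bufs(ps_dec) dereferences ps_dec->ps_dpb_mgr->ps_init_dpb[0][0] with no check that ps_dpb_mgr has been set up; this code previously ran in the allocation path, after the dynamic buffers existed, and now runs on every ih264d_init_decoder call, so please confirm that ps_dpb_mgr is allocated before the first call on every path, or guard the block with `if (ps_dec->ps_dpb_mgr)`. The two loops differ only in the list index and could be a single `for (list = 0; list < 2; list++)` loop, so that `2 * MAX_REF_BUFS` and `MAX_REF_BUFS + 1` are spelled out once.

Review bot: in the second hunk, removing the reset from the allocation function is only safe because `ih264d_init_decoder(ps_dec);` still follows the memset of ps_col_mv_base and now performs that reset; a one-line comment at that call site saying the DPB pointer reset happens inside ih264d_init_decoder would keep a later change from reordering or dropping the call without noticing it also drops the reset.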

Link to git commit:

https://android.googlesource.com/platform/external/libavc/+/c4b0440fb7a36cd8692126404f86f1bd7a19701e
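To make the pattern the patch addresses concrete, here is an added model (an illustration written for this post, not libavc's code) of a decoder whose decoded-picture-buffer entries point into a dynamically allocated pool. It keeps the names from the diff (MAX_REF_BUFS, pic_buffer_t, pu1_buf1, ps_init_dpb), but the structures, the pool layout and the dec_* functions are assumptions made for the demo. dec_reinit_vulnerable mirrors the pre-patch flow, where the pool is freed but the entries are only reset on the next allocation; dec_reinit_fixed mirrors the post-patch flow, where the reset follows the free directly.

```c
#include <stdlib.h>
#include <string.h>
/* Added model of the bug class behind CVE-2020-0002: decoded-picture-buffer
 * (DPB) entries that keep pointing into a buffer pool after the pool is freed.
 * Names follow the patch; structures and flow are simplified, not libavc's code. */

#define MAX_REF_BUFS 4
#define NUM_LISTS    2
#define NUM_ENTRIES  (2 * MAX_REF_BUFS)
#define PIC_BYTES    64

struct pic_buffer_t {
    unsigned char *pu1_buf1;             /* picture data inside the dynamic pool */
    unsigned char  u1_long_term_frm_idx;
};

typedef struct {
    struct pic_buffer_t  as_entries[NUM_LISTS][NUM_ENTRIES];
    struct pic_buffer_t *ps_init_dpb[NUM_LISTS][NUM_ENTRIES];
} dpb_mgr_t;

typedef struct {
    dpb_mgr_t     *ps_dpb_mgr;
    unsigned char *pu1_dyn_pool;         /* the "dynamic buffers" of the patch */
} dec_ctx_t;

/* The block the patch moves into ih264d_init_decoder: forget every picture. */
static void dpb_reset(dpb_mgr_t *m)
{
    for (int l = 0; l < NUM_LISTS; l++)
        for (int i = 0; i < NUM_ENTRIES; i++) {
            struct pic_buffer_t *e = &m->as_entries[l][i];
            e->pu1_buf1 = NULL;
            e->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
            m->ps_init_dpb[l][i] = e;
        }
}

int dec_create(dec_ctx_t *d)
{
    memset(d, 0, sizeof *d);
    d->ps_dpb_mgr = calloc(1, sizeof *d->ps_dpb_mgr);
    if (!d->ps_dpb_mgr) return -1;
    dpb_reset(d->ps_dpb_mgr);
    return 0;
}

/* Allocate the pool and give every DPB entry a picture inside it. */
int dec_allocate_dynamic_bufs(dec_ctx_t *d)
{
    d->pu1_dyn_pool = calloc(NUM_LISTS * NUM_ENTRIES, PIC_BYTES);
    if (!d->pu1_dyn_pool) return -1;
    for (int l = 0; l < NUM_LISTS; l++)
        for (int i = 0; i < NUM_ENTRIES; i++)
            d->ps_dpb_mgr->as_entries[l][i].pu1_buf1 =
                d->pu1_dyn_pool + (l * NUM_ENTRIES + i) * PIC_BYTES;
    return 0;
}

static void dec_free_dynamic_bufs(dec_ctx_t *d)
{
    free(d->pu1_dyn_pool);
    d->pu1_dyn_pool = NULL;
}

/* Pre-patch shape: free the pool, leave the DPB alone until the next allocation. */
void dec_reinit_vulnerable(dec_ctx_t *d)
{
    dec_free_dynamic_bufs(d);
}

/* Post-patch shape: reset the DPB right after freeing the pool it points into. */
void dec_reinit_fixed(dec_ctx_t *d)
{
    dec_free_dynamic_bufs(d);
    dpb_reset(d->ps_dpb_mgr);
}

/* Entries still holding a picture pointer while no pool exists (compared to NULL only). */
int dec_dangling_entries(const dec_ctx_t *d)
{
    int n = 0;
    if (d->pu1_dyn_pool) return 0;
    for (int l = 0; l < NUM_LISTS; l++)
        for (int i = 0; i < NUM_ENTRIES; i++)
            if (d->ps_dpb_mgr->ps_init_dpb[l][i]->pu1_buf1) n++;
    return n;
}

/* Run one create/allocate/re-init cycle and report how many entries dangle. */
int dec_scenario(int use_fix)
{
    dec_ctx_t d;
    if (dec_create(&d) || dec_allocate_dynamic_bufs(&d)) return -1;
    if (use_fix) dec_reinit_fixed(&d); else dec_reinit_vulnerable(&d);
    int n = dec_dangling_entries(&d);
    free(d.ps_dpb_mgr);
    return n;
}
```

dec_scenario(0) reports all 16 entries (2 lists × 2·MAX_REF_BUFS) still pointing into the freed pool, dec_scenario(1) reports none. In the real decoder those stale pu1_buf1 values are what a later reference-picture lookup would read as pixel data, which is the use-after-free the bulletin describes.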

Privilege escalation vulnerabilities

CVE-2020-0001

A process-handling function in ActivityManagerService.java does not validate its input properly, allowing an app to escape its sandbox.

CVE-2020-0003

In InstallStart.java, part of the package installer, it is possible to bypass a package validation check.

Link to diff

Denial of service CVE-2020-0004

Improper validation of the image size in WallpaperManagerService can cause a denial of service if the wallpaper file is too big.

Information disclosure vulnerabilities

CVE-2020-0006

A vulnerability in the Near Field Communication (NFC) stack of Android discloses memory contents through uninitialized data and is exploitable by an unprivileged third party.

CVE-2020-0007

Memory contents can be disclosed through uninitialized data in Sensor.cpp. Link to patch: git commit 6c524a53c85bd0ee05d2714bc5606d62975e5819
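Both CVE-2020-0006 and CVE-2020-0007 are the same bug class: a record is filled field by field and then shipped across a trust boundary by copying its raw bytes, so padding and unwritten tail bytes carry whatever the memory held before. The following is an added illustration written for this post, not the AOSP code or either fix; the sensor_info_t layout, the 0xAA stand-in for stale memory and the sensor_* helpers are assumptions for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration of the bug class in CVE-2020-0006/-0007, not AOSP code. */

typedef struct {
    uint8_t  type;       /* followed by 3 padding bytes on common ABIs */
    uint32_t handle;
    char     name[8];    /* only strlen(name)+1 bytes are ever written */
    uint16_t version;    /* followed by 2 bytes of tail padding */
} sensor_info_t;

/* Stand-in for "memory that held something else before" (stale stack bytes). */
#define STALE_BYTE 0xAA

typedef union {
    sensor_info_t s;
    unsigned char raw[sizeof(sensor_info_t)];
} sensor_slot_t;

/* The flatten idiom that leaks: copy the whole object representation. */
size_t sensor_flatten(const sensor_info_t *s, unsigned char *out, size_t cap)
{
    if (cap < sizeof *s) return 0;
    memcpy(out, s, sizeof *s);
    return sizeof *s;
}

/* Fill the record the way a producer would. If hardened, clear the object first
 * so no byte that flatten copies is left over from earlier use of the memory. */
static void sensor_fill(sensor_info_t *s, int hardened)
{
    if (hardened) memset(s, 0, sizeof *s);
    s->type = 1;
    s->handle = 0x1234;
    strcpy(s->name, "accel");     /* 6 bytes incl. NUL; name[6..7] untouched */
    s->version = 2;
}

/* Bytes of the flattened output that still show the stale pattern. */
size_t count_stale(const unsigned char *buf, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) if (buf[i] == STALE_BYTE) k++;
    return k;
}

/* Simulate a slot of memory that previously held other data, fill a record in
 * it, flatten it, and report how many stale bytes reached the output. */
size_t leak_demo(int hardened)
{
    sensor_slot_t slot;
    unsigned char wire[sizeof(sensor_info_t)];
    memset(slot.raw, STALE_BYTE, sizeof slot.raw);   /* "previous" contents */
    sensor_fill(&slot.s, hardened);
    size_t n = sensor_flatten(&slot.s, wire, sizeof wire);
    return count_stale(wire, n);
}
```

leak_demo(0) returns a non-zero count (7 on the usual 32- and 64-bit ABIs: three padding bytes after type, two unused name bytes and two tail bytes), leak_demo(1) returns 0. Zeroing the object before filling it is the cheapest fix; serialising field by field instead of memcpy-ing the struct removes the padding from the wire format altogether.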

CVE-2020-0008

A race condition in the Bluetooth part of Android, if exploited, leads to information disclosure.

The Mississippi state government has published an announcement about these security threats, advising users to update their Android devices as soon as possible.

Link here: its.ms.gov

CVE-2020-0001

Android Security Bulletin January 2020

Use after free vulnerability

If you are using an RSS reader you can subscribe to the blog here:

https://blog.firosolutions.com/exploits/index.xml

https://blog.firosolutions.com/posts/index.xml