Public Release of Exploit for Android Privilege Elevation Flaw Affecting Seven OEMs
January 31, 2024
A proof-of-concept exploit for a local privilege elevation flaw that affects a minimum of seven Android original equipment manufacturers (OEMs) has been made publicly accessible on GitHub. The exploit, however, requires local access, making it primarily useful for research purposes. The flaw, assigned the identifier CVE-2023-45779, was uncovered by Meta's Red Team X in the early part of September 2023. It was subsequently addressed in the security update released by Android in December 2023. The specifics of the flaw were not disclosed at the time to prevent potential exploitation.
The flaw exists due to insecure signing of APEX modules using test keys. This vulnerability allows potential attackers to push malicious updates to the platform components, thereby leading to local privilege elevation. The flaw, though not directly exploitable remotely, underlines the weaknesses within the Compatibility Test Suite (CTS) and the Android Open Source Project (AOSP) documentation. Google intends to address these concerns in the forthcoming Android 15 release. Devices that have been updated with the Android security patch level 2023-12-05 are protected against CVE-2023-45779.
Tom Hebb from Meta published a detailed write-up explaining that the issue arises from the signing of APEX modules using publicly accessible test keys from the AOSP. APEX modules allow OEMs to push updates to specific system components without the need for a full over-the-air (OTA) update, thereby making the update packages more streamlined and easier to test and deliver to end users. Ideally, these modules should be signed with a private key known only to the OEM, created during the build process. However, the use of the same public key found in the Android source code build tree means anyone could forge critical system component updates. These updates could provide attackers with elevated privileges on the device, bypassing existing security mechanisms and leading to full compromise.
The vulnerability, CVE-2023-45779, affects several OEMs, including ASUS, Microsoft, Nokia, Nothing, VIVO, Lenovo, and Fairphone. It is likely that multiple, if not all, models from these seven OEMs are vulnerable to CVE-2023-45779. The issue was confirmed by Fairphone in their bulletin. Hebb suggests that the reason multiple OEMs overlooked the security issue is multifaceted, including unsafe default settings in AOSP, inadequate documentation, and insufficient coverage by the CTS, which failed to detect the use of test keys in the APEX signatures.
A number of OEMs, whose device models were tested by Meta's analysts, were confirmed to be not vulnerable to CVE-2023-45779 due to their use of private keys. These include Google, Samsung, Xiaomi, OPPO, Sony, Motorola, and OnePlus. The researchers have made the exploit for CVE-2023-45779 available on GitHub. However, this does not necessarily mean that users who have not yet received a fix should be overly concerned. In order to exploit the flaw, physical access to the target device and some expertise in using 'adb shell' would typically be required. The proof-of-concept is primarily intended for research and mitigation validation. Nevertheless, there is always a chance that the exploit could be used as part of an exploit chain to elevate privileges on an already compromised device. If your Android device is running a version older than the Android security patch level 2023-12-05, it is advisable to switch to a supported distribution or upgrade to a newer model.
Latest News
- CISA Issues Warning over Actively Exploited iPhone Kernel Bug
- Critical Vulnerability in GNU C Library Could Grant Full Root Access
- Ivanti Alerts on Two New High-Severity Vulnerabilities, One Currently Under Active Exploitation
- Ivanti's Zero-Day Vulnerabilities Remain Unpatched as 'KrustyLoader' Attacks Increase
- Critical Vulnerability Exposes 45k Jenkins Servers to RCE Attacks
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.