[ad_1]
Google has released the second part of the May Android security patch, which includes a fix for an actively exploited Linux kernel vulnerability.
The flaw, tracked as CVE-2021-22600, is a privilege escalation bug in the Linux kernel that threat actors can exploit through local access. Since Android uses a modified Linux kernel, the vulnerability also affects the operating system.
Google researchers disclosed the Linux vulnerability in January and also introduced a fix that was responsibly disclosed to Linux vendors. However, it has taken a few months to fix this vulnerability in Google’s own Android operating system.
In April, CISA disclosed that this vulnerability was being actively exploited in attacks and added it to its ‘Catalog of Known Exploited Vulnerabilities’. In the May Android Security Bulletin, Google confirms that “CVE-2021-22600 may be under limited and targeted exploitation.”
It is unclear how the vulnerability is used in the attacks, but it is likely to be used to execute privileged commands and spread laterally through Linux systems on corporate networks.
Recent versions of Android (10, 11, 12) have introduced increasingly strict permissions, making it difficult for malware to acquire the necessary permissions for advanced features. As such, it is not unlikely to resort to exploiting post-infection flaws to gain elevated privileges.
A second potential use of this vulnerability is for device rooting tools that users install and activate to gain root privileges on the device.
Here is a summary of what else has been fixed this month:
- Four Escalation of Privilege (EoP) and One Information Disclosure (ID) Flaws in the Android Framework
- Three EoP failures, two ID failures, and two Denial of Service (DoS) failures on the Android system
- Three EoPs and one ID failure in Kernel components
- Three high-severity vulnerabilities in MediaTek components
- 15 high severity and one critical severity defects in Qualcomm components
Note that the fix for CVE-2021-22600 and all fixes from third-party vendors are available at security patch level 2022-05-05, not the first security patch level released on May 1, 2020. 2022.
Regardless, all of these fixes are still incorporated in next month’s first security patch level, which will be released on June 1, 2022.
If you are using Android 9 or earlier, this security patch does not apply to your device and you must update to a newer version of Android OS for security reasons.
Those using Google Pixel devices received additional fixes this month, with one of them affecting only the latest Pixel 6 Pro range that uses the Titan-M chip.
The two most interesting are CVE-2022-20120, a critical remote execution vulnerability affecting the bootloader, and CVE-2022-20117, a critical information disclosure bug in Titan-M.
[ad_2]