Google Patches Critical Bluetooth RCE Bug | Threatpost

Eleven critical Android bugs were patched as part of Google’s March Security Update. Three of them were tied to Android’s media framework and core system, while the others were related to faulty Qualcomm chip components.

Out of those critical bugs, Google patched three critical remote code-execution (RCE) bugs, including two critical media framework vulnerabilities (CVE-2019-1989 and CVE-2019-1990) that impact Android 7.0 (Nougat) and after.

While CVE data isn’t yet available, a technical description posted on The LineageOS Project website indicates that both of these are tied to the Android’s video-control API commands.

A third critical vulnerability (CVE-2019-2009) impacting the Android core system (version 7 and later) is meanwhile related to the Bluetooth component “l2c_lcc_proc_pdu”.

While CVE data isn’t available for this one either, technical details indicate that the bug is tied to the Android Bluetooth stack. Past attack vectors tied to “l2c_lcc_proc_pdu” have included elevation of privilege attacks via Bluetooth, caused by an out-of-bounds write flaw. This most recent bug is labeled as an RCE flaw.

Earlier this year, Google patched CVE-2018-9555, which is a nearly identical flaw in  l2c_lcc_proc_pdu (CVE-2019-2009). Google wrote: “there is a possible out-of-bounds write due to a missing bounds check. This could lead to remote escalation of privilege over Bluetooth, with no additional execution privileges needed. User interaction is not needed for exploitation.”

Also of note: Eight additional critical vulnerabilities were reported in Qualcomm components. Two of the bugs are both tied to one CVE (CVE-2017-8252). The flaw is a local “information disclosure” vulnerability in Android’s TrustZone, a special section of the Android kernel that runs its own operating system. Also tied to a single CVE (CVE-2018-11817), are two flaws related to a specialized Qualcomm chip called digital signal processor.

Information on additional Qualcomm bugs are limited, however one flaw (CVE-2018-11958) affects the Android high level operating systems (HLOS), according to the chipmaker. “Insufficient protection of keys in keypad can lead HLOS to gain access to confidential keyboard input data,” Qualcomm wrote.

Separately, Samsung patched seven critical vulnerabilities. Three patches (CVE-2019-1989, CVE-2019-1990 and CVE-2019-2009) issued by Samsung were tied to Google’s March update. The additional critical vulnerabilities patched by the Korean consumer electronics giant (CVE-2018-11262, CVE-2018-11289, CVE-2018-11820, CVE-2018-11938, CVE-2018-11945) were bugs reported by Google in its February Android Security Update.

Updates to Google Pixel and other vendor phones (Samsung, LG and others) have commenced via over-the-air updates. Source code patches for the issues meanwhile will be released to the Android Open Source Project repository in the next 48 hours, according to Google.

In all, Google reported 45 bugs in its March update with 11 ranked critical and 33 rated high. Elevation of privilege vulnerabilities dominated this month’s group, accounting for 21 identified bugs out the 45 listed.