Android Security Bulletin Analysis (June 2022)


2022-06-01 security patch level vulnerability details

Framework

CVE-2021-39691

  • As of this writing, the patch for this vulnerability has not been uploaded to AOSP
  • Updated AOSP versions: 10, 11, 12
  • Credit: Matthew Daley

CVE-2022-20006

  • During a user switch the System UI main thread is busy and cannot promptly service the PhoneWindowManager.lockNow() and KeyguardViewMediator.doKeyguardTimeout() calls. This opens a race window in which a guest user can switch back to the primary user and access the primary user's content without the primary user's credentials (the lock screen password). On low-end devices the window can last 15-30 seconds. The mitigation prioritizes these two events so the device locks as soon as possible, and has system_server update its local cache first.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Joshua Nearchos

CVE-2022-20125

  • Adds a finalizeWorkProfileProvisioning API; the exact vulnerable point still needs analysis.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: ISMAEL AMZDAK

CVE-2022-20138

  • As of this writing, the patch for this vulnerability has not been uploaded to AOSP
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Yu-Cheng Lin (林禹成) (@AndroBugs)

CVE-2021-39624

  • Null pointer exception in PackageInstallerService: freeStageDirs looked up a child session's parent without checking whether that parent still exists (an orphaned session). The fix logs and skips such sessions:
  // Their staging dirs will be removed too
  PackageInstallerSession root = !session.hasParentSessionId()
          ? session : mSessions.get(session.getParentSessionId());
- if (!root.isDestroyed() && + if (root == null) {+     Slog.e(TAG, "freeStageDirs: found an orphaned session: "+             + session.sessionId + " parent=" + session.getParentSessionId());+ } else if (!root.isDestroyed() && 
          (!root.isStaged() || (root.isStaged() && root.isStagedSessionReady()))) 
  {
      root.abandon();
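Review bot: in the new `root == null` branch the orphaned child session is only logged and then skipped, so its own staging directory is never freed here even though the comment above ("Their staging dirs will be removed too") promises cleanup; either abandon the orphaned session in that branch as well, or change the comment to say that orphans are left for a later cleanup pass.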
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Hongli Han (@hexb1n) and Mingjian Zhou (周明建) (@Mingjian_Zhou) of C0RE Team

Media Framework

CVE-2022-20130

  • transportDec_OutOfBandConfig in libMpegTPDec now rejects an invalid OutOfBandConfig and skips the memory reallocation
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: none listed

System

CVE-2022-20127

  • Double free in the NFC ce_t4t module; the fix returns immediately after the buffer is freed:
 } else {
       GKI_freebuf(p_c_apdu);
       ce_t4t_send_status(T4T_RSP_NOT_FOUND);
+      return;
     }
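Review bot: the added `return` stops the double free by skipping whatever frees p_c_apdu after this else branch, but the pointer is left dangling; also set `p_c_apdu = nullptr` right after `GKI_freebuf(p_c_apdu);` so that a later edit which moves or drops the return cannot reintroduce the double free, and add a one-line comment noting that the buffer has already been released at that point.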
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: none listed

CVE-2022-20140

  • GATT
  • Updated AOSP versions: 12, 12L

CVE-2022-20145

  • As of this writing, the patch for this vulnerability has not been uploaded to AOSP
  • Updated AOSP versions: 11
  • Credit: Sze Yiu Chau, Hugo Hue, and Ka Lok Wu of The Chinese University of Hong Kong (CUHK)

CVE-2022-20124

  • Prohibits non-admin users from uninstalling updates to system apps (a downgrade); the main goal is to stop a guest user from removing system app updates. The check in the package deletion path:
if (isSystemApp(uninstalledPs)) {
    // Only an admin user may roll a system app back to its factory version.
    UserInfo userInfo = mUserManager.getUserInfo(userId);
    if (userInfo == null || !userInfo.isAdmin()) {
        Slog.w(TAG, "Not removing package " + packageName
                + " as only admin user may downgrade system apps");
        // 0x534e4554 ("SNET") is the EventLog tag used for security-relevant events.
        EventLog.writeEvent(0x534e4554, "170646036", -1, packageName);
        return PackageManager.DELETE_FAILED_USER_RESTRICTED;
    }
}
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Pratheesh P Narayanan

CVE-2022-20126

  • Calling BluetoothAdapter.setScanMode now requires the BLUETOOTH_PRIVILEGED permission.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Aman Pandey of bugsmirror

CVE-2022-20133

  • Calling BluetoothAdapter.setDiscoverableTimeout now requires the BLUETOOTH_PRIVILEGED permission.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Aman Pandey of bugsmirror

CVE-2022-20134

  • The com.android.contacts.dialog.CallSubjectDialog activity is no longer exported
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: none listed

CVE-2022-20135

  • Parcel serialization/deserialization mismatch in GateKeeperResponse: the writer and reader disagree when mPayload has length 0. Exploitable with the Bundle mismatch technique.
- if (mPayload != null) {+ if (mPayload != null && mPayload.length > 0) {
      dest.writeInt(mPayload.length);
      dest.writeByteArray(mPayload);
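Review bot: only the writer side is in this hunk. With the new `mPayload.length > 0` guard an empty payload no longer goes through `writeInt(length)` plus `writeByteArray` (which emits a length of its own) and instead takes the else path that is not shown here, so the reader must consume exactly what that else path writes and must apply the same positive-length condition before calling readByteArray; please show or cross-check the createFromParcel side, otherwise the length-0 mismatch described above only moves from one side to the other.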
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Sergey Toshin (@bagipro) of Oversecured Inc.

CVE-2022-20137

  • Prohibits non-admin users from sharing and forgetting Wi-Fi networks.
  • Updated AOSP versions: 12, 12L
  • Credit: Lucian of OPPO Amber Security Lab

CVE-2022-20142

  • Parcel serialization/deserialization mismatch in GeofenceHardwareRequestParcelable: on an unexpected geofence type the reader returned null after it had already consumed the type field. Exploitable with the Bundle mismatch technique.
  public GeofenceHardwareRequestParcelable createFromParcel(Parcel parcel) {
      int geofenceType = parcel.readInt();
-     if(geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {-         Log.e(-                 "GeofenceHardwareRequest",-                 String.format("Invalid Geofence type: %d", geofenceType));-         return null;+     if (geofenceType != GeofenceHardwareRequest.GEOFENCE_TYPE_CIRCLE) {+         throw new BadParcelableException("Invalid Geofence type: " + geofenceType);
      }
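Review bot: replacing `return null` with `throw new BadParcelableException(...)` is the right shape, because returning null after `parcel.readInt()` had already consumed the type field left the Parcel position out of step with what the writer produced, and the remaining fields were then read by whoever came next; confirm that callers of createFromParcel (not in this hunk) did not rely on a null result to mean "skip this entry", and since the Log.e line is dropped, keep the offending type value in the exception message as done here so it is still visible where the exception is caught.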
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Sergey Toshin (@bagipro) of Oversecured Inc.
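CVE-2022-20135 and CVE-2022-20142 are the same bug class, a writer and a reader that disagree on how many bytes a record occupies, so the following added example (not code from the page or from AOSP) measures that desynchronization directly for both. It uses a small Python stand-in for android.os.Parcel, constructed here to copy the framing Android uses (4-byte little-endian ints; byte arrays as a 4-byte length followed by the data padded to a 4-byte boundary). The two writer conditions are the ones in the GateKeeperResponse hunk above; the reader that only consumes the array when the length is positive is an assumption, since the page does not show createFromParcel. The geofence readers follow the pre- and post-fix behaviour in the GeofenceHardwareRequestParcelable hunk, with an assumed GEOFENCE_TYPE_CIRCLE value; NEXT_FIELD and the geofence coordinates are constructed test data.

```python
import struct


class Parcel:
    """Minimal stand-in for android.os.Parcel, constructed for this example.

    Ints are 4-byte little-endian. Byte arrays are written as a 4-byte length
    followed by the data padded to a 4-byte boundary (a null array is length -1),
    mirroring Android's writeByteArray/readByteArray framing.
    """

    def __init__(self):
        self.buf = bytearray()
        self.pos = 0  # read cursor, like Parcel.dataPosition()

    def write_int(self, v):
        self.buf += struct.pack("<i", v)

    def write_double(self, v):
        self.buf += struct.pack("<d", v)

    def write_byte_array(self, b):
        if b is None:
            self.write_int(-1)
            return
        self.write_int(len(b))
        self.buf += bytes(b) + b"\0" * (-len(b) % 4)

    def read_int(self):
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v

    def read_double(self):
        (v,) = struct.unpack_from("<d", self.buf, self.pos)
        self.pos += 8
        return v

    def read_byte_array(self):
        n = self.read_int()
        if n < 0:
            return None
        data = bytes(self.buf[self.pos:self.pos + n])
        self.pos += n + (-n % 4)
        return data

    def unread(self):
        """Bytes the writer emitted that the reader has not consumed."""
        return len(self.buf) - self.pos


# ---- CVE-2022-20135 shape: GateKeeperResponse payload ----

def write_payload_vulnerable(p, payload):
    # Pre-fix condition from the hunk: any non-null payload gets a length int
    # AND writeByteArray, which emits a second length int of its own.
    if payload is not None:
        p.write_int(len(payload))
        p.write_byte_array(payload)
    else:
        p.write_int(0)  # assumed else branch; the page shows only the if


def write_payload_fixed(p, payload):
    # Post-fix condition from the hunk: an empty array now takes the else path.
    if payload is not None and len(payload) > 0:
        p.write_int(len(payload))
        p.write_byte_array(payload)
    else:
        p.write_int(0)


def read_payload(p):
    # Assumed reader (createFromParcel is not on the page): one length int,
    # then the byte array only when the length is positive.
    size = p.read_int()
    return p.read_byte_array() if size > 0 else None


# ---- CVE-2022-20142 shape: GeofenceHardwareRequestParcelable type check ----

GEOFENCE_TYPE_CIRCLE = 0  # assumed value; only the comparison matters here


def write_geofence(p, geofence_type, lat, lon, radius):
    p.write_int(geofence_type)
    for v in (lat, lon, radius):
        p.write_double(v)


def read_geofence_prefix(p):
    # Pre-fix reader: on an unexpected type it returned null after the type
    # int was already consumed, leaving the 24 bytes of circle data unread.
    if p.read_int() != GEOFENCE_TYPE_CIRCLE:
        return None
    return tuple(p.read_double() for _ in range(3))


def read_geofence_postfix(p):
    # Post-fix reader: abort the whole unparcel instead of desynchronizing.
    t = p.read_int()
    if t != GEOFENCE_TYPE_CIRCLE:
        raise ValueError("Invalid Geofence type: %d" % t)  # stands in for BadParcelableException
    return tuple(p.read_double() for _ in range(3))


# ---- measuring the mismatch ----

def skew(writer, reader):
    """Serialize with writer, deserialize with reader, return the unread byte
    count. Anything but 0 means every later field is read from the wrong offset."""
    p = Parcel()
    writer(p)
    reader(p)
    return p.unread()


NEXT_FIELD = 0x41414141  # constructed stand-in for whatever follows in the Bundle


def next_field_seen_by_reader(writer, payload):
    """What the reader gets for the field that follows the response."""
    p = Parcel()
    writer(p, payload)
    p.write_int(NEXT_FIELD)
    read_payload(p)
    return p.read_int()


def postfix_rejects(geofence_type):
    """True when the post-fix geofence reader refuses the record outright."""
    try:
        skew(lambda p: write_geofence(p, geofence_type, 1.0, 2.0, 3.0), read_geofence_postfix)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, w in (("vulnerable", write_payload_vulnerable), ("fixed", write_payload_fixed)):
        print(name, "writer, empty payload: skew =",
              skew(lambda p, w=w: w(p, b""), read_payload),
              "next field read as", hex(next_field_seen_by_reader(w, b"")))
    print("geofence, bad type, pre-fix reader: skew =",
          skew(lambda p: write_geofence(p, 7, 1.0, 2.0, 3.0), read_geofence_prefix))
    print("geofence, bad type, post-fix reader rejects:", postfix_rejects(7))
```

With an empty payload the vulnerable writer leaves 4 unread bytes (the second length int that writeByteArray emits for a zero-length array), so the next field in the same Parcel is read as 0 instead of its real value; that shift of every subsequent field is what the Bundle mismatch technique builds on, by arranging for a privileged reader to parse attacker-chosen bytes under a different key than the one the writer intended. The geofence case shows the other shape of the same bug, an early null return that has already consumed part of the record, which is why the fix throws instead of returning.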

CVE-2022-20144

  • Unauthorized file read in EditUserPhotoController; the fix restricts the photo-editing flow to invoking system apps only. This looks like a variant found by variant analysis of CVE-2021-0952.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: none listed

CVE-2022-20147

  • Out-of-bounds read in nfa_dm_check_set_config in the NFC module
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab

CVE-2022-20123

  • Out-of-bounds read in phNciNfc_RecvMfResp in the NFC module
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab

CVE-2022-20131

  • Out-of-bounds read in nfc_ncif_proc_ee_discover_req in the NFC module
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: Zinuo Han (weibo.com/ele7enxxh) of OPPO Amber Security Lab

CVE-2022-20129

  • TelecomManager now limits each app to at most 10 registered phone accounts; the check is added in registerPhoneAccount and the API documentation is updated accordingly.
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: none listed

CVE-2022-20143

  • Adds an OEM-configurable limit on Zen rules in Zen mode
  • Updated AOSP versions: 10, 11, 12, 12L
  • Credit: none listed

2022-06-05 security patch level vulnerability details