A Proof-of-Concept (PoC) exploit for a local privilege elevation vulnerability impacting Android devices from at least seven Original Equipment Manufacturers (OEMs) has been made publicly available on GitHub. Identified as CVE-2023-45779, this vulnerability was discovered by Meta’s Red Team X and has been patched in the Android December 2023 security update. The flaw stems from the insecure signing of APEX modules using test keys, which could lead to malicious system updates and full device compromise.
- Vulnerability ID: CVE-2023-45779
- Affected OEMs: ASUS, Microsoft, Nokia, Nothing, VIVO, Lenovo, Fairphone, and potentially others.
Overview:Details of the Vulnerability:
- Nature of Flaw: The vulnerability is due to APEX modules being signed with publicly available test keys from the Android Open Source Project (AOSP), instead of unique private keys by the OEMs. These modules are meant for pushing updates to specific system components without a full system update, and using a public test key means that any entity could potentially push malicious updates, gaining elevated privileges on the device.
- Impact Scope: The vulnerability primarily affects devices from ASUS, Microsoft, Nokia, Nothing, VIVO, Lenovo, and Fairphone, with the possibility of broader impact across other models from these OEMs. Devices with the Android security patch level 2023-12-05 or later are secure against this vulnerability.
- Underlying Issues: The prevalence of this security lapse across multiple OEMs can be attributed to unsafe default settings in AOSP, inadequate documentation, and insufficient coverage by the Compatibility Test Suite (CTS), which failed to detect the use of test keys in APEX signatures.
Mitigation and Prevention:
- Security Patch: Devices updated to Android security patch level 2023-12-05 are not vulnerable to CVE-2023-45779. Users are strongly advised to update their devices to this patch level or later to secure their devices against this flaw.
- Vulnerable and Non-Vulnerable OEMs: While several OEMs are affected by this vulnerability, devices from Google, Samsung, Xiaomi, OPPO, Sony, Motorola, and OnePlus have been confirmed not to be vulnerable, thanks to the use of private keys for APEX module signing.
- Exploit Availability: The public release of the PoC exploit on GitHub is intended primarily for research and mitigation validation. However, users are cautioned that the exploit could potentially be used as part of an exploit chain to elevate privileges on a compromised device.
Conclusion:
The discovery and subsequent public release of the PoC exploit for CVE-2023-45779 highlight significant security oversight in the signing of APEX modules by multiple Android OEMs. While the vulnerability requires local access for exploitation and has been patched in the latest security update, the existence of the exploit in the public domain poses potential risks. Users are urged to ensure their devices are updated to the latest security patch level and to remain vigilant about the security of their devices, particularly if they are from the affected OEMs. The incident underscores the necessity for robust security practices, including the safe configuration of system updates and thorough vetting by compatibility testing suites.
