Android security update fixes Mali GPU flaw exploited by spyware


Google has released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, five of them with a critical severity rating and one exploited since at least last December.

The new security patch level 2023-06-05 integrates a patch for CVE-2022-22706, a high-severity flaw in the Mali GPU kernel driver from Arm that Google’s Threat Analysis Group (TAG) believes it may have been used in a spyware campaign targeting Samsung phones.

“There are indications that CVE-2022-22706 may be under limited, targeted exploitation,” reads Google’s latest bulletin. CISA also highlighted the active exploitation of CVE-2022-22706 in an advisory released in late March.

With a score of 7.8 out of 10, the high-severity security issue allows non-privileged users to get write access to read-only memory pages.

According to Arm, the issue impacts the following kernel driver versions:

  • Midgard GPU Kernel Driver: All versions from r26p0 – r31p0
  • Bifrost GPU Kernel Driver: All versions from r0p0 – r35p0
  • Valhall GPU Kernel Driver: All versions from r19p0 – r35p0

Arm fixed the issue in Bifrost and Valhall GPU Kernel Driver r36p0 and in Midgard Kernel Driver r32p0, but the fix trickled into the stable version of Android only now.

It is worth noting that Samsung addressed CVE-2022-22706 in its May 2023 update. The company’s quick response to the active exploitation of the flaw is likely due to its users being explicitly targeted by the spyware campaign.

The critical-severity flaws fixed in this month’s Android update include:

  1. CVE-2023-21127 – Remote code execution flaw in Android Framework, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
  2. CVE-2023-21108 – Remote code execution flaw in Android System, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
  3. CVE-2023-21130 – Remote code execution flaw in Android System, impacting Android 13. Fixed in security patch level “2023-06-01.”
  4. CVE-2022-33257 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”
  5. CVE-2022-40529 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”

Devices running Android 10 or older are no longer supported and will not receive this security update.

Users of outdated devices should be aware of the risk of a potential impact. They should either switch to a newer, actively supported Android model or turn to a third-party Android distribution that still provides security fixes, even if these typically come with a delay.



Source link