Google Android August 2021 Security Patch Vulnerabilities: Discover and Take Remote Response Action Using VMDR for Mobile Devices

The recently released Android Security Bulletin for August 2021 addresses 36 vulnerabilities, out of which 5 are rated as critical vulnerabilities. The vulnerabilities affect open-source components such as the Android Framework, Android Media Framework, and Android System. The vulnerabilities also affect Kernel components, Widevine DRM, MediaTek, QUALCOMM components, and QUALCOMM closed-source components.

Media Framework Escalation of Privilege (EoP) and Information Disclosure (ID) Vulnerability

Google released a patch to fix a critical vulnerability (CVE-2021-0519). This vulnerability has a CVSSv3 base score of 8.4 and successful exploitation could enable a local malicious application to bypass operating system protections that isolate application data from other applications. It should be prioritized for patching. The Escalation of Privilege (EoP) affects Android versions 8.1, 9, and Information Disclosure (ID) affects Android versions 10 and 11.

QUALCOMM Component Buffer Overflow Vulnerability

Google released a patch to fix a buffer overflow critical vulnerability (CVE-2021-1972). This vulnerability has a CVSSv3 base score of 9.8, and successful exploitation of the vulnerability allows a remote attacker to execute arbitrary code on the target system, which may result in the complete compromise of the vulnerable system. It should be prioritized for patching. It affects the QUALCOMM component.

QUALCOMM Component Use-After-Free Vulnerability

Google released a patch to fix a user-after-free critical vulnerability (CVE-2021-1976). This vulnerability has a CVSSv3 base score of 9.8, and successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system. The vulnerability exists due to a use-after-free error when handling P2P device address in PD Request frame in WLAN HOST. A remote attacker can send specially crafted traffic to the system, trigger a use-after-free error and execute arbitrary code. It should be prioritized for patching. It affects the QUALCOMM component.

QUALCOMM Closed-source Components Multiple Critical Vulnerabilities

Google released a patch to fix multiple critical Integer underflow vulnerabilities (CVE-2021-1916, CVE-2021-1919, CVE-2021-1920). These vulnerabilities have a CVSSv3 base score of 9.8 and successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system. It should be prioritized for patching. It affects the QUALCOMM closed-source components.

Google fixed 9 high-severity Elevation of Privilege (EoP) vulnerabilities in Framework, Media Framework, and System. They also fixed 4 high-severity Information Disclosure (ID) vulnerabilities in Media Framework, and System.

‘The most severe of these issues is a high-security vulnerability in the Media Framework component that could enable a local malicious application to bypass operating system protections that isolate application data from other applications,’ Google explains. An attacker on successful exploitation can install programs, view, change, or delete data, or create new accounts with full user rights depending upon the privileges associated with the application.

Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices

Discover Assets Missing the Latest Android Security Patch

The first step in managing these critical vulnerabilities and reducing risk is to identify the assets. Qualys VMDR for Mobile Devices makes it easy to identify the assets missing the latest security patch. To get the comprehensive visibility of the mobile devices, you need to install Qualys Cloud Agent for Android or iOS on all mobile devices. The device onboarding process is easy, and the inventory of mobile devices is free.

Query: vulnerabilities.vulnerability.title: ‘August 2021’

Once you get the list of assets missing the latest security patch, navigate to the Vulnerability tab and apply the Group By “Vulnerabilities” to get the list of the CVEs which Google fixes in the August security patch. Qualys VMDR helps you understand what kind of risk you are taking by allowing the unpatched device to hold corporate data and connect to your corporate network.

Also, you can apply the Group By “CVE Ids” to get only the list of CVEs fixed by Google in August security updates.

QID 610357 and QID 610360 are available in signature version SEM VULNSIGS-1.0.0.44, and there is no dependency on any specific Qualys Cloud Agent version.

With the VMDR for Mobile Devices dashboard, you can track the status of the assets on which the latest security patch is missing. The dashboard will be updated with the latest data collected by Qualys Cloud Agent for Android devices.

Remote Response Action

You can perform the “Send Message” action to inform the end-user to update the security patch to the latest patch. Also, you may provide step-by-step details to update the security patch.

As of this writing, the August security patch has not been released by most of the manufacturers. For now, it has been released by Google for Pixel, Samsung, LG, and Huawei. For such manufacturers, the vulnerabilities are marked as “Confirmed” for the rest, it is marked as “Potential”. QIDs specific to individual manufacturers are 610361, 610360, 610359, and 610358 is the QID for the rest of the manufacturers. All are available in signature version SEM VULNSIGS-1.0.0.41.

We recommend updating to the latest security patch for the assets where vulnerabilities are detected as “Confirmed”. For the rest of the manufacturers, you can take appropriate action based on the asset criticality.

Get Started Now

Qualys VMDR for Mobile Devices is available free for 30 days to help customers detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions available on Google Play Store. You can try our solution by registering for the free 30-day service.

This post was first first published on Qualys Security Blog’ website by Swapnil Ahirrao. You can view it by clicking here