CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker.

This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.



**CleverTap Cordova Plugin**

  

**👋 Introduction**

The CleverTap Cordova Plugin for Mobile Customer Engagement and Analytics solutions.

For more information check out our website and documentation.

To get started, sign up here.

**✅ Supported Versions**

*   CleverTap Android SDK version 4.6.6
*   CleverTap iOS SDK version 4.2.2

**🚀 Installation and Quick Start**

To install CleverTap for Cordova, follow the steps mentioned below:

When you create your CleverTap account, you will also get a -Test account. Use the -Test account for development and the main account for production.

**Install the Plugin**

Grab the Account ID and Token values from your CleverTap Dashboard -> Settings.

**For Android _Important_**

Starting with v2.0.0, the plugin uses FCM rather than GCM. To configure FCM, add your google-services.json to the root of your cordova project **before you add the plugin**.  
The plugin uses an after plugin add hook script to configure your project for FCM.  
If the google-services.json file is not present in your project when the script runs, FCM will not be configured properly and will not work.

**Using Cordova**

# ensure npm is installed: npm -g install npm
cordova plugin add https://github.com/CleverTap/clevertap-cordova.git --variable CLEVERTAP\_ACCOUNT\_ID="YOUR CLEVERTAP ACCOUNT ID" --variable CLEVERTAP\_TOKEN="YOUR CELVERTAP ACCOUNT TOKEN"

**Using Ionic**

ionic cordova plugin add clevertap-cordova@latest --variable CLEVERTAP\_ACCOUNT\_ID="YOUR CLEVERTAP ACCOUNT ID" --variable CLEVERTAP\_TOKEN="YOUR CELVERTAP ACCOUNT TOKEN"

**For Ionic 5**

npm install @ionic-native/clevertap --save 

*   Be sure to add CleverTap as a provider in your app module.

  constructor(platform: Platform, statusBar: StatusBar, splashScreen: SplashScreen, clevertap: CleverTap) {
    platform.ready().then(() \=> {
      // Okay, so the platform is ready and our plugins are available.
      // Here you can do any higher level native things you might need.
      statusBar.styleDefault();
      splashScreen.hide();

      ...
      clevertap.setDebugLevel(2);
      clevertap.getCleverTapID()((id) \=> {console.log(id)});
      ...
    });
  }
}

**🛠 Integration**

See our Technical Documentation for Android and Technical Documentation for iOS for instructions on integrating CleverTap into your app.

**📑 Documentation & Example**

*   See our CleverTap Plugin Usage Documentation
    
*   See the included Example Cordova project for usage.
    
*   See the included Ionic Example project for usage.
    

**⁉️ Questions?**

If you have questions or concerns, you can reach out to the CleverTap support team from the CleverTap Dashboard.

**TroubleShooting Guide:** Please refer here if you are facing common integration issues.

CVE-2023-2507: GitHub - CleverTap/clevertap-cordova: CleverTap Cordova Plugin

Microsoft Edge for Android (Chromium-based) Tampering Vulnerability

CVE-2023-36888

By Habiba Rashid
Due to privacy concerns, Meta has not yet released the Threads app in EU countries, creating a loophole for criminals to upload fake versions of the app.
This is a post from HackRead.com Read the original post: Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

**Apple has removed the fake THREADS app from the European App Store, ending its top position as the number 1 iOS app until July 11, 2023, when it was reported.**

In a recent development, Apple has **taken down** a fake version of the popular Threads app from its App Store in Europe. The fake app, developed by SocialKit LTD, had been soaring up the charts of the most downloaded apps. However, thanks to the diligent work of cybersecurity firm and iOS developer **Mysk**, the fraudulent app has been exposed and removed, and the developer’s account has been suspended.

Among the apps created by SocialKit LTD that have been removed are ChatGP, SelfMe: Selfie AI Face Editor, and Remove Background Eraser, among others. The fakeThreads app had gained significant traction, particularly in Germany, the Netherlands, and Switzerland, where it had claimed the number one position in the App Store rankings.

Fake app topping in EU countries (Screenshots via Mysk – Twitter)

The original Threads app, launched by Meta as a competitor to Twitter, has garnered more than 100 million downloads worldwide since its release earlier this month. However, the app has yet to be made available in the European Union due to the bloc’s stringent privacy laws.

This absence has created an opportunity for cybercriminals to capitalize on the demand by producing counterfeit apps and employing over 700 phoney domain names in a single day, according to a **report**.

Mysk, in a tweet, highlighted the concerning statistics regarding the genuine app’s absence in the European market. They stated, “Statistically, exactly 0% of iOS users looking for Threads in the EU have downloaded the right app. If app sideloading was possible, the percentage of EU users downloading the right app would certainly be greater than 0%.”

Cybersecurity analyst Veriti warns users, especially those in Europe, to exercise caution when downloading knock-off versions of Threads, as they often serve as conduits for malware or phishing attacks. It is crucial to obtain the app from trusted sources and exercise due diligence at all times.

While the fraudulent Threads app has been removed from the European App Store, similar bogus apps have also been detected on other platforms. Before the official launch of Instagram’s Threads on July 6, several impersonating apps were circulating on the Google Play Store, prompting Google to eventually remove them.

Nevertheless, ChatGPT’s official app for iPhone has **already been released**, while its Android app could soon be available on the Google Play Store.

**RELATED ARTICLES**

1.  Google Deletes Fake BatteryBot Pro Malware App
2.  Scylla Ad Fraud Attack on iOS Users Halted by Apple
3.  Apple removes Clearview AI iPhone app from App Store
4.  Apple removes anti-virus apps from store for “stealing data”
5.  Google removes ClearURLs Chrome extension from app store

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Fake THREADS App Climbs to Number 1 Spot on Apple Store in Europe

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

Thursday, July 13, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.

At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.

Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.

The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.

I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”

Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.

**The one big thing**

Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.

**Why do I care?**

This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.

**So now what?**

Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.

**Top security headlines of the week**

The **list of companies affected by the massive MOVEit mass hack continues to grow,** and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)

With Meta’s new microblogging platform **Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies.** Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)

Despite major efforts from international governments and the private sector to combat ransomware, **payments to threat actors are set to hit a new record in 2023.** A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)

**Can’t get enough Talos?**

*   Cisco Talos Reports Microsoft Windows Policy Loophole Being Exploited by Threat Actor
*   Hackers target Chinese-speaking Microsoft users with ‘RedDriver’ browser hijacker
*   Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
*   The growth of commercial spyware based intelligence providers without legal or ethical supervision
*   Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

QR codes are relevant again for everyone from diners to threat actors

**According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of availability (A:L)? What does that mean for this vulnerability?**

The performance can be interrupted and/or reduced, but the attacker cannot fully deny service.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

\*\* RESERVED \*\* This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

Assigning CNA

N/A

Date Record Created

**20230627**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230627)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-36888: Microsoft Edge for Android (Chromium-based) Tampering Vulnerability

In notification access permission dialog box, malicious application can embedded a very long service label that overflow the original user prompt and possibly contains mis-leading information to be appeared as a system message for user confirmation.



_Published July 5, 2023_

The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2023-07-05 or later from the July 2023 Android Security Bulletin in addition to all issues in this bulletin.

We encourage all customers to accept these updates to their devices.

The issue in this bulletin is a high security vulnerability in the Packages component that could allow a malicious application to embed a service label that overflow the original user prompt and possibly contain mis-leading information as a system message for user confirmation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

**Announcements**

*   In addition to the security vulnerabilities described in the July 2023 Android Security Bulletin, the July 2023 Android Automotive OS Update Bulletin also contains patches specifically for AAOS vulnerabilities as described below.

**2023-07-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Packages**

The vulnerability in this section could allow a malicious application to embed a service label that overflow the original user prompt and possibly contain mis-leading information as a system message for user confirmation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21260

A-259384309

EoP

High

11, 12, 12L, 13

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

*   Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-07-01\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-07-01 security patch level. Please see this article for more details on how to install security updates.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

July 5, 2023

Bulletin Published

CVE-2023-21260: Android Automotive OS Update Bulletin—July 2023

In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.



_Published July 5, 2023 | Updated July 10, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-07-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-07-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could allow possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20918

A-243794108 \[2\] \[3\]

EoP

High

11, 12, 12L, 13

CVE-2023-20942

A-258021433 \[2\] \[3\]

EoP

High

12, 12L, 13

CVE-2023-21145

A-265293293

EoP

High

11, 12, 12L, 13

CVE-2023-21245

A-222446076

EoP

High

11, 12, 12L, 13

CVE-2023-21251

A-204554636

EoP

High

11, 12, 12L, 13

CVE-2023-21254

A-254736794

EoP

High

13

CVE-2023-21257

A-257443065

EoP

High

13

CVE-2023-21262

A-279905816

EoP

High

12, 12L, 13

CVE-2023-21238

A-277740848

ID

High

11, 12, 12L, 13

CVE-2023-21239

A-274592467

ID

High

12, 12L, 13

CVE-2023-21249

A-217981062

ID

High

13

CVE-2023-21087

A-261723753

DoS

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21250

A-261068592

RCE

Critical

11, 12, 12L, 13

CVE-2023-2136

A-278113033

RCE

High

13

CVE-2023-21241

A-271849189

EoP

High

11, 12, 12L, 13

CVE-2023-21246

A-273729476

EoP

High

11, 12, 12L, 13

CVE-2023-21247

A-277333781

EoP

High

12, 12L, 13

CVE-2023-21248

A-277333746

EoP

High

12, 12L, 13

CVE-2023-21256

A-268193384

EoP

High

13

CVE-2023-21261

A-271680254

ID

High

11, 12, 12L, 13

CVE-2023-20910

A-245299920 \[2\]

DoS

High

11, 12, 12L, 13

CVE-2023-21240

A-275340417

DoS

High

11, 12, 12L, 13

CVE-2023-21243

A-274445194

DoS

High

11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

WiFi

CVE-2023-20910, CVE-2023-21240, CVE-2023-21243

**2023-07-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-07-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-42703

A-253167854  
Upstream kernel

EoP

High

MemoryManagement

CVE-2023-21255

A-275041864  
Upstream kernel

EoP

High

Binder

**Kernel components**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Subcomponent

CVE-2023-25012

A-268589017  
Upstream kernel \[2\] \[3\] \[4\]

EoP

High

HID

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

   

CVE

References

Severity

Subcomponent

CVE-2021-29256

A-283489460\*

High

Mali

CVE-2022-28350

A-226921651\*

High

Mali

CVE-2023-28147

A-274005916 \*

High

Mali

CVE-2023-26083

A-272073598\*

Moderate

Mali

**Imagination Technologies**

This vulnerability affects Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of this issue is provided directly by Imagination Technologies.

   

CVE

References

Severity

Subcomponent

CVE-2021-0948

A-281905774\*

High

PowerVR-GPU

**MediaTek components**

These vulnerabilities affect MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

   

CVE

References

Severity

Subcomponent

CVE-2023-20754

A-280380543  
M-ALPS07563028 \*

High

keyinstall

CVE-2023-20755

A-280374982  
M-ALPS07510064 \*

High

keyinstall

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-21672

A-276751075  
QC-CR#3313322

High

Audio

CVE-2023-22386

A-276750584  
QC-CR#3355665 \[2\]

High

WLAN

CVE-2023-22387

A-276750306  
QC-CR#3356023 \[2\] \[3\] \[4\]

High

Kernel

CVE-2023-24851

A-276751076  
QC-CR#3359589 \[2\] \[3\]

High

WLAN

CVE-2023-24854

A-276750639  
QC-CR#3366343 \[2\]

High

WLAN

CVE-2023-28541

A-276750665  
QC-CR#3144133

High

WLAN

CVE-2023-28542

A-276750246  
QC-CR#3104318

High

WLAN

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Subcomponent

CVE-2023-21629

A-264414032\*

Critical

Closed-source component

CVE-2023-21631

A-264415234\*

High

Closed-source component

CVE-2023-22667

A-276750583\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-07-01 or later address all issues associated with the 2023-07-01 security patch level.
*   Security patch levels of 2023-07-05 or later address all issues associated with the 2023-07-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-07-01\]
*   \[ro.build.version.security\_patch\]:\[2023-07-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-07-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-07-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-07-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

July 5, 2023

Bulletin published

1.1

July 10, 2023

Bulletin revised to include AOSP links

CVE-2023-21256: Android Security Bulletin—July 2023

In ft_open_face_internal of ftobjs.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.



)\]}' { "commit": "d45f0e49ab54065eb72d92aa3cc5f2152b0910b7", "tree": "234ad317e206c974e924b6e8391f37f236de846a", "parents": \[ "3416d942a1d2940c6875f540a404045b5c761d66" \], "author": { "name": "Werner Lemberg", "email": "wl@gnu.org", "time": "Sat Mar 19 06:40:17 2022 +0100" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu May 11 18:39:17 2023 +0000" }, "message": "DO NOT MERGE - Cherry-pick two upstream changes\\n\\nThis cherry picks following two changes:\\n\\n0c2bdb01a2e1d24a3e592377a6d0822856e10df2\\n22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5\\n\\nBug: 271680254\\nTest: N/A\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4ffa271ab538f57b65a65d434a2df9d3f8cd2f4a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8abb5b963d8f3bac3224c09edff6dcbbd11bf508)\\nMerged-In: I42469df8e8b07221d64e3f8574c4f30110dbda7e\\nChange-Id: I42469df8e8b07221d64e3f8574c4f30110dbda7e\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "883f1a8970c65ed9258fbb808a900208b62cc03b", "old\_mode": 33188, "old\_path": "src/base/ftobjs.c", "new\_id": "46baf5fed652302b63a3ad6392698c527dbe9e49", "new\_mode": 33188, "new\_path": "src/base/ftobjs.c" } \] }

CVE-2023-21261

In startInput of AudioPolicyInterfaceImpl.cpp, there is a possible way of erroneously displaying the microphone privacy indicator due to a race condition. This could lead to false user expectations. User interaction is needed for exploitation.



)\]}' { "commit": "2c8973c39478cd3c8cf11d9f27cc0556a106d006", "tree": "63d403875e757bdc50dc63382303d1111ff61a80", "parents": \[ "80e4a9f6dcde1ef5b775816865299718c3373934" \], "author": { "name": "Atneya Nair", "email": "atneya@google.com", "time": "Wed May 10 17:26:30 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Tue May 23 17:23:31 2023 +0000" }, "message": "Force unsilence record clients on startInput\\n\\nWe call startRecording unconditionally in startInput, so we must\\nupdate the client state to be unsilenced (since we are treating as\\nsuch). We subsequently re-update the silence state (with the client\\nmarked as active to dispatch ops) in updateUidStates\_l.\\n\\nThis fixes an issue where we call startRecording for a silenced client,\\nthen call it again when it moves to unsilenced when the client is active.\\nSince startRecording is ref-counted, this leaves the client in the\\nrecording state leading to incorrect appop attributions.\\n\\nBug: 279905816\\nBug: 281485019\\nTest: Manual verification of repro cases + verbose log analysis\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e7720b379bfaba648ab6d85c4c2df6f03ec854d3)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2951ad10a6641f9b3554d674877ad314e8cc011f)\\nMerged-In: I31d50457ca8adae577407a28d4d4c0e8582bac5d\\nChange-Id: I31d50457ca8adae577407a28d4d4c0e8582bac5d\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "49224c5bb0c9897ba558fda22b9db2e1cb0595a1", "old\_mode": 33188, "old\_path": "services/audiopolicy/service/AudioPolicyInterfaceImpl.cpp", "new\_id": "5dd9b8cb2f1e1cecee337c2315ddbe469a983031", "new\_mode": 33188, "new\_path": "services/audiopolicy/service/AudioPolicyInterfaceImpl.cpp" } \] }

Tag

#android