NLB mKlik Makedonija version 3.3.12 suffers from a remote SQL injection vulnerability.

    NLB mKlik Makedonija 3.3.12 SQL InjectionVendor: NLB Banka AD SkopjeProduct web page: https://www.nlb.mkGoogle Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.productionAffected version: 3.3.12Summary: NLB mKlik е мобилна апликација наменета за физички лица,корисници на услугите на НЛБ Банка, која овозможува преглед наразличните продукти кои корисниците ги имаат во Банката како иизвршување на различни видови на трансакции на едноставен и предсе безбеден начин во било кој период од денот. NLB mKlik апликацијатаможе да се користи со Android верзија 5.0 или понова.Desc: The mobile application or the affected API suffers from an SQLInjection vulnerability. Input passed to the parameters that areassociated to international transfer is not properly sanitised beforebeing returned to the user or used in SQL queries. This can be exploitedto manipulate SQL queries by injecting arbitrary SQL code and disclosesensitive information.Tested on: Android 13Vulnerability discovered by Neurogenesia                            @zeroscienceAdvisory ID: ZSL-2023-5797Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php23.12.2022--Incident ID: ZSL-122022-NLBTHR------------------------------DB data disclosure PoC (international transfer details/description trigger):++[select alfa1+' девизен прилив' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]-

NLB mKlik Makedonija 3.3.12 SQL Injection

The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.
Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.
Besides requesting invasive permissions to access call logs, camera, SMS messages, and external

Malware / Mobile Security

The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.

Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.

Besides requesting invasive permissions to access call logs, camera, SMS messages, and external storage, SpyNote is known for hiding its presence from the Android home screen and the Recents screen in a bid to make it difficult to avoid detection.

"The SpyNote malware app can be launched via an external trigger," F-Secure researcher Amit Tambe said in an analysis published last week. "Upon receiving the intent, the malware app launches the main activity."

But most importantly, it seeks accessibility permissions, subsequently leveraging it to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots of the phone via the MediaProjection API.

A closer examination of the malware has revealed the presence of what are called diehard services that aim to resist attempts, either made by the victims or by the operating system, at terminating it.

This is accomplished by registering a broadcast receiver that's designed to restart it automatically whenever it is about to be shut down. What's more, users who attempt to uninstall the malicious app by navigating to Settings are prevented from doing so by closing the menu screen via its abuse of the accessibility APIs.

"The SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs, information on installed applications, and so on," Tambe said. "It stays hidden on the victim's device making it challenging to notice. It also makes uninstallation extremely tricky."

"The victim is eventually left only with the option of performing a factory reset, losing all data, thereby, in the process."

The disclosure comes as the Finnish cybersecurity firm detailed a bogus Android app that masquerades as an operating system update to entice targets into granting it accessibility services permissions and exfiltrate SMS and bank data.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls

By Waqas
If you've downloaded a rocket alert app from a third-party source, ensure it's spyware-free and delete it from your device.
This is a post from HackRead.com Read the original post: Hackers Target Israeli Rocket Alert App Users with Spyware

While the identity of the culprits behind this spyware campaign remains uncertain, their tactics closely resemble those used by pro-Palestinian hackers, such as AnonGhost.

On October 9th, 2023, **Hackread.com reported** on the infiltration by pro-Palestinian hackers associated with AnonGhost into the Red Alert app, an Israeli application designed by Kobi Snir exclusively for delivering missile and rocket alerts to the Israeli population. Seizing this opportunity, AnonGhost maliciously disseminated fabricated rocket, missile, and even nuclear bomb alerts to Israelis.

Now, Cloudflare’s Cloudforce One Threat Operations Team has uncovered a similar incident, this time targeting a different rocket alert app. The researchers identified a malicious website (redalertsme) hosting a Google Android Application (APK) impersonating the legitimate RedAlert – Rocket Alerts application originally created by Elad Nava. The motive behind this malicious website was to infect unsuspecting Israeli app users with spyware.

Rocket alert apps have gained immense popularity in Israel, providing crucial alerts to citizens about incoming air strikes, which have sadly become an all too common occurrence. The misuse of these applications, as witnessed in the recent hack, has the potential to create widespread panic and further escalate an already tense situation.

According to a **blog post** by Cloudflare, the malicious domain in question offered both iOS and Android versions of the mobile application. However, while the link for the iOS version directed users to the legitimate App Store page, the Android version was a manipulated variant.

Screenshot of the malicious website (Cloudflare)

The malicious application, while retaining elements of the original code, had been equipped with the capability to collect sensitive user data. This included access to contacts, call logs, text messages, account information, SIM card details, and a list of installed applications on the victim’s device.

To make matters worse, the malicious app operated stealthily in the background, continuously harvesting data from the compromised device. The stolen information was then sent to a remote server.

Although the data was encrypted, the use of RSA encryption with a bundled public key within the app made it theoretically possible for anyone intercepting the data packets to decrypt the information.

The website hosting the spyware-infested version of RedAlert has since been taken down. However, users who may have unwittingly installed this malicious application remain at risk. They are advised to take immediate action to cleanse their devices of the spyware.

To determine whether their devices have been compromised, users are urged to check the permissions that the app has requested. Suspicious permissions include access to call logs, contacts, phone features, and SMS capabilities. These indicators should be taken seriously to ensure the security of their devices and personal information.

While malicious **AI chatbots like WormGPT and FraudGPT** assist malicious actors in generating novel ideas with user-friendly technology, traditional cyber warfare tactics, such as hackvisits, persist. Presently, both pro-Palestinian and Israeli hackvisits **are focusing on** each other’s critical ICS products.

As hackers continuously innovate, it is crucial for users to remain vigilant and informed about safeguarding themselves from the ever-evolving landscape of cyber threats.

****_RELATED ARTICLES_****

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Hamas hacked the smartphones of over 100 IDF soldiers
3.  Hamas posed as women to con IDF into downloading malware
4.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
5.  Hamas hacked phones of IDF soldiers with seductive phones of women

Hackers Target Israeli Rocket Alert App Users with Spyware

Categories: News
A list of topics we covered in the week of October 9 to October 15 of 2023



(Read more...)




The post A week in security (October 9 - October 15) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 9 - October 15)

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

Title: NLB mKlik Makedonija 3.3.12 SQL Injection  
Advisory ID: ZSL-2023-5797  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data  
Risk: (3/5)  
Release Date: 14.10.2023

**Summary**

NLB mKlik е мобилна апликација наменета за физички лица, корисници на услугите на НЛБ Банка, која овозможува преглед на различните продукти кои корисниците ги имаат во Банката како и извршување на различни видови на трансакции на едноставен и пред се безбеден начин во било кој период од денот. NLB mKlik апликацијата може да се користи со Android верзија 5.0 или понова.

**Description**

The mobile application or the affected API suffers from an SQL Injection vulnerability. Input passed to the parameters that are associated to international transfer is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and disclose sensitive information.

**Vendor**

NLB Banka AD Skopje - https://www.nlb.mk

**Affected Version**

3.3.12

**Tested On**

Android 13

**Vendor Status**

\[23.12.2022\] Vulnerability discovered.  
\[23.12.2022\] Vendor contacted.  
\[26.12.2022\] Vendor responds asking more details.  
\[28.12.2022\] Sent details to the vendor, not encrypted. Asked for confirmation and next steps.  
\[28.12.2022\] Vendor thanks us for the cooperation.  
\[06.01.2023\] Asked vendor for update and plan for fix mob/web?  
\[09.01.2023\] Vendor informs that our request has been received and will be reviewed within the responsible department. After the department responds we will be notified.  
\[20.01.2023\] Asked vendor to provide status update and confirmation and to communicate more often.  
\[23.01.2023\] Vendor informs that our request is sent to the responsible department. After the department responds we will be notified.  
\[13.10.2023\] No response from the vendor.  
\[14.10.2023\] Public security advisory released.

**PoC**

nlbmklik\_sqli.txt

**Credits**

Vulnerability discovered by Neurogenesia - <neurogenesia@segfault.mk\>

**References**

\[1\] https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production

**Changelog**

\[14.10.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

**PRESS RELEASE**

**REDWOOD CITY, Calif., October 11, 2023 –** Appdome, the mobile one-stop shop for mobile app defense, today released new threat evaluation tools inside ThreatScope™ Mobile XDR to deliver enhanced monitoring, investigation and threat evaluation for mobile apps and brands globally. Among the new tools is Threat-Inspect™, a powerful new ability to investigate, drill down, share and report on defenses, attacks and threats in the production environment. 

Appdome's ThreatScope™ Mobile XDR gathers thousands of threat signals from mobile app security, hacking, fraud, malware, cheat, and bot attacks from inside deployed mobile apps, and translates that data into brand relevant views that cyber, fraud and business teams can use to evaluate and respond to mobile threats and attacks in real time. The new evaluation tools include: (1) Threat-Inspect, for deep threat inspection, (2) Threat-Views™, for creating savable monitoring perspectives by app, device, OS, attacks and other parameters, and (3) Threat-Snapshots for ease of reporting and collaboration. ThreatScope Mobile XDR is pre-integrated with Appdome’s Cyber Defense Automation platform for Android & iOS apps for instant response to any cyber or fraud attack. 

"Real-time attack data from the native mobile app channel is full of surprises," said Tom Tovar, co-creator and CEO of Appdome. "Our new evaluation tools, including Threat-Inspect, allow even faster and deeper investigation into cyber and fraud data from the mobile channel and empower mobile brands to view this data from a business context."

The new threat evaluation features in ThreatScope Mobile XDR provide mobile businesses and brands: 

**Threat-Inspect™** allows cyber teams to pivot between "All" and “Unique” attacks as well as between attacks and “Impacted Devices,” to see the number of unique devices experiencing each attack. This new capability allows cyber responses to be tailored to the specific threat(s) in the production environment while also easing the remediation burden for mobile users and brands globally. 

A unique feature of Threat-Inspect is that it also can be used in conjunction with Appdome’s recently released Build-to-Test automated testing capability. Build2Test allows Appdome-protected mobile apps to be used inside automated mobile app testing suites, logging all security events for the developer to track and monitor. These logged security events are now visualized inside Threat-Inspect.  

**Threat-Views™** allows security teams to zoom in and monitor specific aspects of the mobile app defense, attack and threat data shown on ThreatScope. Create and save any number of Threat-Views to monitor one or more mobile applications, OS, OS Version, attack vector, mobile app release, Fusion Set (defense model), geographic region or other parameter. Threat-Views enable persistent business level viewing and analysis, which is essential for demonstrating ROI and keeping the overall mobile business safe. 

**ThreatScope Snapshots™**allow cyber teams to export and share real-time mobile app defense and attack snapshots from ThreatScope, Threat-Views or Threat-Inspect data. Use ThreatScope Snapshots to keep cyber, fraud, and business teams informed on progress in stopping security, fraud, malware, and other attacks, demonstrate compliance, or collaborate with other teams internally. 

Powering these features are new levels of metadata now available in ThreatScope. These include enhanced attack, threat and fraud metadata including geo-location, unique identifiers for threats and impacted installations as well as new options such as IP address and more. This metadata allows mobile brands to click to see all the in-production mobile apps and installations impacted by each attack or threat. Simply click on a specific attack or threat and choose the impact view needed by each business line. IP address and unique device data can now also be downloaded for offline analysis. 

"These enhancements to ThreatScope really raise the bar on actionable, interactive risk and threat intelligence for mobile apps," said Eric Newcomer, CTO and Principal Analyst at Intellyx. "You can drill down on device data to see which devices are impacted, and explore different views by geo-location, threat ID, and IP address – all in real time. And you can now capture and export the data for internal distribution."

Appdome's Threat-Scope Mobile XDR is the only XDR solution offering consolidated, real-time, cyber security, fraud, malware, cheat and bot attack and threat intelligence from in-production Android & iOS apps. With ThreatScope Mobile XDR, mobile brands, developers, cyber and fraud teams can immediately respond with updated security models, build-by-build and release-by-release and prioritize protections that have a real impact on the mobile business and users. The entire ThreatScope Mobile XDR capability inside Android & iOS apps without any burden on mobile dev teams, including no code, no SDK and no servers to deploy and, most importantly, no separate agent installed on the mobile device. 

"Once you see the data in ThreatScope Mobile XDR, you can't live without it," said Chris Roeckl, Chief Product Officer at Appdome. "Combining real-time data with instant action is the only way to combat the huge diversity, sophistication and relentlessness hackers, attackers and fraudsters use to compromise mobile apps, brands, and users globally."

For more information about ThreatScope™ Mobile XDR visit: www.appdome.com 

**About Appdome**  

Appdome, the mobile app economy’s one-stop-shop for mobile app defense, is on a mission to protect every mobile app in the world and the people who use mobile apps in their lives and at work. Appdome provides the mobile industry’s only mobile application Cyber Defense Automation platform, powered by a patented artiﬁcial-intelligence based coding engine, Threat-Events™ Threat-Aware UX/UI Control and ThreatScope™ Mobile XDR. Using Appdome, mobile brands eliminate complexity, save money and deliver 300+ Certified Secure™ mobile app security, anti-malware, anti-fraud, MOBILEBot™ Defense, anti-cheat, MiTM attack prevention, code obfuscation and other protections in Android and iOS apps with ease, all inside the mobile DevOps and CI/CD pipeline. Leading ﬁnancial, healthcare, mobile games, government and m-commerce brands use Appdome to protect Android and iOS apps, mobile customers and mobile businesses globally. Appdome holds several patents including U.S. Patents 9,934,017 B2, 10,310,870 B2, 10,606,582 B2, 11,243,748 B2 and 11,294,663 B2. Additional patents pending.

Appdome Announces Attack Evaluation Tools in Digital Economy's Mobile XDR

Cryptocurrency apps were the most high risk for exposing sensitive information, a reverse-engineering study shows.

Encryption, authentication, and signing keys are often exposed in mobile fintech apps used across Africa, according to researchers at Approov, who found passwords, application programming interface (API) keys, and private keys for cryptography when the most commonly used apps were reverse-engineered.

**Risky Mobile Business**

Approov examined the top 10 apps based on revenue and downloads. The fintech apps included those offering loans, mobile banking, P2P money transfer, investment, and cryptocurrency services.

Trevor Henry Chiboora, research associate at CyLab-Africa, which conducted the study along with Approov, says some of the apps surveyed are used exclusively within Africa, and some are geolocked to regions within Africa. He also confirmed all the apps were downloaded from the Google Play Store.

The crypto apps were determined to be the worst when it comes to security, with 33.3% of them rated as high risk and 53.3% as medium risk.

The high-risk category is considered extremely dangerous if exposed, as they disclose private keys, keys for payment or transfer services, and "authentication" or "attestation" keys. Researchers said the exposure of these secrets could potentially lead to unauthorized access, data breaches, and compromised user privacy.

The medium-risk category secrets include sensitive data that, if exposed, could potentially compromise the confidentiality of user data and application functionality. Although not as critical as the high-severity secrets, the compromise of these secrets could still have significant repercussions.

Chiboora says there is neglect across the board when it comes to the levels of security in the apps, but crypto apps have a larger user base and geographical coverage than most other categories.

Research found 22.2% of personal finance apps were rated as high risk and 66.7% as medium risk. Payment and transfer apps were next worst, with 19.1% rated as high risk and 76.6% as medium risk. Of the total of 224 applications examined, only 5.4% revealed no details.

**The Secret Key Is Exposed**

To do the analysis, the researchers collected each app's ID and, using an automated script to download the Android Application Packages, the apps were reverse-engineered and scanned for risky items.

Cryptographic API keys, private keys, and passwords are used to authenticate the application and authorize access to protected resources or services, as well as to ensure the integrity and security of data exchanges between the application and a server.

Typically an API serves a dual purpose: It identifies the app to the backend API, and it validates the legitimacy of the requesting app, thereby establishing a clear link between the requesting entity and the API backend. This mechanism effectively prevents unauthorized or anonymous access attempts and provides a means to regulate the flow of data requests.

The researchers claimed that exposing API keys — especially those related to services like Google, AWS, and other cloud services — can result in unauthorized usage, which may incur unexpected costs or disrupt the functionality of integrated features.

"Keys are vital in the security and privacy of data as they authenticate and authorize access to services," Chiboora says, adding that most of the time these details are hidden from application users. "There are mobile cybersecurity methods that allow app developers to move these keys out of the app and into the cloud, which is a better approach and a recommendation for better security."

The researchers said this secret information is essential for verifying the identity of the application and protecting against unauthorized access, tampering, or data breaches. These secret keys are often present in the compiled source code of these applications and may also be inadvertently published to public repositories like GitHub.

Ted Miracco, CEO of Approov, said that as financial services become more digitized and accessible through mobile platforms across the world, the potential risks associated with the exposure of confidential information have escalated. "Developers can no longer depend on 'official' app stores or on native client OS security and must ensure that end-to-end security is built into the app itself," he said.

Pan-African Financial Apps Leak Encryption, Authentication Keys

Today at BlueHat we announced the new Microsoft AI bug bounty program with awards up to $15,000. This new bounty program features the AI-powered Bing experience as the first in scope product. The following products and integrations are eligible for bounty awards:
AI-powered Bing experiences on bing.com in Browser (All major vendors are supported, including Bing Chat, Bing Chat for Enterprise, and Bing Image Creator) AI-powered Bing integration in Microsoft Edge (Windows), including Bing Chat for Enterprise AI-powered Bing integration in the Microsoft Start Application (iOS and Android) AI-powered Bing integration in the Skype Mobile Application (iOS and Android) Full details can be found on our bounty program website.

Today at BlueHat we announced the new Microsoft AI bug bounty program with awards up to $15,000. This new bounty program features the AI-powered Bing experience as the first in scope product. The following products and integrations are eligible for bounty awards:

*   AI-powered Bing experiences on bing.com in Browser (All major vendors are supported, including Bing Chat, Bing Chat for Enterprise, and Bing Image Creator)  
*   AI-powered Bing integration in Microsoft Edge (Windows), including Bing Chat for Enterprise 
*   AI-powered Bing integration in the Microsoft Start Application (iOS and Android)   
*   AI-powered Bing integration in the Skype Mobile Application (iOS and Android)

Full details can be found on our bounty program website.

As shared in our bounty year in review blog post last month, we are constantly growing, iterating, and evolving our bounty programs to help Microsoft customers stay ahead of the curve in the ever-changing security landscape and emerging technologies. The new Microsoft AI bounty program comes as a result of key investments and learnings over the last few months, including an AI security research challenge and an update to Microsoft’s vulnerability severity classification for AI systems.

Thank you to all of the security researchers who accepted our invitation to join the security research challenge and to all who partner with us to find and fix vulnerabilities to protect Microsoft customers. Partnering with security researchers through our bug bounty programs is an essential part of Microsoft’s holistic strategy to protect customers from security threats. We value our partnership with the global security research community and are excited to expand our scope to include the AI-powered Bing experience.

Found a vulnerability in the AI-powered Bing experience? Share your findings by submitting a report through the MSRC Researcher Portal.

We are excited to learn and experiment with this new bounty program as our vulnerability management process for vulnerabilities in AI systems continues to get better. If you have any questions about this new program or any other security research incentive program, please email us at bounty@microsoft.com.

_Lynn Miyashita, MSRC_

Introducing the Microsoft AI Bug Bounty Program featuring the AI-powered Bing experience

In TBD of TBD, there is a possible way to bypass carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.



_Published October 4, 2023_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2023-10-05 or later address all issues in this bulletin and all issues in the October 2023 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2023-10-05 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the October 2023 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

    

CVE

References

Type

Severity

Subcomponent

CVE-2023-3781

A-289470723\*

EoP

High

kernel

**Pixel**

    

CVE

References

Type

Severity

Subcomponent

CVE-2023-35646

A-276972140 \*

RCE

Critical

Shannon baseband

CVE-2023-35662

A-276971805 \*

RCE

Critical

Shannon baseband

CVE-2023-35649

A-276971478 \*

RCE

High

Exynos Modem

CVE-2023-40141

A-274446016 \*

EoP

High

Kernel

CVE-2023-40142

A-279767668 \*

EoP

High

oobconfig

CVE-2023-35653

A-272281209 \*

ID

High

ImsService

CVE-2023-35645

A-283787360 \*

EoP

Moderate

Edgetpu

CVE-2023-35654

A-272492131 \*

EoP

Moderate

vl53l1 driver

CVE-2023-35655

A-264509020\*

EoP

Moderate

Darwinn

CVE-2023-35660

A-239873016

EoP

Moderate

LWIS

CVE-2023-35647

A-278109661\*

ID

Moderate

Exynos RIL

CVE-2023-35648

A-286373897\*

ID

Moderate

Exynos RIL

CVE-2023-35652

A-278108845\*

ID

Moderate

Exynos RIL

CVE-2023-35656

A-286537026\*

ID

Moderate

Exynos RIL

CVE-2023-35661

A-254938063\*

ID

Moderate

Modem

CVE-2023-35663

A-286718842\*

ID

Moderate

Exynos RIL

**Qualcomm components**

   

CVE

References

Severity

Subcomponent

CVE-2022-33220

A-261492822  
QC-CR#3244590 \*

Moderate

Display

CVE-2023-21654  

A-240605080  
QC-CR#3257860 \*

Moderate

Audio

CVE-2023-21655  

A-253296923  
QC-CR#3321695 \*

Moderate

Display

CVE-2023-21663  

A-253297595  
QC-CR#3322786 \*

Moderate

Display

CVE-2023-21667  

A-271904738  
QC-CR#3306293 \*

Moderate

Bluetooth

CVE-2023-28539  

A-276762572  
QC-CR#3346739 \*

Moderate

WLAN

CVE-2023-28571  

A-245789946  
QC-CR#3357461 \*

Moderate

WLAN

**Qualcomm closed-source components**

   

CVE

References

Severity

Subcomponent

CVE-2022-40524  

A-239699972\*

Moderate

Closed-source component

CVE-2023-21636  

A-242056976\*

Moderate

Closed-source component

CVE-2023-21644  

A-242060499\*

Moderate

Closed-source component

CVE-2023-22384  

A-276762471\*

Moderate

Closed-source component

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2023-10-05 or later address all issues associated with the 2023-10-05 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

October 4, 2023

CVE-2023-40142: Pixel Update Bulletin—October 2023

Clone vulnerability in the huks ta module.Successful exploitation of this vulnerability may affect service confidentiality.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the September 2023 Android security bulletin:

Critical: CVE-2023-35658, CVE-2023-35673

High: CVE-2023-35679, CVE-2023-35687, CVE-2023-35669, CVE-2023-35667, CVE-2023-35677, CVE-2023-35666, CVE-2023-35684, CVE-2023-28584

Medium: none

Low: none

Already included in previous updates: CVE-2023-21284, CVE-2020-29374, CVE-2023-21251, CVE-2023-20942, CVE-2023-21189

※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the CVE of other third-party library patches:

Critical: CVE-2023-4863

This security update includes the following HUAWEI patches:

CVE-2023-41295: Vulnerability of improper permission management in the displayengine module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause the screen to turn dim.

CVE-2023-41304: Parameter verification vulnerability in the window module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause the size of an app window to be adjusted to that of a floating window.

CVE-2023-44093: Vulnerability of package names' public keys not being verified in the security module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44094: Type confusion vulnerability in the distributed file module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2023-44095: Use-After-Free (UAF) vulnerability in the surfaceflinger module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability can cause system crash.

CVE-2023-44096: Vulnerability of brute-force attacks on the device authentication module

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44097: Vulnerability of the permission to access device SNs being improperly managed

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44100: Broadcast permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44102: Broadcast permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability can cause the Bluetooth function to be unavailable.

CVE-2023-44103: Out-of-bounds read vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44104: Broadcast permission control vulnerability in the Bluetooth module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44105: Vulnerability of permissions not being strictly verified in the window management module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-44106: API permission management vulnerability in the Fwk-Display module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-44108: Type confusion vulnerability in the distributed file module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2023-44109: Clone vulnerability in the huks ta module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44110: Out-of-bounds access vulnerability in the audio module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-44111: Vulnerability of brute-force attacks on the device authentication module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44114: Out-of-bounds array vulnerability in the dataipa module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CVE-2023-44116: Vulnerability of access permissions not being strictly verified in the APPWidget module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause some apps to run without being authorized.

CVE-2023-44118: Vulnerability of undefined permissions in the MeeTime module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.

CVE-2023-44119: Vulnerability of mutual exclusion management in the kernel module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will affect availability.

Tag

#android