In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06171729; Issue ID: ALPS06171729.

CVE-2022-20066: May 2022

In vow, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation. Patch ID: ALPS05852819; Issue ID: ALPS05852819.

**April 2022 Product Security Bulletin**

Published 2022-04-06

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform and OTT chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-20081, CVE-2021-25477

Medium

CVE-2022-20062, CVE-2022-20063, CVE-2022-20064, CVE-2022-20065, CVE-2022-20066, CVE-2022-20067, CVE-2022-20052, CVE-2022-20068, CVE-2022-20069, CVE-2022-20070, CVE-2022-20071, CVE-2022-20072, CVE-2022-20073, CVE-2022-20074, CVE-2022-20075, CVE-2022-20076, CVE-2022-20077, CVE-2022-20078, CVE-2022-20079, CVE-2022-20080

****Details****

CVE

**CVE-2022-20081**

Title

Insecure default initialization of resource in A-GPS

Severity

High

Vulnerability Type

ID

CWE

CWE-1188 Insecure Default Initialization of Resource

Description

In A-GPS, there is a possible man in the middle attack due to improper certificate validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8666, MT8667, MT8675

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2021-25477**

Title

Double free in Modem LTE RRC

Severity

High

Vulnerability Type

DoS

CWE

CWE-415 Double Free

Description

In Modem LTE RRC, there is a possible memory corruption due to a double free. This could lead to remote denial of service when decoding an incorrect ASN.1 data with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6735, MT6737, MT6739, MT6750S, MT6757, MT6757P, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6833, MT6853, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Modem LR9, LR11, LR12, LR12A, LR13, NR15

CVE

**CVE-2022-20062**

Title

Use after free in mdp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-416 Use After Free

Description

In mdp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6765, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6879, MT6885, MT6891, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20063**

Title

Out-of-bounds write in atf (spm)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In atf (spm), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6765, MT8385, MT8666, MT8667, MT8766, MT8786, MT8788

Affected Software Versions

Android 9.0, 10.0

CVE

**CVE-2022-20064**

Title

Out-of-bounds read in ccci

Severity

Medium

Vulnerability Type

ID

CWE

CWE-125 Out-of-bounds Read

Description

In ccci, there is a possible leak of kernel pointer due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6737, MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6789, MT6833, MT6853, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT6985, MT8321, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20065**

Title

Out-of-bounds read in ccci

Severity

Medium

Vulnerability Type

ID

CWE

CWE-125 Out-of-bounds Read

Description

In ccci, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6737, MT6739, MT6761, MT6762, MT6765, MT6768, MT6769, MT6779, MT6781, MT6785, MT6833, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6983, MT8321, MT8667, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20066**

Title

Improper handling of exceptional conditions in atf (hwfde)

Severity

Medium

Vulnerability Type

ID

CWE

CWE-755 Improper Handling of Exceptional Conditions

Description

In atf (hwfde), there is a possible leak of sensitive information due to incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT8168, MT8365, MT8696

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20067**

Title

Improper input validation in mdp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mdp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6731, MT6735, MT6739, MT6750, MT6755, MT6755S, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6885, MT6891, MT6893, MT8167, MT8167S, MT8168, MT8173, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

CVE

**CVE-2022-20052**

Title

Use after free in mdp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-416 Use After Free

Description

In mdp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6750, MT6753, MT6755, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6890, MT6891, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20068**

Title

Unix symbolic link (symlink) following in mobile\_log\_d

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-61 UNIX Symbolic Link (Symlink) Following

Description

In mobile\_log\_d, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6795, MT6799, MT6833, MT6853T, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6985, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8735A, MT8735B, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20069**

Title

Integer overflow or wraparound in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In preloader (usb), there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6885, MT6893, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8695, MT8696, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20070**

Title

Improper input validation in ssmr

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In ssmr, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6731, MT6732, MT6735, MT6737, MT6739, MT6750, MT6750S, MT6752, MT6753, MT6755, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6758, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT6985

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20071**

Title

Improperly implemented security check for standard in ccu

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-358 Improperly Implemented Security Check for Standard

Description

In ccu, there is a possible escalation of privilege due to a missing certificate validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6885, MT6893, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20072**

Title

Incorrect comparison in search engine service

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-697 Incorrect Comparison

Description

In search engine service, there is a possible way to change the default search engine due to an incorrect comparison. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6755, MT6755S, MT6761, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6795, MT6797, MT6799, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT6985, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20073**

Title

Integer underflow (wrap or wraparound) in preloader (usb)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-191 Integer Underflow (Wrap or Wraparound)

Description

In preloader (usb), there is a possible out of bounds write due to a integer underflow. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT2601, MT6580, MT6735, MT6739, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6799, MT6833, MT6873, MT6877, MT6885, MT6893, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8183, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8666, MT8667, MT8675, MT8695, MT8696, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20074**

Title

Out-of-bounds read in preloader (partition)

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-125 Out-of-bounds Read

Description

In preloader (partition), there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, for an attacker who has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Chipsets

MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6779, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8667, MT8675, MT8695, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20075**

Title

Integer overflow or wraparound in ged

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-190 Integer Overflow or Wraparound

Description

In ged, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6750S, MT6753, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8127, MT8135, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8176, MT8183, MT8312C, MT8312D, MT8321, MT8362A, MT8365, MT8382, MT8385, MT8389, MT8392, MT8392\_90, MT8665, MT8685, MT8693, MT8735, MT8735B, MT8735M, MT8752, MT8765, MT8783, MT8785, MT8788

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20076**

Title

Improper handling of exceptional conditions in ged

Severity

Medium

Vulnerability Type

ID

CWE

CWE-755 Improper Handling of Exceptional Conditions

Description

In ged, there is a possible memory corruption due to an incorrect error handling. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6731, MT6735, MT6750S, MT6753, MT6755S, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8127, MT8135, MT8163, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8176, MT8183, MT8312C, MT8312D, MT8321, MT8362A, MT8365, MT8382, MT8385, MT8389, MT8392, MT8392\_90, MT8665, MT8685, MT8693, MT8735, MT8735B, MT8735M, MT8752, MT8765, MT8783, MT8785, MT8788

Affected Software Versions

Android 10.0, 11.0, 12.0

CVE

**CVE-2022-20077**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In vow, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8185, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2022-20078**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in vow

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In vow, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-20079**

Title

Improper input validation in vow

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In vow, there is a possible read of uninitialized data due to a improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6781, MT6785, MT6833, MT6853, MT6853T, MT6873, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8185, MT8789, MT8791, MT8797

Affected Software Versions

Android 10.0, 11.0

CVE

**CVE-2022-20080**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in SUB2AF

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In SUB2AF, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is no needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6737, MT6739, MT6753, MT6757, MT6761, MT6763, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6883, MT6885, MT6889, MT6893, MT8168, MT8321, MT8365, MT8666, MT8765, MT8766, MT8768, MT8786, MT8788, MT8791, MT8797

Affected Software Versions

Android 9.0, 10.0, 11.0, 12.0

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

April 6, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-20078: April 2022

ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.

![Open-source secure file sync, share and content collaboration with ownCloud](https://owncloud.com/wp-content/uploads/2020/06/oc-logo-1c-1.svg "Open-source secure file sync, share and content collaboration with ownCloud")

*   Product
*   Community
*   Partners
*   News
    **news***   Insights & Updates
        *   ownCloud News
    *   Forum
        *   ownCloud Central
    *   Events
        *   Upcoming Events
    *   Social Media
        *   Facebook
        *   Twitter
        *   LinkedIn
    
    **Latest Posts**
    
    ![](https://owncloud.com/wp-content/uploads/2022/03/john-schnobrich-FlPc9_VocJ4-unsplash.jpg)
    
    For the past years we have been working on a new project called "Infinite Scale". For this …
    
    Read more
    
    ![](https://owncloud.com/wp-content/uploads/2020/08/ownCloud-Trademark.png)
    
    Manuela Urban (COO, Sovereign Cloud Stack) explains how Sovereign Cloud Stack, federated cloud technology built with Open …
    
    Read more
    
*   Pricing

*   Risk: low
*   CVSS v3 Base Score: 2.8
*   CVSS v3 Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
*   CWE ID: CWE-284
*   CWE Name: CWE-284: Improper Access Control
*   CVE: CVE-2022-25339

**Description**

An attacker wich local access to a device with the ownCloud Android app could access internal files of the app.

**Affected**

*   ownCloud Android app < 2.20

**Action taken**

Fix the access control

CVE-2022-25339: Access to internal files through ownCloud Android App - ownCloud

ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.

![Open-source secure file sync, share and content collaboration with ownCloud](https://owncloud.com/wp-content/uploads/2020/06/oc-logo-1c-1.svg "Open-source secure file sync, share and content collaboration with ownCloud")

*   Product
*   Community
*   Partners
*   News
    **news***   Insights & Updates
        *   ownCloud News
    *   Forum
        *   ownCloud Central
    *   Events
        *   Upcoming Events
    *   Social Media
        *   Facebook
        *   Twitter
        *   LinkedIn
    
    **Latest Posts**
    
    ![](https://owncloud.com/wp-content/uploads/2022/03/john-schnobrich-FlPc9_VocJ4-unsplash.jpg)
    
    For the past years we have been working on a new project called "Infinite Scale". For this …
    
    Read more
    
    ![](https://owncloud.com/wp-content/uploads/2020/08/ownCloud-Trademark.png)
    
    Manuela Urban (COO, Sovereign Cloud Stack) explains how Sovereign Cloud Stack, federated cloud technology built with Open …
    
    Read more
    
*   Pricing

*   Risk: low
*   CVSS v3 Base Score: 5.3
*   CVSS v3 Vector: AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
*   CWE ID: CWE-284
*   CWE Name: CWE-284: Improper Access Control
*   CVE: CVE-2022-25338

**Description**

An attacker with physical access to the device could bypass the app lock of the ownCloud Android App.

**Affected**

*   ownCloud Android app < 2.20

**Action taken**

Properly implement the lock screen

CVE-2022-25338: ownCloud Android App lock bypass - ownCloud

Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 98.0.4758.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2022-0455: 1270593 - chromium - An open-source project to help move the web forward.

CVE-2022-28378: cms/CHANGELOG.md at develop · craftcms/cms

An Out of Bounds read may potentially occur while processing an IBSS beacon, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music

CVE-2021-35117: March 2022 Security Bulletin | Qualcomm

In miniadb, there is a possible way to get read/write access to recovery system properties due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-201308542

_Published February 22, 2022_

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 12L. Android 12L devices with a security patch level of 2022-03-01 or later are protected against these issues (Android 12L, as released on AOSP, will have a default security patch level of 2022-03-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 12L release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Announcements**

*   The issues described in this document are addressed as part of Android 12L. This information is provided for reference and transparency.
*   We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**Android 12L vulnerability details**

The sections below provide details for security vulnerabilities fixed as part of Android 12L. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

**Framework**

   

CVE

References

Type

Severity

CVE-2021-39749

A-205996115

EoP

High

CVE-2021-39743

A-201534884

EoP

Moderate

CVE-2021-39746

A-194696395

EoP

Moderate

CVE-2021-39750

A-206474016

EoP

Moderate

CVE-2021-39752

A-202756848

EoP

Moderate

CVE-2021-39758

A-205130886

EoP

Moderate

CVE-2022-20002

A-198657657

EoP

Moderate

CVE-2021-39744

A-192369136

ID

Moderate

CVE-2021-39745

A-206127671

ID

Moderate

CVE-2021-39747

A-208268457

ID

Moderate

CVE-2021-39748

A-203777141

ID

Moderate

CVE-2021-39751

A-172838801

ID

Moderate

CVE-2021-39753

A-200035185

ID

Moderate

CVE-2021-39755

A-204995407

ID

Moderate

CVE-2021-39756

A-184354287

ID

Moderate

CVE-2021-39757

A-176094662

ID

Moderate

CVE-2021-39754

A-207133709

ID

Moderate

**Media Framework**

   

CVE

References

Type

Severity

CVE-2021-39759

A-180200830

EoP

Moderate

CVE-2021-39760

A-194110526

ID

Moderate

CVE-2021-39761

A-179783181

ID

Moderate

CVE-2021-39762

A-210625816

ID

Moderate

**Platform**

   

CVE

References

Type

Severity

CVE-2021-39741

A-173567719

EoP

Moderate

CVE-2021-39763

A-199176115

EoP

Moderate

CVE-2021-39764

A-170642995

EoP

Moderate

CVE-2021-39767

A-201308542

EoP

Moderate

CVE-2021-39768

A-202017876

EoP

Moderate

CVE-2021-39771

A-198661951

EoP

Moderate

CVE-2021-25393

A-180518134

ID

Moderate

CVE-2021-39739

A-184525194

ID

Moderate

CVE-2021-39740

A-209965112

ID

Moderate

CVE-2021-39742

A-186405602

ID

Moderate

CVE-2021-39765

A-201535427

ID

Moderate

CVE-2021-39766

A-198296421

ID

Moderate

CVE-2021-39769

A-193663287

ID

Moderate

CVE-2021-39770

A-193033501

ID

Moderate

**System**

   

CVE

References

Type

Severity

CVE-2021-39776

A-192614125

EoP

High

CVE-2021-39787

A-202506934

EoP

High

CVE-2021-39772

A-181962322

EoP

Moderate

CVE-2021-39780

A-204992293

EoP

Moderate

CVE-2021-39781

A-195311502

EoP

Moderate

CVE-2021-39782

A-202760015

EoP

Moderate

CVE-2021-39783

A-197960597

EoP

Moderate

CVE-2021-39784

A-200163477

EoP

Moderate

CVE-2021-39786

A-192551247

EoP

Moderate

CVE-2021-39789

A-203880906

EoP

Moderate

CVE-2021-39790

A-186405146

EoP

Moderate

CVE-2021-39773

A-191276656

ID

Moderate

CVE-2021-39775

A-206465854

ID

Moderate

CVE-2021-39777

A-194743207

ID

Moderate

CVE-2021-39778

A-196406138

ID

Moderate

CVE-2021-39779

A-190400974

ID

Moderate

CVE-2021-39788

A-191768014

ID

Moderate

CVE-2021-39791

A-194112606

ID

Moderate

CVE-2021-39774

A-205989472

DoS

Moderate

**Additional Vulnerability details**

The section below provides details for security vulnerabilities that are being provided for disclosure purposes. **These issues are not required for SPL compliance.**

**Android TV**

   

CVE

References

Type

Severity

CVE-2021-1000

A-185190688

EoP

Moderate

CVE-2021-1033

A-185247656

EoP

Moderate

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

Android 12L, as released on AOSP, has a default security patch level of 2022-03-01. Android devices running Android 12L and with a security patch level of 2022-03-01 or later address all issues contained in these security release notes.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**Versions**

  

Version

Date

Notes

1.0

February 22, 2022

Security Release Notes Published

CVE-2021-39767: Android 12L Security Release Notes  |  Android Open Source Project

In incfs, there is a possible way of mounting on arbitrary paths due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-198657657

CVE-2022-20002: Android 12L Security Release Notes  |  Android Open Source Project

Yubico ykneo-openpgp before 1.0.10 has a typo in which an invalid PIN can be used. When first powered up, a signature will be issued even though the PIN has not been validated.

*   Github

Tracking IDs: YSA-2015-1 and CVE-2015-3298.

**Summary**

The source code contains a logical flaw related to user PIN (aka PW1) verification that allows an attacker with local host privileges and/or physical proximity (NFC) to perform security operations without knowledge of the user’s PIN code.

**Mitigation**

The flaw is mitigated by the fact that an attacker would typically require some abilities that would enable the attack even without the logical flaw.

In particular, any attacker with access to the local host must be assumed to be able to learn the user’s PIN code, simply by intercepting communication with the OpenPGP card hardware or through key logging.

Alternatively, if the attacker has physical proximity to the card, it could wait for the device to be used normally over NFC and then learn the PIN code wirelessly and perform the attack at a later point.

If your device is stolen, attackers may use it to perform private-key operations. If an attacker has gone through the trouble of obtaining physical access to a key, the conservative approach is to regard it is possible that the attacker were able to learn the PIN earlier since the PIN is often unprotected. In situations like this, you should treat the key as potentially compromised and revoke the key.

Generally the OpenPGP Card specification does not protect against private key-usage by malware and/or PIN phishing, and any OpenPGP Card implementation is vulnerable to similar attacks.

Note that the private key is not at jeopardy, and malware cannot learn the private key — this is in fact the primary threat that the OpenPGP card specification protects against.

**Analysis**

The following description is courtesy of Joey Castillo.

The bug appears to be a typo in the first line of the computeDigitalSignature, decipher and internalAuthenticate methods. The goal of each is to establish that the PW1 has been validated, AND the proper mode has been set (mode 81 for signing, mode 82 for everything else). According to the spec, if either of these conditions are not satisfied, the security operation should not proceed.

The application mangles this a bit, as you can see in line 628:

if (!pw1.isValidated() && pw1\_modes\[PW1\_MODE\_NO81\])
    ISOException.throwIt(SW\_SECURITY\_STATUS\_NOT\_SATISFIED);
// otherwise execution continues

This truth table shows the outcome of the conditional, and the two cases where the logic fails:

     

Case

PIN valid

Mode 81

!(PIN valid)

Result

Outcome

1

true

true

false

false

No exception

2

false

true

true

true

Exception thrown

3

true

false

false

false

No exception (Incorrect)

4

false

false

true

false

No exception (Incorrect)

I discovered this bug due to case #3: OpenKeychain for Android mistakenly verifies the PIN with mode 82 for signing, which should not allow a signature to be generated. The Yubikey generates a signature anyway.

The dire case is #4: when the card is powered up, the PIN has not been validated, and both modes are set to false. In this state, the card will issue a signature even though the PIN has not been validated. The same bug is present in the decipher command (line 659) and the internalAuthenticate command (line 683), just with the mode set to 82. This means the card will also decrypt session keys and authenticate challenges unconditionally.

**Solution**

This is also courtesy of Joey Castillo.

The fix is to change each of the conditionals to the following:

if (!pw1.isValidated() || !pw1\_modes\[PW1\_MODE\_NO8x\])
    ISOException.throwIt(SW\_SECURITY\_STATUS\_NOT\_SATISFIED);
// otherwise execution continues

This way, if the PIN has not been validated, OR the proper mode has not been set, an exception is thrown. Execution is only allowed to continue if both conditions are true.

This fix has been integrated into ykneo-openpgp and is part of the version 1.0.9 release, but read on for some information about 1.0.10.

**How to check if you are affected**

Versions below 1.0.9 are affected by this problem. Unfortunately, some YubiKey NEOs shipped with a 1.0.9 release that did not contain the fix. To simplify version checking, we have released 1.0.10 and NEOs using that version is known to always include the fix. To be certain that your NEO has the fixed ykneo-openpgp applet installed, look for a version of 1.0.10 or later.

You may check the applet version with the following command.

 gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
 D\[0000\]  01 00 06 90 00                                     .....
 OK

The string "01 00 06" means version 1.0.6, which would be affected by this problem.

**Recommendation**

The logical flaw is real and violates assumption of how the OpenPGP applet works in principle. However its practical consequences are relatively small as a successful attack requires other privileged operations (such as local root access) that are normally not available to an attacker, and would have undermined the security anyway.

Regardless of this assessment, Yubico has decided to replace YubiKey NEO keys for those who are using the OpenPGP applet version 1.0.9 or earlier. This replacement program began on April 26, 2015. **Update: This replacement program ended on April 18, 2019.**

Therefore, we don't see any immediate need for users to upgrade existing deployed products. We will incorporate the improved code in future products sold, and add self-tests to our software project to detect any regression in this area.

For stolen devices, we continue to recommend users to follow best-practices and revoke the key as a conservative measure.

As we take all security related incidents seriously we have prepared a prompt security advisory and released all information about this incident that we know about. We welcome further analysis of the source code, as this will over time increase confidence in the product, and is the reason the source is available.

If you have additional inquiries related to your YubiKey NEO purchase, please contact your sales contact for further discussion.

This defect was present in the code we inherited from the “javacardopenpgp” project, and that project has been notified. There may be other forks, public or not, and we recommend the community to review other code with the same origin.

**History of events**

*   2015-04-11 Reported by Joey Castillo.
    
*   2015-04-11 Version 1 of security advisory circulated for review.
    
*   2015-04-13 Mitre assigned id for vulnerability as CVE-2015-3298.
    
*   2015-04-13 Upstream project “javacardopenpgp” notified.
    
*   2015-04-14 Security advisory published.
    
*   2015-04-20 Some 1.0.9 NEOs were shipped without the fix, text updated to recommend looking for 1.0.10 as a better minimum version.
    
*   2015-04-27 Add an update about Yubico replacement policy.
    
*   2019-04-18 Remove the update about Yubico replacement policy.
    
*   2019-05-02 Clarify previous update, adding date of policy expiration.

Tag

#android