Plus: Discord has a child predator problem, fears rise of China spying from Cuba, and hackers try to blackmail Reddit.

Apple says the patches fix a memory corruption that allowed an app to execute arbitrary code and a WebKit vulnerability that enabled malicious code execution through web content. The attacks have been seen only on devices running versions of iOS released before iOS 15.7, according to the company. Even if you’re an unlikely target for spyware, now’s a good time to update your iPhone.

This week, an alarming investigation by NBC News found that Discord, a social media popular with gamers, has become a popular venue for child sexual exploitation. NBC News identified 35 cases over the past six years in which adults have faced charges of kidnapping, grooming, or sexual assault that were allegedly facilitated by Discord. Nearly half of these cases resulted in guilty pleas or verdicts, while many others are still under investigation.

NBC News’ review of cases is likely a vast undercount, the report says, as these numbers represent only reported cases where charges were brought. Victims generally face significant challenges when it comes to reporting, investigations, and prosecution. Stephen Sauer, the director of the tip line at the Canadian Centre for Child Protection, told NBC News, “What we see is only the tip of the iceberg.”

According to experts interviewed by NBC News, while online child exploitation is not exclusive to Discord, the platform's decentralized moderation system and its young user base have likely made it an appealing environment for those seeking to exploit children.

The investigation comes as a _Washington Post_ report found that thousands of AI-generated child sexual abuse images have been found on forums across the dark web.

According to _The Wall Street Journal_, US officials have been monitoring the activities of employees working for Chinese telecom companies Huawei Technologies and ZTE at suspected spy facilities in Cuba. The news comes amid a push to restrict the use of Huawei and ZTE mobile infrastructure across the West.

Earlier this month, the _Journal_ reported that China has been operating a spy base in Cuba since at least 2019 and that the two countries jointly maintain four additional eavesdropping stations on the island. Officials from the Biden administration caution that these facilities could potentially intercept electronic signals from US military bases.

According to representative Mike Gallagher, the chairman of the US House Select Committee on the Chinese Communist Party, Huawei and ZTE have had regular business presence in Cuba while working to modernize the island’s internet infrastructure. In a letter Gallagher sent to director of national intelligence Avril Haines, which the _Journal_ viewed, Gallagher wrote that any enhancement of China’s intelligence capabilities in Cuba “is likely” to be aided by Chinese telecommunications companies.

In a statement, Huawei described the report as "groundless accusations" and emphasized its commitment to full compliance with applicable laws and regulations in the regions they operate. Similarly, ZTE dismissed the _Journal_'s reporting as "baseless."

The recent Reddit protest over changes to its business that threaten third-party apps was messy enough without hackers getting involved. The ransomware gang BlackCat is threatening to release some 80 GB of data that the company says was stolen earlier this year through a “highly targeted” phishing attack.

Reddit says it doesn’t believe the hackers stole user data like passwords, but BlackCat says the files contain “confidential” information. The group is demanding Reddit pay $4.5 million and cancel its plans to charge app developers exorbitant fees for access to its application programming interface, or API. Otherwise the group says, it will release the data ahead of the company’s planned IPO.

Update Your iPhone Right Now to Fix 2 Apple Zero Days

Vulnerability of spoofing trustlists of Huawei desktop.Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the May 2023 Android security bulletin:

Critical: none

High: CVE-2023-21109, CVE-2023-20914, CVE-2023-21103, CVE-2023-21111, CVE-2023-21118, CVE-2023-21665, CVE-2023-21666, CVE-2022-46891, CVE-2021-0877

Medium: CVE-2023-21116

Low: none

Already included in previous updates: CVE-2023-21085, CVE-2023-20909, CVE-2023-20967, CVE-2023-21080, CVE-2023-21081, CVE-2023-21082, CVE-2023-21083, CVE-2023-21089, CVE-2023-21092, CVE-2023-21094, CVE-2023-21097, CVE-2023-21098, CVE-2023-21099, CVE-2023-20950

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2022-48486: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48487: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48488: Vulnerability of bypassing the default desktop security controls

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause unauthorized modifications to the desktop.

CVE-2022-48489: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48490: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48491: Vulnerability of missing authentication on certain HUAWEI phones

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can lead to ads and other windows to display at any time.

CVE-2022-48492: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48493: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48494: Vulnerability of lax app identity verification in the pre-authorization function

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.

CVE-2022-48495: Vulnerability of unauthorized access to foreground app information

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause foreground app information to be obtained.

CVE-2022-48496: Vulnerability of lax app identity verification in the pre-authorization function

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized.

CVE-2022-48497: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48498: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48499: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48500: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2022-48501: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect availability.

CVE-2023-34155: Vulnerability of unauthorized calling on HUAWEI phones and tablets

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2023-34156: Vulnerability of services denied by early fingerprint APIs on HarmonyOS products

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause services to be denied.

CVE-2023-34158: Vulnerability of public APIs and methods in WindowManageServices being called by malicious third-party apps

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause unauthorized access by third-party apps.

CVE-2023-34159: Improper permission control vulnerability in the Notepad app

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of the vulnerability may lead to privilege escalation, which affects availability and confidentiality.

CVE-2023-34160: Vulnerability of public APIs and methods in WindowManageServices being called by malicious third-party apps

Severity: High

Affected versions: EMUI 13.0.0, EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause unauthorized access by third-party apps.

CVE-2023-34161: Inappropriate authorization vulnerability in the SettingsProvider module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-34162: Version update determination vulnerability in the user profile module

Severity: Medium

Affected versions: EMUI 13.0.0

Impact: Successful exploitation of this vulnerability may cause repeated HMS Core updates and cause services to fail.

CVE-2023-34163: Permission control vulnerability in the window management module

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

CVE-2023-34164: Improper permission verification vulnerability in the SDK on which the MediaPlaybackController module depends

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1

Impact: Successful exploitation of this vulnerability may affect confidentiality.

CVE-2023-34166: Vulnerability of system restart triggered by abnormal callbacks passed to APIs

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability may cause the system to restart.

CVE-2023-34167: Vulnerability of spoofing trustlists of HUAWEI desktop

Severity: Medium

Affected versions: EMUI 13.0.0, EMUI 12.0.1, EMUI 12.0.0, EMUI 11.0.1

Impact: Successful exploitation of this vulnerability can cause third-party apps to hide app icons on the desktop to prevent them from being uninstalled.

CVE-2023-34167: June

A Huawei sound box product has an out-of-bounds write vulnerability. Attackers can exploit this vulnerability to cause buffer overflow. Affected product versions include:FLMG-10 versions FLMG-10 10.0.1.0(H100SP22C00).

A Huawei sound box product has an out-of-bounds write vulnerability. Attackers can exploit this vulnerability to cause buffer overflow. (Vulnerability ID:HWPSIRT-2022-61463)

This vulnerability has been assigned a (CVE) ID: CVE-2022-48330

  

Affected Product(R&D)

Affected Version

Repair Version

FLMG-10

FLMG-10 10.0.1.0(H100SP22C00)

FLMG-10 3.0.0.40(H100SP19C00)

HWPSIRT-2022-61463:  
Successful exploitation could lead to a buffer overflow.

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.  
HWPSIRT-2022-61463  
Base Score: 7.5  
Temporary Score: 7.0  
Environmental Score: NA  
CVSS v3.1 Vector: AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H/E:F/RL:O/RC:C

HWPSIRT-2022-61463:  
This vulnerability can be exploited only when the following conditions are present:  
The attacker and the target device are in the adjacent network domain and can access the target device.  
Technical details:

An out-of-bounds write vulnerability exists in a Huawei sound box product. This vulnerability is caused because the Bluetooth module does not fully verify external packets. An attacker can send packets in a specific format to the device to trigger the vulnerability and cause buffer overflow.An attacker can trigger a vulnerability by sending packets in a specific format to the device to cause buffer overflow.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-61463:  
Vulnerability information is provided by Yan Han, Qu Lewei, and Ke Dongxiang of Baidu AIoT Security Team. Thanks for their attention to Huawei product security.

2023-03-01 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48330: Security Advisory - Out-of-Bounds Write Vulnerability in a Huawei Sound Box Product

A Huawei printer has a system command injection vulnerability. Successful exploitation could lead to remote code execution. Affected product versions include:BiSheng-WNM versions OTA-BiSheng-FW-2.0.0.211-beta,BiSheng-WNM FW 3.0.0.325,BiSheng-WNM FW 2.0.0.211.

**Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product**

*   SA No:huawei-sa-SCIViaHPP-6bcddec5
*   Initial Release Date: 2023-04-26
*   Last Release Date: 2023-04-26

  

A Huawei printer has a system command injection vulnerability. Successful exploitation could lead to remote code execution.(Vulnerability ID:HWPSIRT-2022-90270)

This vulnerability has been assigned a (CVE)ID:CVE-2022-48472

  

Affected Product

Affected Version

Repair Versions

BiSheng-WNM

OTA-BiSheng-FW-2.0.0.211-beta

OTA-BiSheng-FW-3.0.0.327

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

BiSheng-WNM FW 2.0.0.211

BiSheng-WNM FW 3.0.0.327

  

HWPSIRT-2022-90270:

Successful exploitation could lead to remote code execution.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: https://www.first.org/cvss/specification-document.

HWPSIRT-2022-90270

Base Score: 9.8

Temporal Score: 9.1

Environmental Score: NA

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

  

HWPSIRT-2022-90270:

This vulnerability can be exploited only when the following conditions are present:

An attacker can access devices through the network.

Technical details:

A Huawei printer product has a system command injection vulnerability. This vulnerability is caused by improper filtering of special characters in external input. Unauthorized attackers can exploit this vulnerability by constructing malicious external input. Successful exploitation could lead to remote code execution.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-90270:

This vulnerability was discovered by Huawei internal tester.

  

2023-04-26 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48472: huawei-sa-SCIViaHPP-6bcddec5-en

There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers. 

**Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers**

*   SA No:huawei-sa-THViHR-7015cbae
*   Initial Release Date: 2023-05-17
*   Last Release Date: 2023-05-17

  

There is a traffic hijacking vulnerability in Huawei routers. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.(Vulnerability ID:HWPSIRT-2022-82592)

This vulnerability has been assigned a (CVE)ID:CVE-2022-48469

  

Affected Product

Affected Version

Repair Versions

B535-232a

B535-232a 2.0.0.1(H318SP5C983)

B535-232a 2.0.0.1(H318SP6C983)

  

HWPSIRT-2022-82592:

Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-82592

Base Score: 7.6

Temporal Score: 7.1

Environmental Score: NA

CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L/E:F/RL:O/RC:C

  

HWPSIRT-2022-82592:

This vulnerability can be exploited only when the following conditions are present:

An attacker can access the device remotely.

Technical details:

Huawei routers have a traffic hijacking vulnerability due to improper domain name resolution. An attacker who can access the victim device can construct a malicious domain name to exploit this vulnerability. Successful exploitation of this vulnerability can cause packets to be hijacked by attackers.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.

HWPSIRT-2022-82592:

The vulnerability was discovered by an external researcher.

  

2023-05-17 V1.0 Initial Release;

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48469: huawei-sa-THViHR-7015cbae-en

There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal.

There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal. (Vulnerability ID:HWPSIRT-2022-47904)

This vulnerability has been assigned a (CVE) ID: CVE-2022-48471

Affected Product

Affected Version

Repair Versions

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

Successful exploitation of this vulnerability may cause the printer service to be abnormal.  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: https://www.first.org/cvss/specification-document.

HWPSIRT-2022-47904

Base Score: 7.5

Temporal Score: 7.0

Environmental Score: NA

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

  

HWPSIRT-2022-47904:

This vulnerability can be exploited only when the following conditions are present:

An attacker can send a specially crafted packet to the affected device.

Technical details:

The packet parsing module of a port on a Huawei printer has a misinterpretation of input vulnerability. The vulnerability is caused by insufficient verification of external input packets. Attackers can exploit this vulnerability by constructing malicious packets. Successful exploitation could lead to printer device service exceptions, etc.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-47904:

This vulnerability was discovered by Huawei internal tester.

  

2023-04-26 V1.0 Initial Release

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48471: huawei-sa-MoIViHP-73cabdde-en

CVE-2022-48473

Product: AndroidVersions: Android SoCAndroid ID: A-277775870

_Published June 5, 2023 | Updated June 7, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-06-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-06-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-06-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21127

A-275418191

RCE

Critical

11, 12, 12L, 13

CVE-2023-21126

A-271846393 \[2\] \[3\]

EoP

High

13

CVE-2023-21128

A-272042183

EoP

High

11, 12, 12L, 13

CVE-2023-21129

A-274759612 \[2\]

EoP

High

11, 12, 12L, 13

CVE-2023-21131

A-265015796

EoP

High

11, 12, 12L, 13

CVE-2023-21139

A-271845008 \[2\] \[3\]

EoP

High

13

CVE-2023-21105

A-261036568

ID

High

11, 12, 12L, 13

CVE-2023-21136

A-246542285

DoS

High

11, 12, 12L, 13

CVE-2023-21137

A-246541702

DoS

High

11, 12, 12L, 13

CVE-2023-21143

A-268193777

DoS

High

11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21108

A-239414876

RCE

Critical

11, 12, 12L, 13

CVE-2023-21130

A-273502002

RCE

Critical

13

CVE-2023-21115

A-258834033

EoP

High

11, 12, 12L

CVE-2023-21121

A-205460459

EoP

High

11, 12

CVE-2023-21122

A-270050191

EoP

High

11, 12, 12L, 13

CVE-2023-21123

A-270050064

EoP

High

11, 12, 12L, 13

CVE-2023-21124

A-265798353 \[2\] \[3\] \[4\]

EoP

High

11, 12, 12L, 13

CVE-2023-21135

A-260570119 \[2\]

EoP

High

11, 12, 12L, 13

CVE-2023-21138

A-273260090

EoP

High

11, 12, 12L, 13

CVE-2023-21095

A-242704576

ID

High

12L, 13

CVE-2023-21141

A-262244249

ID

High

11, 12, 12L, 13

CVE-2023-21142

A-262243665

ID

High

11, 12, 12L, 13

CVE-2023-21144

A-252766417

DoS

High

11, 12, 12L, 13

**2023-06-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-06-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Arm components**

These vulnerabilities affect Arm components and further details are available directly from Arm. The severity assessment of these issues is provided directly by Arm.

    

CVE

References

Severity

Subcomponent

CVE-2022-22706  

A-225040268 \*

High

Mali

CVE-2022-28349  

A-278616909 \*

High

Mali

CVE-2022-46781  

A-267242697 \*

High

Mali

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

    

CVE

References

Severity

Subcomponent

CVE-2021-0701  

A-277775870 \*

High

PowerVR-GPU

CVE-2021-0945  

A-278156680 \*

High

PowerVR-GPU

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-48390  

A-278796976  
U-2055602 \*

High

Android

CVE-2022-48392  

A-278775990  
U-2193456 \*  
U-2056224 \*

High

Android

CVE-2022-48438  

A-278801630  
U-2179935 \*

High

Kernel/Android

CVE-2022-48391  

A-278775987  
U-2055602 \*

High

Android

**Widevine DRM**

These vulnerabilities affect Widevine DRM components and further details are available directly from Widevine DRM. The severity assessment of these issues is provided directly by Widevine DRM.

    

CVE

References

Severity

Subcomponent

CVE-2023-21101  

A-258189255 \*

High

widevine

CVE-2023-21120  

A-258188673 \*

High

Hardware DRM

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33292  

A-250627197  
QC-CR#3152855

High

Kernel

CVE-2023-21656  

A-271879673  
QC-CR#3346781

High

WLAN

CVE-2023-21657  

A-271880369  
QC-CR#3344305

High

Audio

CVE-2023-21669  

A-271892276  
QC-CR#3346764

High

WLAN

CVE-2023-21670  

A-276750663  
QC-CR#3425942 \[2\] \[3\]

High

Display

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33257  

A-245402340 \*

Critical

Closed-source component

CVE-2022-40529  

A-261470065 \*

Critical

Closed-source component

CVE-2022-22060  

A-261470067 \*

High

Closed-source component

CVE-2022-33251  

A-245403689 \*

High

Closed-source component

CVE-2022-33264  

A-245611823 \*

High

Closed-source component

CVE-2022-40516  

A-261468731 \*

High

Closed-source component

CVE-2022-40517  

A-261470729 \*

High

Closed-source component

CVE-2022-40520  

A-261468681 \*

High

Closed-source component

CVE-2022-40521  

A-261471027 \*

High

Closed-source component

CVE-2022-40523  

A-261468047 \*

High

Closed-source component

CVE-2022-40533  

A-261470447 \*

High

Closed-source component

CVE-2022-40536  

A-261468732 \*

High

Closed-source component

CVE-2022-40538  

A-261468697 \*

High

Closed-source component

CVE-2023-21628  

A-268059669 \*

High

Closed-source component

CVE-2023-21658  

A-271879161 \*

High

Closed-source component

CVE-2023-21659  

A-271879660 \*

High

Closed-source component

CVE-2023-21661  

A-271880271 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-06-01 or later address all issues associated with the 2023-06-01 security patch level.
*   Security patch levels of 2023-06-05 or later address all issues associated with the 2023-06-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-06-01\]
*   \[ro.build.version.security\_patch\]:\[2023-06-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-06-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-06-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-06-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

June 5, 2023

Bulletin Published

1.1

June 7, 2023

Bulletin revised to include AOSP links

CVE-2021-0701: Android Security Bulletin—June 2023

The US government warns encryption chipmaker Hualan has suspicious ties to China’s military. Yet US agencies still use one of its subsidiary’s chips, raising fears of a backdoor.

From TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans—and the US government—increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips **sold by the subsidiary of** a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West.

In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called “Entity List,” a vaguely named trade restrictions list that highlights companies “acting contrary to the foreign policy interests of the United States.” Specifically, the bureau noted that Hualan had been added to the list for “acquiring and ... attempting to acquire US-origin items in support of military modernization for \[China's\] People's Liberation Army.”

Yet nearly two years later, Hualan—and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016—still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too.

The disconnect between the Commerce Department’s warnings and Western government customers means that chips sold by Hualan’s subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor’s Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China’s government to stealthily decrypt Western agencies’ secrets.

“If a company is on the Entity List, it’s because the US government says this company is actively supporting another country’s military development,” says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. “It's saying you should not be purchasing from them, not just because the money you’re spending is going to a company that will use those proceeds in the furtherance of another country’s military objectives, but because you can’t trust the product.”

Technically, the Entity List is an “export control” list, says Emily Weinstein, a researcher at Georgetown University's Center for Security and Emerging Technology. That means US organizations are forbidden from exporting components _to_ companies on the list, rather than importing components _from_ them. But Cary, Weinstein, and the Commerce Department note that it's often used as a de facto warning to US customers not to buy from a listed foreign company, either. Both networking firm Huawei and drone-maker DJI have been added to the list, for instance, for their alleged ties to the Chinese military. “It’s used somewhat as a blacklist,” says Weinstein. “The Entity List should be a red or maybe a yellow alert to anyone in the US government who’s working with this company to take a second look at this.”

When WIRED reached out to the Commerce Department's Bureau of Industry and Security, a spokesperson responded that the BIS is restricted by law from commenting to the press on specific companies and that a company's unlisted subsidiary—like Initio—isn't technically affected by the Entity List's legal restrictions. But the spokesperson added that “as a general matter, affiliation with an Entity Listed party should be considered a ‘red flag.’”

Hualan's Initio chips are used in encrypted storage devices as so-called bridge controllers, sitting between the USB connection in a storage device and memory chips or magnetic drive to encrypt and decrypt data on a USB thumbdrive or external hard drive. Security researchers' teardowns have shown that storage device manufacturers including Lenovo, Western Digital, Verbatim, and Zalman have all at times used encryption chips sold by Initio.

But three lesser-known hard drive manufacturers, in particular, also integrate the Initio chips and list Western government, military, and intelligence agencies as customers. The Middlesex, UK-based hard drive maker iStorage lists on its website customers including NATO and the UK Ministry of Defence. South Pasadena, California-based SecureDrive lists as customers the US Army and NASA. And US federal procurement records show that Poway, California-based Apricorn has sold its encrypted storage products—which use Initio chips—to NASA, the Navy, the FAA, and the DEA, among many others.

The encryption features enabled by Initio chips in those drives are designed to protect their data against compromise if the drives are physically accessed, lost, or stolen. But the security of that encryption feature essentially depends on trusting the chip's designer, cryptography experts warn. If there were a secret vulnerability or intentional backdoor in the chips, it would allow anyone who lays hands on any drives that use them—drives are often marketed for use “in the field”—to defeat that feature. And that backdoor could be very, very difficult to detect, cryptographers note, even on the closest inspection.

“In the end, it's a matter of trust, whether you actually trust this vendor and its components with all your sensitive data,” says Matthias Deeg, a security researcher at German cybersecurity firm Syss, who has analyzed the Initio chips. “These kinds of microcontrollers are a black box to me and every other researcher trying to understand how this device is working.”

Last year, Deeg analyzed the first firmware of a Verbatim secure USB thumbdrive that uses an Initio chip and found multiple security vulnerabilities: One allowed him to quickly bypass a fingerprint reader or PIN on the drives and access any “administrative” password that had been set for the drives, a master password feature designed to allow IT administrators to decrypt users' devices. Another flaw allowed him to “brute-force” the decryption key for the drives, deriving the key to access their contents in at most 36 hours.

Deeg says that Initio has since fixed those vulnerabilities. But more troubling, he says, was how tough it was to do that analysis of the devices' firmware. The code had no public documentation, and Hualan didn't respond to his requests for more information. Deeg says the lack of transparency points to how difficult it would be to find a hardware-based backdoor in the chips, such as a minuscule component hidden in their physical design to allow for surreptitious decryption.

He notes, too, that there's no way of knowing whether the vulnerabilities he found were accidental. “Is it better to have a hidden backdoor,” Deeg asks, “or one that is more visible but can be attributed to negligence by the developer?”

Hualan didn't respond to WIRED's multiple requests for comment. But iStorage, the UK-based encrypted hard drive maker that uses Initio chips, told WIRED that its storage devices' architecture means that users don't have to trust Hualan or its Initio subsidiary because the private keys used to encrypt and decrypt data stored on them are generated and stored by a separate chip that comes from a different, France-based manufacturer, and the Initio chip never stores that key. “I appreciate concerns with using Chinese technology, but we’re very confident that even though we’re using these chips, our products cannot be hacked, even by Initio or Hualan,” iStorage's CEO John Michael says. (Michael also noted that some of iStorage products use a chip sold by Taiwanese firm Phison instead of Hualan or Initio, but didn't specify which products.)

Even if a bridge controller chip doesn't create a secret key and isn't intended to store it, however, it still has enough access to it to enable a backdoor, says Matthew Green, a cryptography-focused computer science professor at Johns Hopkins University. After all, a bridge controller performs the encryption and decryption using that secret key, and so could either secretly exfiltrate and store it or furtively encrypt the data with its own, different key. “If the chip has the key and does the encryption, there is a possibility of malfeasance,” Green says.

iStorage also passed on a statement from Initio pointing out that Initio isn't specifically named on Commerce's Entity List, and arguing that Hualan's inclusion on the list doesn't apply to Initio. But the Atlantic Council's Cary argues—echoing the Commerce spokesperson's “red flag” comment to WIRED—that wholly owned subsidiaries of companies on the list are generally considered to effectively be on the list, too. “I don’t buy that line of argument,” Cary says of Initio's claim to not be affected by the Entity List, pointing out that otherwise the list's restrictions could be easily circumvented through the use of subsidiary companies. “If the company that owns you is on the Entity List, you’re included.”

WIRED also reached out to Hualan and Initio customers including NATO, NASA, the US Navy and Army, the DEA, and the FAA. Of those that responded, none would comment on what hardware they buy. But statements from NATO, the US Navy, and the UK Ministry of Defence all repeated that they carefully vet the security of the technology they use. “We have policies in place to address supply chain risk management, as well as established security standards to ensure all procured commercial products and services are inspected for security vulnerabilities,” read a statement from the US Navy, for instance. An FAA spokesperson said the agency complies with government regulations like the National Defense Authorization Act related to the purchase of hardware, but didn't answer questions about purchasing components from companies on Commerce's Entity List.

In fact, several of the encrypted hard drives that use Hualan's and Initio's chips tout that they do have cybersecurity certification from the National Institute of Standards and Technology such as the FIPS 140-2 standard. But Johns Hopkins' Green notes that for that level of certification, NIST generally only checks for accidental vulnerabilities in cryptographic products, not intentionally hidden ones created by a determined adversary.

“These backdoors can be so subtle and clever, and there’s so many ways to do them that you may not even see in the code,” Green says. “It would really shock me if any of these tests are assuming an untrusted manufacturer.”

The mere fact that so many Western government agencies are buying products that include chips **sold by the subsidiary of** a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. “At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments,” he says. “It seems very significant. And it’s probably not a one-off mistake.”

How Shady Chinese Encryption Chips Got Into the Navy, NATO, and NASA

Bluetooth Classic in Bluetooth Core Specification through 5.3 does not properly conceal device information for Bluetooth transceivers in Non-Discoverable mode. By conducting an efficient over-the-air attack, an attacker can fully extract the permanent, unique Bluetooth MAC identifier, along with device capabilities and identifiers, some of which may contain identifying information about the device owner. This additionally allows the attacker to establish a connection to the target device.

Tag

#huawei