{"id":24295,"date":"2024-04-15T18:44:56","date_gmt":"2024-04-16T02:44:56","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/04\/15\/news-18025\/"},"modified":"2024-04-15T18:44:56","modified_gmt":"2024-04-16T02:44:56","slug":"news-18025","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/04\/15\/news-18025\/","title":{"rendered":"Google patches critical vulnerability for Androids with Qualcomm chips"},"content":{"rendered":"\n

In April\u2019s update for the Android operating system (OS)<\/a>, Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm<\/a> chips.<\/p>\n

You can find your device\u2019s Android version number, security update level, and Google Play system level in your Settings app. You\u2019ll get notifications when updates are available for you, but you can also check for updates.<\/p>\n

If your Android phone is at patch level 2024-04-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn\u2019t always mean<\/a> that the patches are available for devices from all vendors.<\/p>\n

For most phones it works like this: Under About phone<\/strong> or About device<\/strong> you can tap on Software updates<\/strong> to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.<\/p>\n

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Qualcomm CVE is listed as CVE-2023-28582<\/a>. It has a CVSS score<\/a> of 9.8 out of 20 and is described as a memory corruption in Data Modem while verifying hello-verify message during the Datagram Transport Layer Security (DTLS) handshake.<\/p>\n

The cause of the memory corruption lies in a buffer copy without checking the size of the input. Practically, this means that a remote attacker can cause a buffer overflow during the verification of a DTLS handshake, allowing them to execute code on the affected device.<\/p>\n

Another vulnerability highlighted by Google is CVE-2024-23704<\/a>, an elevation of privilege (EoP) vulnerability in the System component that affects Android 13 and Android 14.<\/p>\n

This vulnerability could lead to local escalation of privilege with no additional execution privileges needed. Local privilege escalation happens when one user acquires the system rights of another user. This could allow an attacker to access information they shouldn\u2019t have access to, or perform actions at a higher level of permissions.<\/p>\n

Pixel users<\/h3>\n

Google warns Pixel users<\/a> that there are indications that two high severity vulnerabilities may be under limited, targeted exploitation. These vulnerabilities are:<\/p>\n