The recently released Android Security Bulletin for July 2021 addresses 44 vulnerabilities, out of which 7 are rated as critical vulnerabilities. The vulnerabilities affect open-source components such as the Android Framework, Android Media Framework, and Android System. The vulnerabilities also affect Widevine DRM, MediaTek, QUALCOMM components, and QUALCOMM closed-source components.
Widevine DRM Remote Code Execution (RCE) Vulnerability
Google released a patch to fix an RCE critical vulnerability (CVE-2021-0592). This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching. It affects the Widevine component.
QUALCOMM Component Buffer Overflow Vulnerability
Google released a patch to fix a buffer overflow critical vulnerability (CVE-2021-1965). This vulnerability has a CVSSv3 base score of 9.8, and possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse. It should be prioritized for patching. It affects the QUALCOMM component.
QUALCOMM Closed-Source Components Multiple Critical Vulnerabilities
Google released a patch to fix multiple critical vulnerabilities (CVE-2020-11307, CVE-2021-1886, CVE-2021-1888, CVE-2021-1889, CVE-2021-1890). These vulnerabilities have a CVSSv3 base score of 9.8 and 8.4 and should be prioritized for patching. It affects the QUALCOMM closed-source components.
Media Framework Escalation of Privilege (EoP) Vulnerability
Google released a patch to fix a high vulnerability (CVE-2021-0587). This vulnerability has a CVSSv3 base score of 8.4 and should be prioritized for patching. It affects Android versions 8.1, 9, 10, and 11.
Google fixed 2 high-severity Remote code execution (RCE) vulnerabilities in the System and fixed 10 high-severity Elevation of Privilege (EoP) vulnerabilities in Framework, Media Framework, and System. They also fixed 9 high-severity Information Disclosure (ID) vulnerabilities in Framework, Media Framework, and System.
‘The most severe of these issues is a high security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,’ Google explains. An attacker on successful exploitation can install programs, view, change, or delete data, or create new accounts with full user rights depending upon the privileges associated with the application.
Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices
Discover Assets Missing the Latest Android Security Patch
The first step in managing these critical vulnerabilities and reducing risk is to identify the assets. Qualys VMDR for Mobile Devices makes it easy to identify the assets missing the latest security patch. To get the comprehensive visibility of the mobile devices, you need to install Qualys Cloud Agent for Android or iOS on all mobile devices. The device onboarding process is easy, and the inventory of mobile devices is free.
vulnerabilities.vulnerability.title: ’July 2021’
Once you get the list of assets missing the latest security patch, navigate to the Vulnerability tab and apply the Group By “Vulnerabilities” to get the list of the CVEs which Google fixes in the July security patch. Qualys VMDR helps you understand what kind of risk you are taking by allowing the unpatched device to hold corporate data and connect to your corporate network.
QID 610352 and QID 610355 are available in signature version SEM VULNSIGS-184.108.40.206, and there is no dependency on any specific Qualys Cloud Agent version.
With the VMDR for Mobile Devices dashboard, you can track the status of the assets on which the latest security patch is missing. The dashboard will be updated with the latest data collected by Qualys Cloud Agent for Android devices.
Remote Response Action
You can perform the “Send Message” action to inform the end-user to update the security patch to the latest patch. Also, you may provide step-by-step details to update the security patch.
As of this writing, the July security patch is not released by most of the manufacturers. For now, it has been released by Google for Pixel, Samsung, Huawei, and LG. For such manufacturers, the vulnerabilities are marked as “Confirmed”; for the rest, it is marked as “Potential”. QIDs specific to individual manufacturers are 610351, 610355, 610353, and 610354 is the QID for the rest of the manufacturers. All are available in signature version SEM VULNSIGS-220.127.116.11.
We recommend updating to the latest security patch for the assets where vulnerabilities are detected as “Confirmed”. For the rest of the manufacturers, you can take appropriate action based on the asset criticality.
Get Started Now
Qualys VMDR for Mobile Devices is available free for 30 days to help customers detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions available on Google Play Store. To see for yourself, get a free 30-day trial of VMDR for Mobile Devices.