Google Android September 2021 Security Patch Vulnerabilities: Discover and Take Remote Response Action Using VMDR for Mobile Devices

Swapnil Ahirrao

The recently released Android Security Bulletin for September 2021 addresses 40 vulnerabilities, out of which 7 are rated as critical vulnerabilities. The vulnerabilities affect open-source components such as the Android Framework, Android Media Framework, and Android System. The vulnerabilities also affect Kernel components, MediaTek, Unisoc components, QUALCOMM components, and QUALCOMM closed-source components.

QUALCOMM Closed-source Components Improper Validation of Array Index Vulnerability

Google released a patch to fix an improper validation of array index critical vulnerability (CVE-2021-1933). This vulnerability has a CVSSv3.1 base score of 9.8, and successful exploitation of the vulnerability allows a remote attacker to trigger memory corruption and execute arbitrary code on the target system, which may result in the complete compromise of the vulnerable system. It should be prioritized for patching. It affects the QUALCOMM closed-source component.

QUALCOMM Closed-source Components NULL pointer dereference Vulnerability

Google released a patch to fix a null pointer dereference critical vulnerability (CVE-2021-1946). This vulnerability has a CVSSv3.1 base score of 9.8, and successful exploitation of the vulnerability allows a remote attacker to send specially crafted data to the system and execute arbitrary code on the target system, which may result in the complete compromise of the vulnerable system. It should be prioritized for patching. It affects the QUALCOMM closed-source component.

Android Framework Denial of Service Vulnerability

Google released a patch to fix a denial-of-service critical vulnerability (CVE-2021-0687). This vulnerability has a CVSSv3.1 base score of 8.4, and successful exploitation of the vulnerability allows a remote attacker to cause a permanent denial of service on the target system, which may result in the complete compromise of the vulnerable system. It should be prioritized for patching. It affects Android versions 8.1, 9, 10, and 11.

Multiple Media Framework Information Disclosure Vulnerabilities

Google released a patch to fix multiple information disclosure vulnerabilities (CVE-2021-0689, CVE-2021-0690). These vulnerabilities have a CVSSv3.1 base score of 7.8, and successful exploitation allows a local malicious application to bypass the operating system protections that isolate application data from other applications, which may lead to data leakage. They should be prioritized for patching. They affect Android versions 8.1, 9, 10, and 11.

Google fixed 8 high-severity Elevation of Privilege (EoP) vulnerabilities in Framework, and System. They also fixed 8 high-severity Information Disclosure (ID) vulnerabilities in Framework, Media Framework, Kernel Components and System.

"The most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted file to cause a permanent denial of service," Google explains. On successful exploitation, an attacker can install programs; view, change, or delete data; or create new accounts with full user rights, depending upon the privileges associated with the application.

Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices

Discover Assets Missing the Latest Android Security Patch and Update

The first step in managing these critical vulnerabilities and reducing risk is to identify the assets. Qualys VMDR for Mobile Devices makes it easy to identify the assets missing the latest security patch. To get the comprehensive visibility of the mobile devices, you need to install Qualys Cloud Agent for Android or iOS on all mobile devices. The device onboarding process is easy, and the inventory of mobile devices is free.

Query: vulnerabilities.vulnerability.title:"September 2021"

Once you get the list of assets missing the latest security patch, navigate to the Vulnerability tab. Enter the query vulnerabilities.vulnerability.title:"September 2021" and apply the Group By "Vulnerabilities" to get the list of the CVEs that Google fixed in the September security patch. Qualys VMDR helps you understand what kind of risk you are taking by allowing the unpatched device to hold corporate data and connect to your corporate network.

Also, you can apply the Group By “CVE Ids” to get only the list of CVEs fixed by Google in September security updates.

QID 610363 and QID 610366 are available in signature version SEM VULNSIGS-1.0.0.45, and there is no dependency on any specific Qualys Cloud Agent version.

With the VMDR for Mobile Devices dashboard, you can track the status of the assets on which the latest security patch and update is missing. The dashboard will be updated with the latest data collected by Qualys Cloud Agent for Android and iOS devices.

Remote Response Action

You can perform the “Send Message” action to inform the end-user to update the security patch to the latest patch. Also, you may provide step-by-step details to update the security patch.

As of this writing, the September security patch has not been released by most of the manufacturers. For now, it has been released by Google for Pixel, Samsung, LG, and Huawei. For those manufacturers, the vulnerabilities are marked as "Confirmed"; for the rest, they are marked as "Potential". QIDs specific to individual manufacturers are 610362, 610366, 610365, and 610364. 610363 is the QID for the rest of the manufacturers. All are available in signature version SEM VULNSIGS-1.0.0.45.

We recommend updating to the latest Android security patch for the assets where vulnerabilities are detected as “Confirmed”. For the rest of the manufacturers, you can take appropriate action based on asset criticality.
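The query and "Group By" workflow above, together with the "Confirmed" versus "Potential" distinction, amount to a small triage routine: find devices whose security patch level predates September 2021, work out which of the bulletin's CVEs apply to each, and rank them with confirmed findings first. The script below is an added example that models that logic offline; it is not Qualys or Google code and does not call the VMDR API. The inventory records, the field names (`id`, `manufacturer`, `android`, `patch_level`), and the decision to treat the two QUALCOMM CVEs (for which the post states no Android version) as applicable to every unpatched device are assumptions; the CVE list, base scores, affected versions, and the set of manufacturers that had shipped the patch come from the post.

```python
"""Triage an Android fleet against the September 2021 security bulletin.

Added example, not Qualys or Google code. It models the post's workflow:
find devices whose patch level predates September 2021, group the
bulletin's CVEs by device, and mark findings "Confirmed" where the
manufacturer has shipped the patch and "Potential" otherwise.
Inventory records and field names are constructed assumptions.
"""
from collections import defaultdict
from datetime import date

# Android exposes the patch level as ro.build.version.security_patch
# (YYYY-MM-DD). Any level on or after 2021-09-01 carries the bulletin's fixes.
SEPTEMBER_2021_PATCH_LEVEL = date(2021, 9, 1)

# Manufacturers the post lists as having released the September patch.
MANUFACTURERS_WITH_PATCH = {"Google", "Samsung", "LG", "Huawei"}

# CVEs and CVSS v3.1 base scores as given in the post. affected_versions is
# None where the post states no Android version (the QUALCOMM issues); this
# example then treats the CVE as applicable to every unpatched device.
ANDROID_8_1_TO_11 = {"8.1", "9", "10", "11"}
BULLETIN_CVES = {
    "CVE-2021-1933": {"cvss": 9.8, "affected_versions": None},
    "CVE-2021-1946": {"cvss": 9.8, "affected_versions": None},
    "CVE-2021-0687": {"cvss": 8.4, "affected_versions": ANDROID_8_1_TO_11},
    "CVE-2021-0689": {"cvss": 7.8, "affected_versions": ANDROID_8_1_TO_11},
    "CVE-2021-0690": {"cvss": 7.8, "affected_versions": ANDROID_8_1_TO_11},
}

# Constructed inventory, shaped like an MDM or agent export (assumed fields).
INVENTORY = [
    {"id": "dev-001", "manufacturer": "Google", "android": "11", "patch_level": "2021-09-05"},
    {"id": "dev-002", "manufacturer": "Samsung", "android": "11", "patch_level": "2021-08-01"},
    {"id": "dev-003", "manufacturer": "Xiaomi", "android": "10", "patch_level": "2021-08-01"},
    {"id": "dev-004", "manufacturer": "LG", "android": "8.0", "patch_level": "2021-07-05"},
    {"id": "dev-005", "manufacturer": "Huawei", "android": "10", "patch_level": "not-a-date"},
]


def parse_patch_level(value):
    """Return the patch level as a date, or None if absent or malformed."""
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def is_missing_september_patch(device):
    """True if the patch level predates September 2021 or cannot be read.

    An unreadable level counts as unpatched: missing evidence of a fix is
    not evidence of a fix."""
    level = parse_patch_level(device.get("patch_level"))
    return level is None or level < SEPTEMBER_2021_PATCH_LEVEL


def detection_status(device):
    """'Confirmed' when the manufacturer has shipped the patch, else 'Potential'."""
    return "Confirmed" if device["manufacturer"] in MANUFACTURERS_WITH_PATCH else "Potential"


def applicable_cves(device):
    """Bulletin CVEs that apply to this device's Android version."""
    return sorted(
        cve for cve, info in BULLETIN_CVES.items()
        if info["affected_versions"] is None or device["android"] in info["affected_versions"]
    )


def triage(inventory):
    """One finding per unpatched device, Confirmed first, then by highest CVSS."""
    findings = []
    for device in inventory:
        if not is_missing_september_patch(device):
            continue
        cves = applicable_cves(device)
        findings.append({
            "id": device["id"],
            "manufacturer": device["manufacturer"],
            "status": detection_status(device),
            "cves": cves,
            "max_cvss": max(BULLETIN_CVES[c]["cvss"] for c in cves) if cves else 0.0,
        })
    findings.sort(key=lambda f: (f["status"] != "Confirmed", -f["max_cvss"], f["id"]))
    return findings


def group_by_cve(findings):
    """Counterpart of the post's Group By "CVE Ids": CVE -> affected device ids."""
    grouped = defaultdict(list)
    for finding in findings:
        for cve in finding["cves"]:
            grouped[cve].append(finding["id"])
    return {cve: sorted(ids) for cve, ids in sorted(grouped.items())}


if __name__ == "__main__":
    results = triage(INVENTORY)
    for f in results:
        print(f"{f['id']:8} {f['manufacturer']:8} {f['status']:9} "
              f"max CVSS {f['max_cvss']:.1f}  {', '.join(f['cves'])}")
    for cve, ids in group_by_cve(results).items():
        print(f"{cve}: {', '.join(ids)}")
```

Two choices are worth noting. A device whose patch level is empty or malformed is reported as unpatched rather than silently skipped, so a broken agent field cannot hide a device from the list. And the sort puts "Confirmed" findings ahead of "Potential" ones, which matches the post's advice to update the confirmed assets first and decide on the rest by asset criticality.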

Get Started Now

Qualys VMDR for Mobile Devices is available free for 30 days to help customers detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions available on Google Play Store. You can try our solution by registering for the free 30-day service.
