- Jul 22, 2014
- 2,525
The zero-day vulnerability could enable privilege escalation, and is not part of Google’s Android September security update.
Researchers are warning of a high-severity zero-day vulnerability in Google’s Android operating system, which if exploited could give a local attacker escalated privileges on a target’s device.
The specific flaw exists within the v4l2 (Video4Linux 2) driver in Android. When exploited, a component within the v4l2 “does not validate the existence of an object prior to performing operations on the object,” according to researchers with Zero Day Initiative (ZDI). Researchers said an attacker with physical access to the Android device could leverage the flaw to escalate privileges in the context of the kernel, which typically allows an attacker to take control of the targeted device.
“An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability,” according to ZDI researchers who discovered the flaw and publicly disclosed the bug on Wednesday,
ZDI did not reply to Threatpost questions ranging from how an attack specifically would be carried out and the nature of the “low-privileged” code needed to be executed to launch an attack. The vulnerability scores 7.8 out of 10 on the CVSS scale, making it high-severity.
Researchers first discovered and reported the flaw on March 13, 2019.
...
...
Researchers are warning of a high-severity zero-day vulnerability in Google’s Android operating system, which if exploited could give a local attacker escalated privileges on a target’s device.
The specific flaw exists within the v4l2 (Video4Linux 2) driver in Android. When exploited, a component within the v4l2 “does not validate the existence of an object prior to performing operations on the object,” according to researchers with Zero Day Initiative (ZDI). Researchers said an attacker with physical access to the Android device could leverage the flaw to escalate privileges in the context of the kernel, which typically allows an attacker to take control of the targeted device.
“An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability,” according to ZDI researchers who discovered the flaw and publicly disclosed the bug on Wednesday,
ZDI did not reply to Threatpost questions ranging from how an attack specifically would be carried out and the nature of the “low-privileged” code needed to be executed to launch an attack. The vulnerability scores 7.8 out of 10 on the CVSS scale, making it high-severity.
Researchers first discovered and reported the flaw on March 13, 2019.
...
...
Last edited by a moderator:
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}