[SingCERT] Alert on Critical Remote Code Execution Vulnerabilities (CVE-2019-2027 and CVE-2019-2028) in Android Devices

Published on Wednesday, 03 April 2019 17:21

Background

Google has released the April 2019 Android security update to address multiple security vulnerabilities in the Android Open Source Project (AOSP).

The two most critical vulnerabilities (CVE-2019-2027 and CVE-2019-2028) affect the Google Media framework, which handles media content and the Application Programming Interfaces that interact with the device’s multimedia hardware. The vulnerabilities could allow a remote attacker, using a specially crafted malicious file, to perform remote code execution with elevated privileges on targeted devices.

Affected Versions

Devices running Android 7.0 and later.

Impact

Successful exploitation allows an attacker to execute malicious code remotely on the compromised device, which can lead to an effective takeover of the entire device.

Recommendation

Users are advised to enable automatic updates, and to look out for and install the latest security patches released by their respective device manufacturers.
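One way to verify this recommendation on a specific device is to read its security patch level, which Android exposes as the system property ro.build.version.security_patch, and compare it with the 2019-04-01 level of the bulletin referenced below. The script that follows is an added example and is not part of the SingCERT advisory or of Google's bulletin; it assumes adb is installed and the device is attached with USB debugging enabled, and the function and variable names are the editor's own.

```shell
#!/bin/sh
# Added example (not from the SingCERT advisory): check whether an attached
# Android device's security patch level already contains the April 2019
# fixes for CVE-2019-2027 and CVE-2019-2028.
# Assumes adb is installed and the device is connected with USB debugging on.

# Patch level that ships the fixes (the 2019-04-01 Android security bulletin).
REQUIRED_PATCH="2019-04-01"

# patch_is_current LEVEL
# LEVEL is a YYYY-MM-DD string as reported by ro.build.version.security_patch.
# Returns 0 if LEVEL is on or after REQUIRED_PATCH, 1 if it is older,
# 2 if LEVEL is empty or malformed (the device could not be read).
patch_is_current() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Zero-padded ISO dates compare correctly as plain integers once the
    # hyphens are removed (2019-04-01 -> 20190401).
    have=$(printf '%s' "$level" | tr -d '-')
    want=$(printf '%s' "$REQUIRED_PATCH" | tr -d '-')
    [ "$have" -ge "$want" ]
}

# device_patch_level
# Reads the patch level from the connected device over adb. Prints an empty
# string if adb is missing or no device is attached.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
}

# check_device
# Reports whether the attached device is patched; exit status mirrors
# patch_is_current so the script can be used from other tooling.
check_device() {
    level=$(device_patch_level)
    patch_is_current "$level"
    rc=$?
    case $rc in
        0) echo "OK: security patch level $level is at or after $REQUIRED_PATCH" ;;
        1) echo "NOT PATCHED: security patch level $level predates $REQUIRED_PATCH; install the manufacturer update" ;;
        *) echo "UNKNOWN: could not read ro.build.version.security_patch (is a device attached with USB debugging enabled?)" ;;
    esac
    return $rc
}

# Only query a device when adb is actually available on this host.
if command -v adb >/dev/null 2>&1; then
    check_device
fi
```

The patch level reported by the property is the date string Google prints under "Android security patch level" in Settings, so the same comparison can be done by hand; the script is only useful for checking a fleet of devices consistently. A device that reports a level on or after 2019-04-01 has the fixes from this bulletin, but a later level does not imply the device receives updates regularly, so the recommendation to enable automatic updates still stands.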

References

https://source.android.com/security/bulletin/2019-04-01

https://www.zdnet.com/article/google-we-just-fixed-these-three-critical-android-bugs-with-april-update/