January 31, 2024 at 02:16PM
A proof-of-concept (PoC) exploit for CVE-2023-45779, a local privilege elevation flaw affecting seven Android OEMs, has been publicly released on GitHub by Meta’s Red Team X. The flaw, addressed in Android’s December 2023 security update, results from insecure signing of APEX modules. Devices with the 2023-12-05 security patch are protected. Expertise and physical access are required to exploit the flaw.
The meeting notes disclose the discovery of a local privilege elevation flaw, tracked as CVE-2023-45779, impacting several Android OEMs. The flaw was identified by Meta’s Red Team X and is related to insecure APEX module signing using test keys, allowing the potential for malicious updates and local privilege elevation. The flaw was addressed in Android’s December 2023 security update, but it exposes weaknesses in the Compatibility Test Suite and Android Open Source Project documentation that Google plans to address in the upcoming Android 15 release.
Several OEMs, including ASUS, Microsoft, Nokia, Nothing, VIVO, Lenovo, and Fairphone, are potentially impacted, with confirmed vulnerabilities from testing and inadequate documentation. However, several OEMs such as Google, Samsung, Xiaomi, OPPO, Sony, Motorola, and OnePlus are confirmed not to be vulnerable to CVE-2023-45779 due to their use of private keys for APEX module signing.
Furthermore, an exploit for CVE-2023-45779 is now public on GitHub. While the exploit primarily requires physical access and ‘adb shell’ expertise and is intended for research and mitigation validation, there is a possibility of it being used as part of an exploit chain to elevate privileges on compromised devices. Users are advised to ensure their Android devices have received the security patch level 2023-12-05 or higher, or consider switching to an actively supported distribution or upgrading to a newer model if their devices are running older security patch levels.