September 18, 2023

ASPL 2023-09-01 / CVE-2023-35674

Lookout Coverage and Recommendation for Admins

With 4 critical vulnerabilities, including an actively exploited one, the September 2023 ASPLs should be installed as soon as they are available for any Android device. The two patch levels listed are 2023-09-01 and 2023-09-05. Please set the compliance policies in the Lookout admin console to a minimum security patch level of 2023-09-01 so that end users are alerted that they are at risk. The alert also gives them steps to update and resolve the issue.

We highly recommend setting devices to automatically update to the latest Android Security Patch Levels (ASPLs), as this minimizes the time gap between when a vulnerability becomes known and when the device is patched against it. Most vulnerabilities are exploited during this lag, which varies by the manufacturer of your Android device, since each manufacturer must test and push the patch independently of the original release.

Overview

An Android framework privilege escalation vulnerability, tracked as CVE-2023-35674, was recently discovered being exploited in the wild and has since been fixed by the 2023-09-01 Android security patch level (ASPL) released by Google. The vulnerability is known to affect Android 11, 12, 12L and 13, and several manufacturers (Samsung, OnePlus) have already released the updated patch. Users with older devices should consider upgrading their devices or restricting corporate access on these older devices. Per NIST, the vulnerability has a score of 7.8, and it is also listed in CISA’s known exploited vulnerabilities catalog with a due date of October 4th, 2023, by which all government organizations must either fix the devices or phase them out.
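The minimum-patch-level policy recommended above and the affected-release list from this overview can be applied to a device inventory as a triage pass. This is an added example, not Lookout's code or console logic: the inventory rows, device ids and status names are constructed, and the patch string is assumed to be the device's `ro.build.version.security_patch` value.

```python
from datetime import date

MIN_ASPL = date(2023, 9, 1)            # minimum patch level recommended by the advisory
AFFECTED = {"11", "12", "12L", "13"}   # Android releases the advisory lists as affected

# Constructed inventory: (device id, Android release, reported security patch level)
INVENTORY = [
    ("dev-001", "13", "2023-09-05"),
    ("dev-002", "13", "2023-08-01"),
    ("dev-003", "12L", "2023-09-01"),
    ("dev-004", "10", "2022-03-01"),
    ("dev-005", "12", ""),             # patch level not reported
    ("dev-006", "11", "2023-9-1x"),    # malformed value
]

def parse_aspl(value):
    """Return the patch level as a date, or None if it is not a valid ISO date."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def classify(release, patch):
    aspl = parse_aspl(patch)
    if aspl is None:
        return "unknown"               # cannot prove the device is patched
    if aspl >= MIN_ASPL:
        return "compliant"
    if release in AFFECTED:
        return "update"                # listed release, below 2023-09-01
    # Assumption: a release outside the advisory's list that is still below the
    # minimum is handled like the "older devices" case (upgrade or restrict access).
    return "restrict_or_upgrade"

def triage(inventory):
    report = {"compliant": [], "update": [], "restrict_or_upgrade": [], "unknown": []}
    for dev, release, patch in inventory:
        report[classify(release, patch)].append(dev)
    return report

if __name__ == "__main__":
    for status, devs in triage(INVENTORY).items():
        print(f"{status:20} {', '.join(devs) or '-'}")
```

Devices in the `unknown` bucket should be handled as non-compliant until a valid patch level is reported.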

Lookout Analysis

CVE-2023-35674 is a zero-day threat that allows attackers to escalate their privileges without needing any user interaction or any additional execution privileges. The September Android security update also fixes three additional critical vulnerabilities within the Android System component. These are:

  • CVE-2023-35658: use-after-free weakness in the gatt_cl.cc component
  • CVE-2023-35673: out-of-bounds write due to integer overflow in the gatt_cl component
  • CVE-2023-35681: out-of-bounds write due to integer overflow in the eatt_impl component

Since a successful exploit of these vulnerabilities could enable remote code execution without needing additional privileges, organizations should consider them highly severe and critical to update.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Platform(s) Affected: Android
Entry Type: Threat Guidances
Threat Type: Vulnerability