A proof-of-concept (PoC) exploit for a local privilege elevation flaw impacting at least seven Android original equipment manufacturers (OEMs) is now publicly available on GitHub. However, as the exploit requires local access, its release will mostly be helpful to researchers.
Tracked as CVE-2023-45779, the flaw was discovered by Meta’s Red Team X in early September 2023 and was addressed in Android’s December 2023 security update without disclosing details an attacker could use to discern and exploit it.
The vulnerability exists due to the insecure signing of APEX modules using test keys, allowing attackers to push malicious updates to platform components, leading to local privilege elevation.
Although the vulnerability isn’t directly exploitable remotely, it highlights weaknesses in the Compatibility Test Suite (CTS) and Android Open Source Project (AOSP) documentation that Google plans to address in the upcoming Android 15 release.
Devices that have received Android security patch level 2023-12-05 are secured against CVE-2023-45779.
Insecure APEX signing
Meta’s Tom Hebb published a write-up explaining that the issue lies in the signing of APEX modules using publicly available test keys from the AOSP.
APEX modules enable OEMs to push updates on specific system components without issuing a full over-the-air (OTA) update, making the update packages leaner and easier to test and deliver to the end users.
These modules should be signed with a private key known only to the OEM, created during the build process. However, using the same public key found in the Android source code build tree means anyone could forge critical system component updates.
Such updates could give attackers elevated privileges on the device, bypassing existing security mechanisms and resulting in full compromise.
CVE-2023-45779 impacts many OEMs, including ASUS (tested on Zenfone 9), Microsoft (Surface Duo 2), Nokia (G50), Nothing (Phone 2), VIVO (X90 Pro), Lenovo (Tab M10 Plus), and Fairphone (5).
The above models concern only the test coverage, so multiple, if not all, models from these seven OEMs are likely vulnerable to CVE-2023-45779. Fairphone’s bulletin on the issue confirms this.
Hebb says the reason multiple OEMs missed the security problem is multifaceted, including unsafe default settings in AOSP, inadequate documentation, and insufficient coverage by the CTS, which failed to detect the use of test keys in the APEX signatures.
OEMs whose device models were tested by Meta’s analysts and were confirmed not to be vulnerable to CVE-2023-45779 thanks to using private keys are Google (Pixel), Samsung (Galaxy S23), Xiaomi (Redmi Note 12), OPPO (Find X6 Pro), Sony (Xperia 1 V), Motorola (Razr 40 Ultra), and OnePlus (10T).
The researchers released an exploit for CVE-2023-45779 on GitHub, making it widely available, but that doesn’t mean that users who haven’t received a fix yet should be particularly worried.
Typically, the flaw would require physical access to the target device and some expertise in using ‘adb shell’ to exploit it, so the PoC is primarily intended for research and mitigation validation.
However, as we have seen multiple times, there’s always the possibility of the exploit being used as part of an exploit chain to elevate privileges on an already compromised device.
If your Android device runs anything older than Android security patch level 2023-12-05, consider switching to an actively supported distribution or upgrading to a newer model.