CVE-2023-45779

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-45779
In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the referenced links.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962
https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html
https://source.android.com/security/bulletin/2023-12-01 Vendor Advisory
https://www.fairphone.com/en/2024/01/30/security-update-apex-modules-vulnerability-fixed/
Configurations

Configuration 1 (hide)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
History

01 Feb 2024, 00:15

Type Values Removed Values Added
Summary (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the links below: https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the referenced links.
References
  • () https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 -
  • () https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html -
  • () https://www.fairphone.com/en/2024/01/30/security-update-apex-modules-vulnerability-fixed/ -

31 Jan 2024, 00:15

Type Values Removed Values Added
Summary (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the links below: * https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html * https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the links below: https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962

30 Jan 2024, 23:15

Type Values Removed Values Added
Summary (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the links below: https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the links below: * https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html * https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962

30 Jan 2024, 18:15

Type Values Removed Values Added
Summary (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the links below: https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962

26 Jan 2024, 23:15

Type Values Removed Values Added
Summary (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the following links (which go live Jan 30th, 2024). (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

26 Jan 2024, 22:15

Type Values Removed Values Added
Summary (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the following links (which go live Jan 30th, 2024): * https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html * https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 * https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the following links (which go live Jan 30th, 2024).

26 Jan 2024, 18:15

Type Values Removed Values Added
Summary (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the following links: * https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html * https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 * https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the following links (which go live Jan 30th, 2024): * https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html * https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 * https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed

26 Jan 2024, 17:15

Type Values Removed Values Added
Summary (en) In TBD of TBD, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (en) In the APEX module framework of AOSP, there is a possible malicious update to platform components due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. More details on this can be found in the following links: * https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html * https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wmcc-g67r-9962 * https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed https://www.fairphone.com/en/2023/12/22/security-update-apex-modules-vulnerability-fixed

08 Dec 2023, 15:30

Type Values Removed Values Added
CPE cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
First Time Google
Google android
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
CWE NVD-CWE-noinfo
References () https://source.android.com/security/bulletin/2023-12-01 - () https://source.android.com/security/bulletin/2023-12-01 - Vendor Advisory

04 Dec 2023, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-04 23:15

Updated : 2024-02-01 00:15

NVD link : CVE-2023-45779

Mitre link : CVE-2023-45779

CVE.ORG link : CVE-2023-45779

JSON object : View

Products Affected

google

  • android
CWE
NVD-CWE-noinfo