CVE-2017-13266:Stack corruption vulnerability in Android's Bluetooth AVRC parsing component allows remote code execution.

splash
Back

Description Preview

CVE-2017-13266 is a critical vulnerability in Android's Bluetooth AVRCP (Audio/Video Remote Control Profile) implementation. The issue exists in the avrc_pars_vendor_cmd function of avrc_pars_tg.cc file, where a missing bounds check can lead to stack corruption. This vulnerability affects Android versions 5.1.1 through 8.1 and could allow an attacker to execute arbitrary code remotely on affected devices without requiring additional privileges or user interaction.

Overview

This vulnerability (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) exists in the Bluetooth stack of Android devices. The specific issue is in the AVRCP component that handles vendor commands. When processing these commands, the code fails to properly validate input boundaries, which can lead to stack corruption. An attacker within Bluetooth range could exploit this vulnerability to execute malicious code with the privileges of the Bluetooth service. The attack doesn't require user interaction or special permissions, making it particularly dangerous. All Android devices running versions 5.1.1 through 8.1 are affected.

Remediation

Users should update their Android devices to the latest security patch level. Google addressed this vulnerability in the March 2018 Android Security Bulletin. The following actions are recommended:

  1. Check your current Android version and security patch level under Settings > About phone > Android version and Security patch level.
  2. Enable automatic system updates if available.
  3. Apply all pending system updates immediately.
  4. If updates are not available for your device, consider disabling Bluetooth when not in use to reduce the attack surface.
  5. Only connect to trusted Bluetooth devices and avoid pairing in public locations where attackers might be present.

References

  1. Android Security Bulletin March 2018: https://source.android.com/security/bulletin/2018-03-01
  2. SecurityFocus vulnerability details: http://www.securityfocus.com/bid/103253
  3. Android bug tracker reference: A-69478941
  4. CWE-119: https://cwe.mitre.org/data/definitions/119.html

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Low
    Manufacturing
  2. Public Administration: Low
    Public Administration
  3. Educational Services: Low
    Educational Services
  4. Finance and Insurance: Low
    Finance and Insurance
  5. Transportation & Warehousing: Low
    Transportation & Warehousing
  6. Health Care & Social Assistance: Low
    Health Care & Social Assistance
  7. Information: Low
    Information
  8. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  9. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  10. Accommodation & Food Services: Low
    Accommodation & Food Services
  11. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  12. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  13. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  14. Construction: Low
    Construction
  15. Mining: Low
    Mining
  16. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  17. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  18. Retail Trade: Low
    Retail Trade
  19. Utilities: Low
    Utilities
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background