Description Preview
Overview
This vulnerability (CVE-2021-0372) is classified as CWE-732, which relates to incorrect permission assignment for critical resources. The issue exists in Android 11's media output handling functionality, specifically in the RemoteMediaSlice.java component. The vulnerable function getMediaOutputSliceAction creates a PendingIntent without properly restricting its scope, allowing potential attackers to hijack the intent and execute operations with elevated privileges. Since no user interaction is required for exploitation, a malicious application could silently exploit this vulnerability to gain additional permissions beyond what it was granted during installation.
Remediation
Users should update their Android devices to the latest security patch level that addresses this vulnerability. Google released a fix for this issue in the March 2021 security bulletin for Pixel devices. Device manufacturers may have incorporated this fix in subsequent security updates.
For developers:
- When creating PendingIntent objects, always specify the exact component to be called and use explicit intents.
- Set appropriate flags like FLAG_IMMUTABLE or FLAG_NO_CREATE to prevent intent hijacking.
- Avoid using implicit intents with PendingIntent whenever possible.
- Review your application's permission handling, especially when dealing with system services.
References
- Android Security Bulletin (Pixel) - March 2021: https://source.android.com/security/bulletin/pixel/2021-03-01
- CWE-732: Incorrect Permission Assignment for Critical Resource: https://cwe.mitre.org/data/definitions/732.html
- Android ID: A-174047735
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
