^{CVE-2024-43093:}In Android's ExternalStorageProvider.shouldHideDocument, a Unicode normalization bug allows bypassing the file path filter intended to block access to sensitive directories, enabling local elevation of privilege. Exploitation requires user interaction.

CVE-2024-43093 describes a vulnerability in Android's ExternalStorageProvider.java where the shouldHideDocument path-filter logic can be bypassed due to incorrect Unicode normalization. An attacker with local access could manipulate file paths in a way that normalizes to a location that should be blocked, effectively circumventing protections that are meant to prevent access to sensitive directories. This can lead to local elevation of privilege without requiring any additional execution privileges. For exploitation, user interaction is required. The issue affects Android versions 12.0, 13.0, 14.0, and 15.0, with Google labeling the CVE under the Android framework and providing advisories in the 2024-11-01 security bulletin and related patch notes.

Overview

This vulnerability stems from an incorrect Unicode normalization in the shouldHideDocument logic of Android’s ExternalStorageProvider, which can be abused to bypass a path filter designed to restrict access to sensitive directories. The result is local elevation of privilege, needing user interaction to trigger the exploit. Affected Android releases include 12.0 through 15.0, and the issue has been addressed in the Android security advisories and related patches published around November 2024.

Remediation

• Apply the latest Android security update for affected devices (refer to the Android Security Bulletin 2024-11-01 and vendor patch notes) to obtain the official fix.
• If you are a device manufacturer or ROM builder:
  • Update ExternalStorageProvider-related code to perform robust path normalization, avoiding reliance on potentially brittle Unicode normalization.
  • Use canonical or real paths (for example, resolve symlinks and normalize Unicode using canonical path methods) and strictly validate against a allowlist of safe directories.
  • Add additional checks to ensure that paths cannot traverse into or escape from protected directories.
  • Strengthen tests to detect Unicode normalization bypass scenarios (path normalization, traversal, and directory access tests).
• For app developers and enterprises:
  • Ensure devices receive automatic OS updates or apply manual security patches promptly.
  • Review app behavior that interacts with external storage and minimize permissions or exposure that could be leveraged for path-filter bypass.
  • Educate users about applying updates and enabling automatic updates to reduce exposure time.
• General recommendation: Monitor for security advisories related to Android storage and path handling, and verify that deployed devices are on patched builds as per vendor advisories.

References

• https://android.googlesource.com/platform/frameworks/base/+/67d6e08322019f7ed8e3f80bd6cd16f8bcb809ed
• https://source.android.com/security/bulletin/2024-11-01