One Article Review

Source Google ProjectZero
Identifier 8221922
Publication date 2022-11-22 13:05:40 (viewed: 2022-11-25 18:05:33)
Title Mind the Gap
Text By Ian Beer, Project Zero

Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo and others). Devices with a Mali GPU are currently vulnerable.

Introduction

In June 2022, Project Zero researcher Maddie Stone gave a talk at FirstCon22 titled 0-day In-the-Wild Exploitation in 2022…so far. A key takeaway was that approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities. This finding is consistent with our understanding of attacker behavior: attackers will take the path of least resistance, and as long as vendors don't consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones.

The presentation discussed an in-the-wild exploit targeting the Pixel 6 and leveraging CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by a large number of other Android devices. ARM's advisory described the vulnerability as:

Title: Mali GPU Kernel Driver may elevate CPU RO pages to writable
CVE: CVE-2022-22706 (also reported in CVE-2021-39793)
Date of issue: 6th January 2022
Impact: A non-privileged user can get a write access to read-only memory pages [sic].

The week before FirstCon22, Maddie gave an internal preview of her talk. Inspired by the description of an in-the-wild vulnerability in low-level memory management code, fellow Project Zero researcher Jann Horn started auditing the ARM Mali GPU driver. Over the next three weeks, Jann found five more exploitable vulnerabilities (2325, 2327,
Sent Yes
Tags Vulnerability Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.