CVE-2023-49794

KernelSU is a Kernel-based root solution for Android devices. In versions 0.7.1 and prior, the logic of get apk path in KernelSU kernel module can be bypassed, which causes any malicious apk named `me.weishu.kernelsu` get root permission. If a KernelSU module installed device try to install any not checked apk which package name equal to the official KernelSU Manager, it can take over root privileges on the device. As of time of publication, a patched version is not available.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://drive.google.com/file/d/1b9UrmG_co9EJXB_yMBneRArUIR5sTuaN/view?usp=drive_link	Product
https://github.com/tiann/KernelSU/security/advisories/GHSA-8rc5-x54x-5qc4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kernelsu:kernelsu:*:*:*:*:*:*:*:*

History

08 Jan 2024, 19:37

Type	Values Removed	Values Added
First Time		Kernelsu kernelsu Kernelsu
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CPE		cpe:2.3:a:kernelsu:kernelsu::::::::
References	~~() https://github.com/tiann/KernelSU/security/advisories/GHSA-8rc5-x54x-5qc4 -~~	() https://github.com/tiann/KernelSU/security/advisories/GHSA-8rc5-x54x-5qc4 - Exploit, Vendor Advisory
References	~~() https://drive.google.com/file/d/1b9UrmG_co9EJXB_yMBneRArUIR5sTuaN/view?usp=drive_link -~~	() https://drive.google.com/file/d/1b9UrmG_co9EJXB_yMBneRArUIR5sTuaN/view?usp=drive_link - Product

02 Jan 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-02 20:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-49794

Mitre link : CVE-2023-49794

CVE.ORG link : CVE-2023-49794

JSON object : View

Products Affected

kernelsu

kernelsu

CWE

CWE-290

Authentication Bypass by Spoofing

{"id": "CVE-2023-49794", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2024-01-02T20:15:10.020", "references": [{"url": "https://drive.google.com/file/d/1b9UrmG_co9EJXB_yMBneRArUIR5sTuaN/view?usp=drive_link", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tiann/KernelSU/security/advisories/GHSA-8rc5-x54x-5qc4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "KernelSU is a Kernel-based root solution for Android devices. In versions 0.7.1 and prior, the logic of get apk path in KernelSU kernel module can be bypassed, which causes any malicious apk named `me.weishu.kernelsu` get root permission. If a KernelSU module installed device try to install any not checked apk which package name equal to the official KernelSU Manager, it can take over root privileges on the device. As of time of publication, a patched version is not available."}, {"lang": "es", "value": "KernelSU es una soluci\u00f3n ra\u00edz basada en Kernel para dispositivos Android. En las versiones 0.7.1 y anteriores, se puede omitir la l\u00f3gica de obtener la ruta de la apk en el m\u00f3dulo del kernel KernelSU, lo que hace que cualquier apk malicioso llamado `me.weishu.kernelsu` obtenga permiso de root. Si un dispositivo con el m\u00f3dulo KernelSU instalado intenta instalar cualquier apk no marcado cuyo nombre de paquete sea igual al administrador oficial de KernelSU, puede asumir los privilegios de root en el dispositivo. Al momento de la publicaci\u00f3n, no hay una versi\u00f3n parcheada disponible."}], "lastModified": "2024-01-08T19:37:53.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kernelsu:kernelsu:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C6A3ED4-679D-46F9-A6EF-EF7A2D7E9135", "versionEndIncluding": "0.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}