CVE-2024-44092

In TBD of TBD, there is a possible LCS signing enforcement missing due to test/debugging code left in a production build. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://source.android.com/security/bulletin/pixel/2024-09-01	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

History

18 Sep 2024, 13:51

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.4~~	v2 : unknown v3 : 7.8
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:o:google:android:-:::::::*
First Time		Google android Google
References	~~() https://source.android.com/security/bulletin/pixel/2024-09-01 -~~	() https://source.android.com/security/bulletin/pixel/2024-09-01 - Vendor Advisory

16 Sep 2024, 15:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.4
CWE		CWE-489
Summary		(es) En el futuro próximo, es posible que falte una implementación de firma de LCS debido a que se dejó código de prueba o depuración en una compilación de producción. Esto podría generar una escalada local de privilegios sin necesidad de permisos de ejecución adicionales. No se necesita interacción del usuario para la explotación.

13 Sep 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-13 21:15

Updated : 2024-09-18 13:51

NVD link : CVE-2024-44092

Mitre link : CVE-2024-44092

CVE.ORG link : CVE-2024-44092

JSON object : View

Products Affected

google

android

CWE

NVD-CWE-noinfo CWE-489

Active Debug Code

{"id": "CVE-2024-44092", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.4}]}, "published": "2024-09-13T21:15:10.560", "references": [{"url": "https://source.android.com/security/bulletin/pixel/2024-09-01", "tags": ["Vendor Advisory"], "source": "dsap-vuln-management@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-489"}]}], "descriptions": [{"lang": "en", "value": "In TBD of TBD, there is a possible LCS signing enforcement missing due to test/debugging code left in a production build. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}, {"lang": "es", "value": "En el futuro pr\u00f3ximo, es posible que falte una implementaci\u00f3n de firma de LCS debido a que se dej\u00f3 c\u00f3digo de prueba o depuraci\u00f3n en una compilaci\u00f3n de producci\u00f3n. Esto podr\u00eda generar una escalada local de privilegios sin necesidad de permisos de ejecuci\u00f3n adicionales. No se necesita interacci\u00f3n del usuario para la explotaci\u00f3n."}], "lastModified": "2024-09-18T13:51:12.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}], "operator": "OR"}]}], "sourceIdentifier": "dsap-vuln-management@google.com"}