The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The two flaws are listed below.
- CVE-2023-20963 (CVSS score: 7.8) – Android Framework privilege escalation vulnerability
- CVE-2023-29492 (CVSS score: TBD) – Novi Survey insecure deserialization vulnerability
“The Android framework contains an unspecified vulnerability that allows privilege escalation without requiring additional execution permissions after updating an app to a higher target SDK,” CISA said in its advisory for CVE-2023-20963.
Google, in its March 2023 monthly Android security bulletin, acknowledged that “there are indications that CVE-2023-20963 may be under limited, targeted attacks.”
The development follows a disclosure at the end of last month by technology news site Ars Technica, citing analysis by mobile security firm Lookout, that an Android app digitally signed by Chinese e-commerce company Pinduoduo had weaponized the flaw as a zero-day to take control of devices and steal sensitive data.
The main functions of the malware-laden app included inflating Pinduoduo’s daily and monthly active user counts, uninstalling competing apps, accessing notifications and location data, and preventing itself from being uninstalled.
CNN, in a follow-up report, said that analysis of version 6.49.0 of the app revealed code designed to achieve privilege escalation and even track user activity in other shopping apps.
The exploit allowed the malicious app to access the user’s contacts, calendar and photo albums without consent, requesting “numerous permissions beyond the normal functionality of a shopping app,” the news channel said.
It is worth pointing out that Google suspended Pinduoduo’s official app from the Play Store in March, citing malware identified in “off-Play versions” of the software.
However, it is still unclear how these APK files came to be signed with the same key used to sign the legitimate Pinduoduo app. This points to either a compromised signing key, the work of a rogue insider, a compromise of Pinduoduo’s build pipeline, or a deliberate malware distribution attempt by the Chinese company.
The second vulnerability added to the KEV catalog is an insecure deserialization flaw in Novi Survey software that allows remote attackers to execute code on the server in the context of a service account.
The issue, which affects versions of Novi Survey prior to 8.9.43676, was addressed by the Boston-based provider earlier this week, on April 10, 2023. It is currently unknown how this flaw is being exploited in real-world attacks.
To counter the risks posed by these vulnerabilities, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by May 4, 2023.