This issue occurs due to a permission bypass, which means that Android does not check the source of the Bluetooth configuration changes when setting up the device for advertising. The affected configuration change is in the Android system code, which controls the advertising behaviour. No user interaction is needed for this issue. The end result is that the device can be set up to advertise itself over Bluetooth, which makes it discoverable. The severity of the issue can be determined by the following Table

Impact - HighLOC: This issue could lead to local escalation of privilege with no additional execution privileges needed.User interaction is not needed for exploitation.

Vulnerability overview

CVE-2022-20396 is a critical privilege escalation vulnerability in Android that allows an attacker to execute code with elevated privileges. The vulnerability exists within the Android system code, which controls the advertising behaviour. No user interaction is needed for exploitation, and it allows an attacker to gain full control of a device.
In order to exploit the vulnerability, an attacker must first obtain root privileges via other means such as exploiting another vector or exploiting a remote code execution bug. Once root has been obtained, the attack can be carried out by running malicious code on the device. This issue could lead to local escalation of privilege with no additional execution privileges needed. A fix has already been pushed to Google’s open source repository and will be included in the next monthly security update for affected devices.

Products Affected by CVE-2022-20396

All Android devices running Android 6.0 and Android 7.0 are affected by this issue.

References https://source.android.com/security/bulletin/CVE-2022-20396.html


The importance of digital marketing can be seen in the benefits it provides for companies and consumers alike. Research from SEMrush shows that 94 percent of respondents believe that digital marketing is effective when it comes to driving traffic and brand awareness, while a study by Forrester Research citing the same source found that digital advertising has accounted for a 50 percent increase in traffic to websites over the last 15 years, with the number of unique audiences nearly doubling during the same time period. With so much emphasis on online marketing strategies, digital experts are needed more than ever. But what does a digital expert actually do?

Android version vulnerability details CVE-2022-20396

This issue occurs due to a permission bypass, which means that Android does not check the source of the Bluetooth configuration changes when setting up the device for advertising. The affected configuration change is in the Android system code, which controls the advertising behaviour. No user interaction is needed for this issue. The end result is that the device can be set up to advertise itself over Bluetooth, which makes it discoverable. The severity of the issue can be determined by the following Table

Timeline

Published on: 09/13/2022 20:15:00 UTC
Last modified on: 09/17/2022 00:07:00 UTC

References