In order to exploit this issue, a malicious application needs to be installed on the device with an installed version of the app that has a policy that has the “exempt-from-restriction” tag set. The malicious application needs to be installed before the user installs the app that has the “exempt-from-restriction” tag set. If the user installs the app that has the “exempt-from-restriction” tag set before installing the malicious application, the malicious application will be installed instead of the app that has the “exempt-from-restriction” tag set.

CVSS Frequently Asked Questions

Q: What is the scope of CVE-2022-20420?
A: The scope of this issue includes all devices running iOS 9.3 through iOS 12.1, macOS 10.13.3 through macOS 10.14, tvOS 9.0 through tvOS 12.1 and watchOS 3 through watchOS 5 that have installed a malicious application before installing a legitmate app with the “exempt-from-restriction” tag set on the device.

Vulnerability Scenario

When installing an application from the Google Play Store, a user will receive an "Install" button. If the user enters their password before clicking on the "Install" button, then they are prompted for a PIN when installing the app. This is to protect users by prompting them to enter their PIN in order to install an app that doesn't match their current setting.

If a malicious app is installed after the user's device is already installed with an app that has a policy of "exempt-from-restriction", then it will be installed instead of the legitimate application.

CVE-2022-20421

This issue is not exploitable without administrator permissions.

How to avoid the 5 most common mistakes when outsourcing SEO.

Vulnerability Discovery and Recommendation:

The vulnerability is in the application framework for Android. The issue arises when an application developer uses a policy with the “exempt-from-restriction” tag set. This policy allows the application to bypass restrictions and run on any device regardless of OS version, CPU architecture, or file type restrictions. If this policy is used by an application, malicious applications can execute unchecked.
The most impacted users are those who download third party applications from unknown sources or apps that have been modified by someone other than the original developer.
The bug can be exploited quickly by installing a malicious app before downloading an app with this policy and then installing the app after. A user should not worry about security if they only download apps from trusted app stores and do not install apps that have been modified by someone other than their original author.

Timeline

Published on: 10/11/2022 20:15:00 UTC
Last modified on: 10/13/2022 02:49:00 UTC

References