Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

April 14, 2023 | Ravie Lakshmanan | Mobile Security / Cyber Threat

Android vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

The two flaws are listed below.

  • CVE-2023-20963 (CVSS score: 7.8) – Android framework privilege escalation vulnerability
  • CVE-2023-29492 (CVSS score: TBD) – Novi Survey insecure deserialization vulnerability

CISA states in its advisory for CVE-2023-20963, “The Android framework contains an unspecified vulnerability that allows privilege escalation after updating an app to a higher Target SDK, with no additional execution permissions required.”

In its March 2023 monthly Android Security Bulletin, Google acknowledged that “there are indications that CVE-2023-20963 may be under limited targeted attack.”

The development came after technology news site Ars Technica reported late last month, citing analysis by mobile security firm Lookout, that an Android app digitally signed by Chinese e-commerce company Pinduoduo had weaponized the flaw to seize control of devices and steal sensitive data.

The main functions of the malware-laden app included increasing Pinduoduo’s daily and monthly active users, uninstalling competing apps, accessing notifications and location data, and preventing itself from being uninstalled.

In a follow-up report published earlier this month, CNN said its analysis of version 6.49.0 of the app revealed code designed to achieve privilege escalation and even track user activity in other shopping apps.

The exploit allowed the malicious app to access the user’s contacts, calendar, and photo albums without the user’s consent, requesting “numerous permissions beyond the normal functionality of a shopping app,” the news channel said.

It’s worth noting that Google suspended Pinduoduo’s official app from the Play Store in March, citing malware identified in “off-Play versions” of the software.


However, it remains unclear how these APK files were signed with the same key used to sign the legitimate Pinduoduo app. This points to either a compromised signing key, the work of a rogue insider, a compromise of Pinduoduo’s build pipeline, or a deliberate malware distribution attempt by the Chinese company.

The second vulnerability added to the KEV catalog is an insecure deserialization flaw in Novi Survey software that allows remote attackers to execute code on the server in the context of the service account.
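The Novi Survey flaw is only described by its class, insecure deserialization, so the following is an added, generic illustration of the defensive pattern rather than any Novi Survey code: deserialization of untrusted input must be restricted to an explicit allowlist of types, because a general-purpose deserializer that resolves arbitrary class names from the input is what turns a data-parsing step into code execution. Python's `pickle` is used here purely as a stand-in for whichever serialization library an affected product uses; the allowlist, the `RestrictedUnpickler` class, and the sample payloads are all constructed for this example.

```python
import builtins
import datetime
import io
import pickle

# Constructed allowlist: the only builtins an untrusted payload may reconstruct.
SAFE_BUILTINS = frozenset({
    "dict", "list", "set", "frozenset", "tuple",
    "str", "int", "float", "bool", "bytes",
})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_BUILTINS.

    A stock Unpickler resolves whatever module.name the payload asks for,
    which is exactly the behaviour an insecure-deserialization bug exposes.
    Overriding find_class turns every unexpected reference into a hard error.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes under the allowlist; raises on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Show a benign payload passing and a payload outside the allowlist being rejected."""
    # Constructed benign payload: plain containers and scalars only.
    benign = pickle.dumps({"survey_id": 42, "answers": ["a", "b"]})
    loaded = restricted_loads(benign)

    # Constructed out-of-allowlist payload: references datetime.date, which the
    # restricted loader must refuse even though the class itself is harmless.
    outside = pickle.dumps(datetime.date(2023, 4, 10))
    try:
        restricted_loads(outside)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True

    return loaded, rejected


if __name__ == "__main__":
    print(demo())
```

The same principle applies to other stacks: a deserializer reachable from the network should accept only a closed set of data-carrying types, and any reference to a type outside that set should fail loudly and be logged, since such a request from an external client is itself a useful detection signal.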

The issue, which affects versions of Novi Survey prior to 8.9.43676, was addressed by the Boston-based provider on April 10, 2023. It is currently unknown how the flaw is being exploited in real-world attacks.

To mitigate the risks posed by these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary patches by May 4, 2023.
