PEPPERL+FUCHS Linux Kernel Vulnerability on ecom Mobile Devices

VDE-2019-021 (2019-11-07 11:31 UTC+0200)

CVE Identifier

CVE-2019-2215

Affected Vendors

PEPPERL+FUCHS

Affected Products

Tab-Ex 01, Smart-Ex 01, Smart-Ex 201, Ex-Handy 09, Ex-Handy 209

Vulnerability Type

Use After Free (CWE-416)

Summary

A use-after-free in binder.c allows an elevation of privilege from an application to the Linux kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network-facing application. This vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel, AOSP Android 3.18 kernel, AOSP Android 4.4 kernel, and AOSP Android 4.9 kernel. This means that most of the Android devices available on the market with the unpatched kernel are still vulnerable, even if the owners have installed the latest Android security updates.

Impact

Pepperl+Fuchs analyzed its ecom branded mobile device portfolio with respect to Android Binder driver use-after-free attacks. To our current knowledge, only Tab-Ex 01, Smart-Ex 01, Smart-Ex 201, Ex-Handy 09, and Ex-Handy 209 are potentially affected by these vulnerabilities.

In order to exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system.

ecom mobile devices are normally used in the corporate network. This implies that outgoing connections and local software installations have to be configured by administrators. Taking these steps greatly reduces the risk of unwittingly accessing malicious content and executing unknown code, e.g. by accessing a website that was prepared by an attacker.

Solution

As the manufacturer of the original devices no longer delivers any updates, there will be no updates for this vulnerability.

Device users can at least reduce the likelihood of active attacks by limiting app installation to the bare essentials, using the Play Store whenever possible. Corporate devices should be restricted by an administrator through a Mobile Device Management (MDM) solution or similar.

Reported by

Google Project Zero researcher Maddie Stone