Google fixes a critical DoS flaw tracked as CVE-2019-2232 in Android

Google addressed a critical vulnerability, tracked as CVE-2019-2232, that could trigger a permanent denial of service (DoS) condition in Android.

Google released December 2019 security updates for its Android mobile OS that addressed several flaws, including a critical vulnerability, tracked as CVE-2019-2232, that could result in a permanent denial of service (DoS).

Google addressed more than 40 vulnerabilities, including 17 as part of the 2019-12-01 security patch level, and 27 more in the 2019-12-05 security patch level.

The 2019-12-01 security patch level addressed six issues that reside in the Framework, two in the Media framework, seven in the System, and two in the Google Play system updates.

The critical CVE-2019-2232 DoS flaw affects the Framework component, it can be exploited by a remote attacker to cause a permanent DoS condition by sending a specially crafted message. The flaw affects Android versions 8.0, 8.1, 9, and 10.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted message to cause a permanent denial of service.” reads the security advisory published by Google.

Google also addressed other 5 issues in the Framework, three high-severity elevation of privilege flaws (CVE-2019-9464, CVE-2019-2217, CVE-2019-2218), one high-risk information disclosure (CVE-2019-2220), and one medium-severity elevation of privilege bug (CVE-2019-2221).

The vulnerabilities patched in System are high severity issues that include a remote code execution, an elevation of privilege, and five information disclosure weaknesses.

The flaws addressed in the Media framework are RCE flaws rated as moderate severity, they impact Android 10.

The 2019-12-05 security patch level addresses one high-severity information disclosure issue in Framework and one in the System. It also fixes three high-risk elevation of privilege issues in Kernel and twelve high-severity vulnerabilities in Qualcomm components.

Moreover, it also brings patches for a total of ten flaws in Qualcomm closed-source components, three of which are considered critical, and seven rated high risk.

Google also addressed a collection of security vulnerabilities on Pixel devices only.

“The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices).” reads the Pixel Update Bulletin—December 2019.

“For Google devices, security patch levels of 2019-12-05 or later address all issues in this bulletin and all issues in the December 2019 Android Security Bulletin.”

Pierluigi Paganini

(SecurityAffairs – Google, Android CVE-2019-2232)

Share On