SB2019101110 - Incorrect default permissions in Google, Google Android
Published: October 11, 2019 Updated: November 3, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Incorrect default permissions (CVE-ID: CVE-2019-2114)
CWE-ID: CWE-276 - Incorrect Default Permissions
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions within the Android Beam service when installing application transferred via NFC. An attacker with physical proximity to the device can transfer a malicious application to the device and trick the victim into installing it just by tapping on the notification. No additional warnings are displayed for apps, transferred via NFC beaming.
Remediation
Install update from vendor's website.