SB2020081280 - Remote code execution in Google Play Core Library

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2020-8913)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error when processing directory traversal sequences inside apk files in Android's Play Core Library within the SplitCompat.install endpoint. A remote attacker can create a specially crafted APK file that targets a specific application, trick the victim into installing that APK and gain full access to the targeted application.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system but requires that the victim willingly installs a malicious application.

Remediation

Install update from vendor's website.

References

• https://blog.oversecured.com/Oversecured-automatically-discovers-persistent-code-execution-in-the-Google-Play-Core-Library/
• https://developer.android.com/reference/com/google/android/play/core/release-notes#1-7-2