Main Vulnerability Database Vulnerabilities #VU37273

Input validation error in Google Android - CVE-2017-13284

Published: April 4, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU37273

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-13284

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Google Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In config_set_string of config.cc, it is possible to pair a second BT keyboard without user approval due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-70808273.

How to mitigate CVE-2017-13284

Install update from vendor's website.

Sources

https://source.android.com/security/bulletin/2018-04-01

Input validation error in Google Android - CVE-2017-13284

Detailed vulnerability description

How to mitigate CVE-2017-13284

Sources

Please verify you're human