Google has released the second part of the May security patch for Android, including a fix for an actively exploited Linux kernel vulnerability.
The flaw, tracked as CVE-2021-22600, is a privilege escalation bug in the Linux kernel that threat actors can exploit via local access. As Android uses a modified Linux kernel, the vulnerability also affects the operating system.
Google’s researchers disclosed the Linux vulnerability in January and also introduced a fix that was responsibly disclosed to Linux vendors. However, it has taken a few months to fix this vulnerability in Google’s own Android operating system.
In April, CISA disclosed that this vulnerability was being actively exploited in attacks and added it to its ‘Known Exploited Vulnerabilities Catalog.’ In the May Android security bulletin, Google confirms that “CVE-2021-22600 may be under limited, targeted exploitation.”
It is not clear how the vulnerability is being used in attacks, but it is likely being used to execute privileged commands and spread laterally through Linux systems in corporate networks.
Recent Android versions (10, 11, 12) have introduced increasingly strict protections, making it hard for malware to acquire the permissions needed for advanced functions. As such, it is plausible that malware turns to exploiting flaws like this one after initial infection to gain elevated privileges.
A second potential use for this vulnerability is for device rooting tools that users install and activate themselves to gain root privileges on the device.
Here’s a summary of what else has been fixed this month:
- Four escalation of privilege (EoP) and one information disclosure (ID) flaws in the Android Framework
- Three EoP, two ID, and two denial of service (DoS) flaws in the Android System
- Three EoP and one ID flaw in Kernel components
- Three high-severity vulnerabilities in MediaTek components
- 15 high-severity and one critical-severity flaw in Qualcomm components
Note that the fix for CVE-2021-22600 and all of those coming from third-party vendors are available on the 2022-05-05 security patch level, not on the first security patch level released on May 1, 2022.
Regardless, all of these fixes will also be incorporated into the first security patch level of next month, which is to be released on June 1, 2022.
If you are using Android 9 or older, this security patch does not apply to your device, and you should upgrade to a more recent Android OS version for security reasons.
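Because the kernel and vendor fixes land only on the 2022-05-05 level, the practical check for an administrator is whether a device reports a patch level of 2022-05-05 or later rather than just "May 2022". The POSIX shell script below is an added example, not from the article or from Google; it assumes the patch level is read from the real Android property ro.build.version.security_patch (via adb), and uses constructed sample values so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article): decide whether an Android device's
# security patch level includes the 2022-05-05 fixes, i.e. the one carrying
# CVE-2021-22600 and the third-party vendor patches described above.
#
# On a real device the value would be read with:
#   adb shell getprop ro.build.version.security_patch
# Below, constructed sample values stand in for that output.

# covers_cve_2021_22600 LEVEL
#   returns 0 if LEVEL is 2022-05-05 or later (fix present),
#           1 if LEVEL is earlier (fix missing),
#           2 if LEVEL is not a YYYY-MM-DD patch level at all.
covers_cve_2021_22600() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unrecognised patch level: $level" >&2; return 2 ;;
    esac
    # Patch levels are zero-padded ISO dates, so lexical string comparison
    # orders them correctly; expr's '<' does a string compare here because
    # the operands are not plain integers.
    if expr "$level" \< "2022-05-05" >/dev/null; then
        return 1
    fi
    return 0
}

# report_level LEVEL: print a human-readable verdict, propagate the status.
report_level() {
    level="$1"
    covers_cve_2021_22600 "$level"
    status=$?
    case "$status" in
        0) echo "$level: includes the 2022-05-05 fixes (CVE-2021-22600 patched)" ;;
        1) echo "$level: predates 2022-05-05, kernel and vendor fixes missing" ;;
        *) echo "$level: could not be evaluated" ;;
    esac
    return "$status"
}

# Constructed sample values (what getprop might return on two devices).
SAMPLE_LEVEL_FIRST_OF_MONTH="2022-05-01"
SAMPLE_LEVEL_SECOND_OF_MONTH="2022-05-05"

report_level "$SAMPLE_LEVEL_FIRST_OF_MONTH" || :
report_level "$SAMPLE_LEVEL_SECOND_OF_MONTH" || :
```

In a fleet check you would replace the two sample values with the output of `adb shell getprop ro.build.version.security_patch` for each enrolled device; a device on Android 9 or older never reaches the 2022-05-05 level, so it is reported as missing the fix, which matches the article's advice to upgrade those devices.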
Those using Google Pixel devices received additional fixes this month, one of which affects only the most recent Pixel 6 Pro range, which uses the Titan M chip.
The two most interesting are CVE-2022-20120, a critical remote code execution vulnerability impacting the bootloader, and CVE-2022-20117, a critical information disclosure bug in Titan M.