Google patched a critical encryption bug found on its Pixel, Pixel 2 and Nexus phones this week along with delivering 49 other fixes, part of its December Pixel / Nexus Security Bulletin.
Five of the patches relate to vulnerabilities rated high. One of the patches (CVE-2017-13167) is for an elevation of privilege vulnerability and four others could open the door for a denial of service attack, according to Google.
The only critical patch (CVE-2017-14907) is tied to a bug in “Qualcomm closed-source components” that weakens the cryptographic strength of handsets while it derives a disk encryption key, Google stated.
A Common Vulnerabilities and Exposures (CVE-2017-14907) description of the encryption bug states: “In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, cryptographic strength is reduced while deriving disk encryption key.”
Android CAF (Custom Android Firmware) releases are custom branches of the Linux kernel developed to support Qualcomm chipsets. Qualcomm MSM chips are processors made for older-model high-end phones. Android for MSM, Firefox OS for MSM and QRD (Qualcomm Reference Design) Android are each Android projects that extend support for the Qualcomm MSM chips.
According to those familiar with the encryption bug, the vulnerability was discovered and patched, and an update was released to customers and partners in May by Qualcomm. Qualcomm declined to comment on the vulnerability.
The Pixel/Nexus Security Bulletin coincided with the release of Google’s Android Security Bulletin. A total of 47 vulnerabilities and patches were listed in that report, with 10 rated critical in severity.
“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” according to the bulletin.
Google lists critical Media framework vulnerabilities (CVE-2017-0872, CVE-2017-0876, CVE-2017-0877, CVE-2017-0878 and CVE-2017-13151) that each create conditions favorable to a remote code execution attack on Android handsets. Media framework codecs impacted are libmpeg2, libhevc, libavc and libskia.
Google’s Android bulletin also warns of four critical Qualcomm component vulnerabilities, three of which are also tied to remote code execution conditions. Other vendors mentioned in the Android bulletin are Broadcom, Kernel, MediaTek and NVIDIA.
Patches are delivered over the air by handset manufacturers, and Google urges customers to accept and apply patches to their devices.