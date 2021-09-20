



The recently released September 2021 Android Security Bulletin addresses 40 vulnerabilities, seven of which are rated Critical. They affect open source components (the Android Framework, Media Framework, and System) as well as kernel components and MediaTek, Unisoc, and Qualcomm components, including Qualcomm closed-source components.

Improper validation of array index vulnerability in Qualcomm closed-source components

Google has released a patch for a Critical improper validation of array index vulnerability (CVE-2021-1933). Its CVSS v3.1 base score is 9.8. Successful exploitation could allow a remote attacker to corrupt memory and execute arbitrary code on the target device, leading to complete compromise. Patching should be prioritized. This affects Qualcomm closed-source components.

Null pointer dereference vulnerability in Qualcomm closed-source components

Google has released a patch for a Critical null pointer dereference vulnerability (CVE-2021-1946). Its CVSS v3.1 base score is 9.8. Successful exploitation could allow a remote attacker who sends specially crafted data to the device to execute arbitrary code and completely compromise it. Patching should be prioritized. This affects Qualcomm closed-source components.

Android Framework denial of service vulnerability

Google has released a patch for a Critical denial of service vulnerability (CVE-2021-0687). Its CVSS v3.1 base score is 8.4. Successful exploitation could allow a remote attacker, using a specially crafted file, to cause a permanent denial of service on the target device. Patching should be prioritized. Affects Android versions 8.1, 9, 10, and 11.

Information disclosure vulnerabilities in the Media Framework

Google has released patches for two information disclosure vulnerabilities (CVE-2021-0689, CVE-2021-0690). The CVSS v3.1 base score for each is 7.8. Successful exploitation could allow a local malicious application to read data belonging to another application, bypassing the operating system protections that isolate application data. Patching should be prioritized. Affects Android versions 8.1, 9, 10, and 11.

Google also fixed eight Elevation of Privilege (EoP) vulnerabilities rated High in the Framework and System, and eight Information Disclosure (ID) vulnerabilities rated High in the Framework, Media Framework, kernel components, and System.

"The most severe of these issues is a critical security vulnerability in the Framework component that could enable a remote attacker using a specially crafted file to cause a permanent denial of service," Google explains. Depending on the privileges associated with the application, a successful attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Discover vulnerabilities and perform remote response actions using VMDR for Mobile Devices

Discover assets missing the latest Android security patches and updates

The first step in managing these critical vulnerabilities and mitigating risk is to identify the affected assets. Qualys VMDR for Mobile Devices makes it easy to identify assets that have not received the latest security patches. For comprehensive mobile device visibility, the Qualys Cloud Agent for Android or iOS must be installed on every mobile device. The device onboarding process is simple.

Query: vulnerabilities.vulnerability.title:"September 2021"

Once you have the list of assets that do not have the latest security patches applied, go to the Vulnerabilities tab, enter vulnerabilities.vulnerability.title:"September 2021", and apply Group By Vulnerabilities to get the list of CVEs that Google fixed in the September security patch. Qualys VMDR helps you understand the risk you take on by allowing unpatched devices to hold corporate data and connect to your corporate network.

You can also apply Group By CVE ID to get only the list of CVEs fixed by Google in the September security update.
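For teams that also want to cross-check the VMDR results directly against devices, the script below is an added example (it is not Qualys code and is not part of the original post). It classifies devices by the value of the `ro.build.version.security_patch` system property, which on a live device is read with `adb shell getprop ro.build.version.security_patch`. The September 2021 bulletin carries two patch levels: 2021-09-01 covers the AOSP Framework, Media Framework and System fixes, and 2021-09-05 additionally covers the kernel and vendor fixes, which is where the Qualcomm closed-source CVEs land. A device reporting 2021-09-01 therefore has the CVE-2021-0687 fix but not the CVE-2021-1933 or CVE-2021-1946 fixes. The inventory lines and serial numbers in the script are constructed sample data.

```shell
#!/bin/sh
# Added example, not Qualys code: classify Android devices against the
# September 2021 bulletin patch levels using ro.build.version.security_patch.

FRAMEWORK_LEVEL="2021-09-01"   # AOSP Framework/Media/System fixes (e.g. CVE-2021-0687)
VENDOR_LEVEL="2021-09-05"      # kernel + vendor fixes (e.g. CVE-2021-1933, CVE-2021-1946)

# Constructed sample inventory: "<serial> <security_patch>" per line.
# On real devices each line would come from:
#   adb -s "$serial" shell getprop ro.build.version.security_patch
INVENTORY='R58M1234ABC 2021-09-05
R58M5678DEF 2021-09-01
ZY223ABCDEF 2021-08-05
HUAWEI0001  2021-07-01'

# True (exit 0) if patch level $1 is older than $2. Both are YYYY-MM-DD,
# so stripping the dashes gives integers that compare in date order.
patch_older_than() {
  a=$(printf '%s' "$1" | tr -d '-')
  b=$(printf '%s' "$2" | tr -d '-')
  [ "$a" -lt "$b" ]
}

# Prints one of:
#   OK              patch level >= VENDOR_LEVEL, all September fixes present
#   MISSING_VENDOR  framework fixes present, kernel/vendor (Qualcomm) fixes missing
#   MISSING_ALL     the September bulletin has not been applied at all
classify_device() {   # $1 = security patch level
  if ! patch_older_than "$1" "$VENDOR_LEVEL"; then
    echo OK
  elif ! patch_older_than "$1" "$FRAMEWORK_LEVEL"; then
    echo MISSING_VENDOR
  else
    echo MISSING_ALL
  fi
}

# Prints "<serial> <patch_level> <status>" for every inventory line.
report() {
  printf '%s\n' "$INVENTORY" | while read -r serial level; do
    [ -n "$serial" ] || continue
    printf '%s %s %s\n' "$serial" "$level" "$(classify_device "$level")"
  done
}

# Number of devices that still need action (anything not OK).
count_unpatched() {
  report | grep -v ' OK$' | wc -l | tr -d ' '
}

report
```

Run it as-is to see the classification of the sample inventory; to use it against a real fleet, replace the `INVENTORY` block with the output of `adb devices` joined to each device's `getprop` result. The two-level split matters for prioritization: the two 9.8-scored Qualcomm issues in this bulletin are only closed on devices at the 2021-09-05 level.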

QID 610363 and QID 610366 are available in signature version SEM VULNSIGS-1.0.0.45 and do not depend on any particular Qualys Cloud Agent version.

You can use the VMDR for Mobile Devices dashboard to track the status of assets that are missing the latest security patches and updates. The dashboard is updated with the latest data collected by the Qualys Cloud Agent on Android and iOS devices.

Remote response action

You can perform a Send Message action to notify end users to update to the latest security patch, and include step-by-step instructions for applying it.

At the time of writing, most manufacturers have not yet released the September security patch. So far it has been released by Google (Pixel), Samsung, LG, and Huawei. For those manufacturers the vulnerabilities are marked as Confirmed; for the rest they are marked as Potential. The manufacturer-specific QIDs are 610362, 610366, 610365, and 610364, and QID 610363 covers the remaining manufacturers. All are available in signature version SEM VULNSIGS-1.0.0.45.

We recommend updating assets detected as vulnerable to the latest Android security patch. For the remaining manufacturers, take appropriate action based on the criticality of the asset.

Get started now

Qualys VMDR for Mobile Devices is available free of charge for 30 days to help customers detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app version available on the Google Play store. Sign up for the 30-day free trial to try it out.

