
CVE-2021-1048 Critical Zero-Day exploit. Patches available from Google

Hi all,

This is an important one.

If the software team could maybe do a one-off emergency release with just this patch that would be a really good thing. I’m considering whether it’s safe to run my FF3 in the meantime.

https://source.android.com/security/bulletin/2021-11-01

7 Likes

I note you are working in cyber security and such will mean a lot to you, but what is the detail of your concern, or is that not to be spoken of in detail :slight_smile:

Apple and Google can do quick patches to their OSs but I don’t think Fairphone have the same basic resources and any update they make has to go back to Google to be sanctioned. Is that an easy thing to do?

So back to the issue, why do you think it may not be safe to run your FP3?

Are you using your FP3 in a specific way that this issue will impact you more than the common user? :slight_smile:

There is a kernel vulnerability in Android which could cause remote code execution - which means it is critical and should be patched as soon as possible. As mentioned in the link above, this issue is under limited, targeted exploitation.

No need for that. You don’t have to use the phone in a specific way to be at risk.

This zero day exploit is already present in many publications, just to name a few:
Security Week
Hacker News
Cybersecurity help
German authority for cybersecurity

But as mentioned by @rae in other threads, FP plans to release the new update “early November” for FP3. So I guess it will soon be out.

3 Likes

Yes I’m aware of that :slight_smile: Here’s hoping it will cover this issue but the questions were directed @Mark_Jaroski

Where does it mention remote code execution? The CVE sources I find state “CVE-2021-1048 is a use-after-free issue in the kernel that allows for local privilege escalation.” Privilege escalation is bad, but requires local access, e.g. installing a rogue application, or having an exploitable application (e.g. a browser) obtain code (e.g. javascript) that knows how to abuse this kernel vulnerability despite all the sandboxing. I’d like to see this issue fixed ASAP, but I suspect the impact on phone users is fairly small.

Mind you, even remote code execution bugs in the kernel are hard to abuse in practice. The kernel attack surface from a remote entity is often limited to bugs in network drivers or code. Incoming connections are blocked by your telecom operator or local wifi set-up, meaning they can really only be exploited on public wifi networks. Either that, or an outgoing connection from your phone has to be abused, but that requires you actively making a connection to an adversary (again, by installing a rogue app or the likes). Stay vigilant, and you’ll be fine.

3 Likes

You are right, I mixed up some things, sorry.

The remote code execution is not about CVE-2021-1048. It is about two other vulnerabilities that are included in the newest patch level (CVE-2021-0918 and CVE-2021-0930).

Source from here:
Also remediated in the security patch are two critical remote code execution (RCE) vulnerabilities — CVE-2021-0918 and CVE-2021-0930 — in the System component that could allow remote adversaries to execute malicious code within the context of a privileged process by sending a specially-crafted transmission to targeted devices.

3 Likes

These two are in the 2021-11-01 patch level for Android. There is currently an update for the FP2 with the beta testing team that goes to the November 5 patch level - but this does not yet include CVE-2021-1048 as far as I know.

For the FP3, I don’t have any insight in software development so I can’t tell whether that update is coming.

2 Likes

@ontheair Did a fine job of answering them while I was asleep. :slight_smile:

I think it might be worthwhile to have two different streams for patching. One for features and non-security issues, and another one for security.

Unless the patch actually bricks my phone I’d rather have critical security patches right away.

Meanwhile, Google released these patches to vendors a month ago. So at nearly the same time that I wrote a congratulatory note in this forum for the speed of the August security update, Fairphone already knew about this critical patch.

2 Likes

Have you contacted Fairphone with your concern and alternative to patching for security? I have this notion they will not have the resources.

Am I not contacting them here?

@rae , do we have a timeline for rolling out this critical security patch?

This is a community forum only and even if FP employees are reading sometimes, this is no official contact to the company #contactsupport

2 Likes

OK. Fair enough.

But we also need to raise awareness of this issue. These are very serious vulnerabilities which are being exploited in the wild, and for which there is a patch. Fairphone users like yourself need to understand that we need this patch today, and that it’s a problem that we don’t have it yet.

If I’m the only one to report this, it stands a lower chance of being prioritized.

2 Likes

Sure you can share here, however as I think already stated above, most people (including myself) don’t care, as most people don’t know any instance where one was hacked and don’t see a real danger

1 Like

Well, contacting support seems to have a little issue now.

1 Like

Things that happen…:wink:

You can email direct support@fairphone|dot|com.

I am at pains to add that like previously said not many people have a bad experience, well none that I know.

It will be interesting to know what Fairphone have to say :slight_smile:

1 Like

I’m not sure how to respond to this.

I think maybe you’ve identified the biggest problem we have in cybersecurity.

Did you know that some people use the same password everywhere, for example?

3 Likes

Real attackers go to great pains to be stealthy and to avoid giving you a “bad experience”, at least until they are ready to cash in.

2 Likes