Logging of potentially sensitive information via NativeDaemonConnector (CVE-2013-2599)

Release Date: 
July 3, 2013
Affected Projects: 
Advisory ID: 
QCIR-2013-00003-1
Summary: 

The following security vulnerability has been identified in the NativeDaemonConnector class.

CVE-2013-2599:
Due to the state of a boolean variable within the NativeDaemonConnector class, messages passed to its log method will be logged in the system log. In some cases this can result in unwanted logging of potentially sensitive information such as the disk encryption password when MountService is instantiating NativeDaemonConnector to pass and log communication to vold. The messages from the system log can be accessed by an adversary, e.g., through the logcat functionality.

AccessVector: local
Security Risk: high
Vulnerability: CWE-534 (information exposure through debug log files)

Affected versions:
All Android releases from CAF using the Linux kernel from the following heads:

  • msm-3.*
  • jb*
Revisions: 

Initial revision

Contact: 
security-advisory@quicinc.com