Logging of potentially sensitive information via NativeDaemonConnector (CVE-2013-2599)

Release Date:

July 3, 2013

Affected Projects:

Android for MSMQRD Android

Advisory ID:

QCIR-2013-00003-1

CVE ID(s):

CVE-2013-2599

Summary:

The following security vulnerability has been identified in the NativeDaemonConnector class. CVE-2013-2599: Due to the state of a boolean variable within the NativeDaemonConnector class, messages passed to its log method will be logged in the system log. In some cases this can result in unwanted logging of potentially sensitive information such as the disk encryption password when MountService is instantiating NativeDaemonConnector to pass and log communication to vold. The messages from the system log can be accessed by an adversary, e.g., through the logcat functionality.

Access Vector: Local
Security Risk: High
Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel from the following heads: msm-3.*, jb*

Patch:

We advise customers to apply the following patch:
https://www.codeaurora.org/gitweb/quic/la/?p=platform/frameworks/base.git;a=commit;h=9e46bf8fcadfc4d31ead9a07a71b4ca6dc87509a

Acknowledgement:

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com