9VSA23-00841-01 CSIRT comparte vulnerabilidades parchadas para Android (patch level 2023-06-05)

Resumen

El CSIRT de Gobierno comparte información de nuevas vulnerabilidades parchadas por Google para su sistema operativo Android, en su actualización de seguridad correspondiente a junio 2023.

Vulnerabilidades

CVE-2021-0701

CVE-2021-0945

CVE-2022-22060

CVE-2022-22706

CVE-2022-28349

CVE-2022-33251

CVE-2022-33257

CVE-2022-33264

CVE-2022-33292

CVE-2022-40516

CVE-2022-40517

CVE-2022-40520

CVE-2022-40521

CVE-2022-40523

CVE-2022-40529

CVE-2022-40533

CVE-2022-40536

CVE-2022-40538

CVE-2022-46781

CVE-2022-48390

CVE-2022-48391

CVE-2022-48392

CVE-2022-48438

CVE-2023-21095

CVE-2023-21101

CVE-2023-21105

CVE-2023-21108

CVE-2023-21115

CVE-2023-21120

CVE-2023-21121

CVE-2023-21122

CVE-2023-21123

CVE-2023-21124

CVE-2023-21126

CVE-2023-21127

CVE-2023-21128

CVE-2023-21129

CVE-2023-21130

CVE-2023-21131

CVE-2023-21135

CVE-2023-21136

CVE-2023-21137

CVE-2023-21138

CVE-2023-21139

CVE-2023-21141

CVE-2023-21142

CVE-2023-21143

CVE-2023-21144

CVE-2023-21628

CVE-2023-21656

CVE-2023-21657

CVE-2023-21658

CVE-2023-21659

CVE-2023-21661

CVE-2023-21669

CVE-2023-21670

Impacto

Vulnerabilidades de riesgo crítico

CVE-2023-21127: Vulnerabilidad en Android Framework, que podría dar lugar a la ejecución remota de código sin necesidad de privilegios de ejecución adicionales. La interacción del usuario es necesaria para la explotación.

CVE-2023-21108: Vulnerabilidad en Android System, que podría dar lugar a la ejecución remota de código a través de Bluetooth, si la compatibilidad con HFP está habilitada, sin necesidad de privilegios de ejecución adicionales. La interacción del usuario no es necesaria para la explotación.

CVE-2023-21130: Vulnerabilidad en Android System, que podría dar lugar a la ejecución remota de código a través de Bluetooth, si la compatibilidad con HFP está habilitada, sin necesidad de privilegios de ejecución adicionales. La interacción del usuario no es necesaria para la explotación.

CVE-2022-33257: Vulnerabilidad que afecta a los componentes de código cerrado de Qualcomm.

CVE-2022-40529: Vulnerabilidad que afecta a los componentes de código cerrado de Qualcomm.

Mitigación

Instalar las respectivas actualizaciones entregadas por el proveedor.

Productos afectados

Android 11, 12 y 13.

Enlaces

https://source.android.com/docs/security/bulletin/2023-06-01?hl=es-419

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0701

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0945

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22706

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28349

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33251

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33257

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33264

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33292

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40516

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40517

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40520

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40521

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40523

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40529

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40533

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40536

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40538

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46781

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48390

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48391

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48392

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48438

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21095

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21101

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21105

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21108

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21115

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21120

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21121

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21122

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21123

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21124

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21126

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21127

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21128

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21129

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21130

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21131

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21135

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21136

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21137

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21138

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21139

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21141

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21142

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21143

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21144

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21628

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21656

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21657

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21658

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21659

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21661

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21669

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21670

Informe

El informe oficial publicado por el CSIRT del Gobierno de Chile está disponible en el siguiente enlace: 9VSA23-00841-01.