The flaw, which is in the Linux Kernel used by Android, is being tracked as CVE-2021-22600 and is a double-free vulnerability. A double-free vulnerability is when a program or process calls free() twice with the same argument. The program’s memory management structures can become corrupt crashing the program and potentially leading to arbitrary code execution. In the case of the kernel flaw that Google is patching, the double-free bug resides in the packet network protocol implementation.
Each flavor of Linux will have it own patch and for the major distros the patches were released in January this year (2022). The vulnerability has been identified by Google and CISA as actively exploited although Google says the exploitation seems to be targeted and limited in scope. Although the release of a patch by Google is good news it will still take some time for the fixes to roll out to the major brands of phones and then to the carriers. This lag from detection to patch is one more item that shows just how vulnerable mobile devices are.
We have talked about mobile as a threat vector for some time and are. The fact that phones represent such a large part of the corporate BYOD footprint, and they are still not only vulnerable, but also extremely slow to patch. This flaw was identified in 2021 and while desktop versions of Linux have been patched in January 2022, Google did not release their patch until this month while patches for the major phone brands and carriers are yet to hit the streets. This has left a 5+ month window for attackers to leverage this in their plans.
There is a lot of work to be done on the mobile device side for the vast majority of business organizations and even in the consumer world. There is some effort to secure these devices, but the attackers are more than one step ahead here. Companies that are allowing mobile devices to access corporate data also need to step up their monitoring and security tools to prevent compromise of these devices which would allow a complete account and device takeover.