CVE-2021-0599 in Android

Summary

by MITRE • 07/15/2021

In scheduleTimeoutLocked of NotificationRecord.java, there is a possible disclosure of a sensitive identifier via broadcasted intent due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-9 Android-10 Android-11 Android-8.1
Android ID: A-175614289


Analysis

by VulDB Data Team • 07/18/2021

CVE-2021-0599 resides in the Android notification subsystem, in the scheduleTimeoutLocked method associated with NotificationRecord.java inside the system server. The flaw is a confused deputy: the system, acting on behalf of a notification it manages, broadcasts an intent that carries a sensitive identifier, and a party that has no right to that identifier is able to obtain it. Affected releases are Android 8.1, 9, 10 and 11, so the exposure covered most of the installed base at the time of disclosure. The root cause is a broadcast intent built with sensitive content and insufficient restriction on who may receive or act on it.

The Locked suffix in scheduleTimeoutLocked follows the AOSP naming convention for methods that must be called while the service's lock is held; it does not mean that the notification itself is locked or restricted. The method arms the expiry alarm for a notification posted with a timeout (the Notification.Builder.setTimeoutAfter feature). When that alarm fires, the framework delivers a broadcast intent on the notification's behalf. Because the intent carried a sensitive identifier and was not adequately confined to its intended recipient, a component with no legitimate access to the identifier could receive it. That is the confused-deputy shape: the system server, a highly privileged principal, ends up disclosing data for a caller that could not have obtained it on its own.

Operationally this is a local information disclosure. The attacker needs code running on the device, but no special permission and no user interaction; an ordinary installed app is sufficient, and because nothing has to be clicked or approved, exploitation can happen silently in the background. The advisory names the leaked data only as "a sensitive identifier". Notification-level identifiers in the framework typically encode the posting package and user, so exposure could let an app learn about notifications and applications it has no permission to observe, for example as reconnaissance before a further attack. Nothing on this page supports stronger claims about the identifier's content, and the severity should be read as disclosure, not code execution or privilege escalation.

The weakness maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control): sensitive data is exposed, and the mechanism that exposes it fails to restrict its recipients. The remedy for device owners is to install the Android security patch level that includes the fix for A-175614289. For developers the lesson is the standard one for Android IPC: an intent that carries anything sensitive should be explicit (target a component, or at least setPackage), the PendingIntent that wraps it should be immutable, and broadcasts that must remain implicit should be protected by a signature-level permission, because a system-originated broadcast otherwise reaches every receiver registered for its action. Defenders have little to monitor at runtime here; the effective control is patch level, verified with the device's security patch date.
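The mechanism described above, as an added illustration rather than code from AOSP or from the patch for A-175614289: a framework-side scheduler arms a timeout alarm with a broadcast PendingIntent that carries a notification identifier, first in the shape that leaks it to any co-located app and then in a confined shape, followed by the receiver an unprivileged app would register to collect the leak. The class, action and extra names (TimeoutScheduler, ACTION_TIMEOUT, EXTRA_KEY, KeySniffer) are assumptions chosen for the example; the Android APIs used are real.

```java
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;
import android.os.SystemClock;
import android.util.Log;

/**
 * Illustration of the confused-deputy broadcast pattern; not AOSP code and not the
 * actual fix. Action, extra and class names are assumptions chosen for this example.
 */
public final class TimeoutScheduler {
    static final String ACTION_TIMEOUT = "com.example.notification.TIMEOUT";   // assumed
    static final String EXTRA_KEY = "com.example.notification.EXTRA_KEY";      // assumed

    private final Context ctx;
    private final AlarmManager alarms;

    public TimeoutScheduler(Context systemContext) {
        ctx = systemContext;
        alarms = systemContext.getSystemService(AlarmManager.class);
    }

    // Extras do not make two PendingIntents distinct (Intent.filterEquals ignores them),
    // so the key also goes into the data URI; otherwise FLAG_UPDATE_CURRENT would let
    // each new notification's timeout overwrite the previous one.
    private static Intent baseIntent(String notificationKey) {
        return new Intent(ACTION_TIMEOUT)
                .setData(Uri.fromParts("timeout", notificationKey, null))
                .putExtra(EXTRA_KEY, notificationKey);
    }

    /**
     * Vulnerable shape. The Intent names no package or component, so when the alarm
     * fires the framework delivers it, with the system's authority, to every receiver
     * registered for ACTION_TIMEOUT anywhere on the device, key included.
     */
    public void scheduleVulnerable(String notificationKey, long timeoutMillis) {
        PendingIntent pi = PendingIntent.getBroadcast(ctx, 0, baseIntent(notificationKey),
                PendingIntent.FLAG_UPDATE_CURRENT);
        alarms.setExactAndAllowWhileIdle(AlarmManager.ELAPSED_REALTIME_WAKEUP,
                SystemClock.elapsedRealtime() + timeoutMillis, pi);
    }

    /**
     * Hardened shape. setPackage() confines the broadcast to this package's receivers,
     * and FLAG_IMMUTABLE stops anyone who obtains the PendingIntent from filling in or
     * redirecting the wrapped Intent.
     */
    public void scheduleHardened(String notificationKey, long timeoutMillis) {
        Intent timeout = baseIntent(notificationKey).setPackage(ctx.getPackageName());
        PendingIntent pi = PendingIntent.getBroadcast(ctx, 0, timeout,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
        alarms.setExactAndAllowWhileIdle(AlarmManager.ELAPSED_REALTIME_WAKEUP,
                SystemClock.elapsedRealtime() + timeoutMillis, pi);
    }

    /**
     * What a third-party app (the unprivileged beneficiary of the confused deputy) needs
     * in order to observe the vulnerable shape: a runtime-registered receiver for the
     * action, with no permission declared or required. The two-argument registerReceiver
     * is valid on the affected releases (8.1 to 11). Against scheduleHardened() this
     * receiver is never invoked, because the broadcast is confined to the system package.
     */
    public static final class KeySniffer extends BroadcastReceiver {
        public static void register(Context appContext) {
            appContext.registerReceiver(new KeySniffer(), new IntentFilter(ACTION_TIMEOUT));
        }

        @Override
        public void onReceive(Context c, Intent intent) {
            String leakedKey = intent.getStringExtra(EXTRA_KEY);
            Log.w("KeySniffer", "observed notification identifier: " + leakedKey);
        }
    }
}
```

The two scheduling methods differ only in the intent's target and the PendingIntent's mutability, which is the point: the leak is not in the alarm or the notification logic but in who is allowed to receive a broadcast the system sends on someone else's behalf. Where a broadcast genuinely has to stay implicit, the alternative confinement is a signature-level permission passed as the receiverPermission argument of sendBroadcast, which this example omits for brevity.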

Reservation

11/06/2020

Disclosure

07/15/2021

Moderation

accepted

CPE

ready

EPSS

0.00131

KEV

no

Activities

very low
