CVE-2021-0704 in Android

Summary

by MITRE • 12/15/2021

In createNoCredentialsPermissionNotification and related functions of AccountManagerService.java, there is a possible way to retrieve accounts from the device without permissions due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-10 Android-11 Android-9
Android ID: A-179338675


Analysis

by VulDB Data Team • 12/18/2021

The vulnerability identified as CVE-2021-0704 represents a critical permissions bypass flaw within Android's AccountManagerService component that affects Android 9, 10, and 11 versions. This issue resides in the createNoCredentialsPermissionNotification function and related methods within AccountManagerService.java, where the system fails to properly validate credential permissions during account notification creation processes. The flaw allows malicious applications or attackers to retrieve account information from devices without possessing the necessary permissions typically required for such operations, fundamentally undermining the Android security model's permission enforcement mechanisms.

The technical implementation of this vulnerability stems from insufficient access control validation within the account management service. When the system creates notifications for account credentials, it fails to properly verify whether the requesting component has legitimate authorization to access the associated account information. This creates a scenario where unauthorized entities can exploit the permission bypass to enumerate accounts stored on the device, potentially gaining access to sensitive authentication data including usernames, account types, and associated credential information. The vulnerability operates at the system level within the AccountManagerService, making it particularly dangerous as it can be exploited without requiring any user interaction or additional privileges beyond what might be normally available to standard applications.

The operational impact of CVE-2021-0704 extends beyond simple information disclosure, creating potential pathways for more severe attacks within the Android ecosystem. An attacker exploiting this vulnerability could gather comprehensive account information across multiple services that utilize the Android account management framework, potentially enabling credential harvesting attacks, account takeover attempts, or further exploitation of other system components that rely on account data. The lack of user interaction requirements makes this vulnerability particularly concerning for mobile environments where applications may run continuously in the background. This issue directly violates the principle of least privilege and can be classified under CWE-284, which addresses improper access control vulnerabilities in software systems. The vulnerability also aligns with ATT&CK technique T1552.001, which covers "Credentials In Files" and represents a method by which adversaries can obtain sensitive information through improper access control mechanisms.

Mitigation strategies for this vulnerability require immediate patching of affected Android versions through official security updates from device manufacturers. Organizations should implement comprehensive monitoring for suspicious account enumeration activities and ensure that all devices are kept up to date with the latest security patches. The vulnerability highlights the importance of proper permission validation in system-level services and underscores the need for robust security testing of account management components. Security teams should conduct thorough assessments of applications that might be exploiting similar permission bypass patterns and consider implementing additional monitoring controls for account-related system calls. Device manufacturers and developers should also review their implementation of account management APIs to ensure proper validation of credential access requests and prevent similar issues from occurring in future releases.

Reservation: 11/06/2020
Disclosure: 12/15/2021
Moderation: accepted
CPE: ready
EPSS: 0.00128
KEV: no
Activities: very low
