CVE-2021-0979 in Android

Summary

by MITRE • 12/15/2021

In isRequestPinItemSupported of ShortcutService.java, there is a possible cross-user leak of packages in which the default launcher supports requests to create pinned shortcuts due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-12
Android ID: A-191772737

Analysis

by VulDB Data Team • 12/18/2021

The vulnerability identified as CVE-2021-0979 resides within the Android operating system's ShortcutService.java component, specifically in the isRequestPinItemSupported method. This flaw represents a critical cross-user privilege escalation issue that allows unauthorized access to package information across different user profiles on the same device. The vulnerability stems from insufficient permission checks that should normally prevent one user from accessing another user's application packages when requesting pinned shortcuts through the default launcher.

The technical implementation of this vulnerability exploits a permissions bypass mechanism within the Android shortcut pinning system. When a user attempts to create a pinned shortcut, the system should verify that the requesting user has appropriate permissions to access the target application package. However, the flaw in ShortcutService.java allows a malicious user to bypass these security checks and potentially access package information belonging to other users on the same device. This cross-user information disclosure occurs without requiring any additional execution privileges or user interaction, making it particularly concerning from a security perspective.
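The missing check described above can be modelled in a few lines. This is an added illustration, not AOSP code and not the actual patch: the class, method names, grant table and sample UIDs are constructed, the calling UID is passed as a parameter where a real system service would obtain it from Binder, and only the uid / 100000 mapping to a user ID follows Android's convention.

```java
import java.util.Map;
import java.util.Set;

// Simplified model (not AOSP code) of a per-user system service query.
public class PinSupportModel {
    static final int PER_USER_RANGE = 100000; // Android convention: userId = uid / 100000

    // Constructed state: userId -> does that user's default launcher accept pin requests?
    static final Map<Integer, Boolean> LAUNCHER_SUPPORTS_PIN = Map.of(0, true, 10, false);
    // Constructed state: UIDs holding a cross-user permission (hypothetical grant table).
    static final Set<Integer> CROSS_USER_UIDS = Set.of(1000);

    static int userIdOf(int uid) { return uid / PER_USER_RANGE; }

    // Weak form: trusts the userId argument and never compares it with the caller's user.
    static boolean isPinSupportedUnchecked(int callingUid, int targetUserId) {
        return LAUNCHER_SUPPORTS_PIN.getOrDefault(targetUserId, false);
    }

    // Hardened form: the argument must match the caller's own user unless
    // the caller holds a cross-user permission.
    static boolean isPinSupportedChecked(int callingUid, int targetUserId) {
        if (userIdOf(callingUid) != targetUserId && !CROSS_USER_UIDS.contains(callingUid)) {
            throw new SecurityException(
                "uid " + callingUid + " may not query user " + targetUserId);
        }
        return LAUNCHER_SUPPORTS_PIN.getOrDefault(targetUserId, false);
    }

    public static void main(String[] args) {
        int appInUser10 = 10 * PER_USER_RANGE + 10123; // constructed app UID in user 10

        // Unchecked: an app running as user 10 learns the launcher state of user 0.
        System.out.println("unchecked 10 -> 0: " + isPinSupportedUnchecked(appInUser10, 0));

        // Checked: a same-user query is answered, a cross-user query is rejected.
        System.out.println("checked 10 -> 10: " + isPinSupportedChecked(appInUser10, 10));
        try {
            isPinSupportedChecked(appInUser10, 0);
        } catch (SecurityException e) {
            System.out.println("checked 10 -> 0: denied, " + e.getMessage());
        }

        // A caller in the grant table may still query another user.
        System.out.println("checked uid 1000 -> 10: " + isPinSupportedChecked(1000, 10));
    }
}
```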

From an operational standpoint, this vulnerability enables local information disclosure attacks that can reveal sensitive package metadata, application configurations, and potentially other user-specific data that should remain isolated between different user profiles. The impact extends beyond simple information disclosure as it undermines the fundamental security boundary that separates user sessions on Android devices. Attackers could potentially gather intelligence about installed applications, their versions, and other metadata that could be leveraged in subsequent attacks. This vulnerability affects Android 12 systems and represents a failure in the Android security model's user isolation mechanisms.

The vulnerability aligns with CWE-284, which addresses improper access control, and demonstrates how insufficient permission checking can lead to unauthorized data access. From an ATT&CK perspective, this issue maps to T1068, which covers the use of exploits for privilege escalation, and T1083, which involves file and directory discovery. The lack of user interaction requirements makes this vulnerability particularly dangerous as it can be exploited automatically without requiring any form of social engineering or user deception. The security implications extend to potential escalation pathways where attackers might use this information to identify other vulnerabilities or plan more sophisticated attacks against the target device or its users. Organizations should implement immediate mitigations including system updates, proper user session isolation verification, and monitoring for unauthorized access patterns to prevent exploitation of this cross-user information disclosure vulnerability.

The vulnerability represents a significant weakness in Android's multi-user security model and highlights the importance of proper permission validation in system-level components. The fact that this issue affects the default launcher functionality means that it could be exploited through normal device usage patterns, making detection and prevention particularly challenging for end users. Security practitioners should prioritize patching this vulnerability and consider implementing additional monitoring controls to detect unauthorized access attempts to user-specific package information.

Reservation: 11/06/2020
Disclosure: 12/15/2021
Moderation: accepted
CPE: ready
EPSS: 0.00105
KEV: no
Activities: very low
