CVE-2021-0994 in Android
Summary
by MITRE • 12/15/2021
In requestRouteToHostAddress of ConnectivityService.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-12
Android ID: A-193801134
Analysis
by VulDB Data Team • 12/18/2021
The vulnerability identified as CVE-2021-0994 resides in the ConnectivityService.java component of Android 12, specifically in the requestRouteToHostAddress method. It is a privacy and security concern because it lets an application determine whether other applications are present on the device without holding the package-visibility (query) permission. The root cause is an insufficient permission check: the method does not validate that the requesting application is authorized to learn about other installed packages.
Technically, the method does not properly validate the calling application's permissions before it can expose information about installed applications, which opens an information-disclosure channel through which a caller can enumerate installed apps. Because the flaw sits at the system level inside the connectivity service framework, it bypasses the permission boundary that normally protects application-enumeration data.
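The following model, added here and not taken from Android or from the AOSP patch for CVE-2021-0994 (the patch itself is not shown on this page), illustrates the bug class the analysis describes: a service method takes a caller-supplied package name, and without a check binding that name to the calling UID the service's response reveals whether the named package exists. Everything in it is hypothetical and constructed (the package table, the UIDs, the exception types, the idea that an absent package fails differently from a present but unprivileged one). The hardened variant performs the binding check first and rejects any foreign name in one uniform way; on Android, AppOpsManager.checkPackage(uid, packageName) is the framework's standard call for that kind of binding, though whether the real fix uses it is not stated on this page.

```python
"""Constructed model of a missing caller-to-package binding check.

Added illustration, not Android code and not the AOSP patch for
CVE-2021-0994. Assumptions, all hypothetical: the service method accepts
a caller-supplied package name, the permission check resolves that name
through the package table, and an absent package fails differently from
a present-but-unprivileged one.
"""
from dataclasses import dataclass, field

HOST = bytes([10, 0, 0, 1])  # constructed host address argument


class PermissionDenied(Exception):
    """Caller may not perform the operation."""


class PackageNotFound(Exception):
    """Named package is not installed: the leaky error path."""


@dataclass
class FakePackageManager:
    # constructed table: package name -> owning app UID
    installed: dict = field(default_factory=dict)

    def get_package_uid(self, package: str) -> int:
        if package not in self.installed:
            raise PackageNotFound(package)
        return self.installed[package]


@dataclass
class ConnectivityServiceModel:
    pm: FakePackageManager
    # constructed: UIDs allowed to change network state
    privileged_uids: set = field(default_factory=set)

    def _enforce_change_permission(self, package: str) -> None:
        # Resolves the *named* package first, so the exception type
        # already tells the caller whether that package exists.
        uid = self.pm.get_package_uid(package)
        if uid not in self.privileged_uids:
            raise PermissionDenied(package)

    def request_route_vulnerable(self, calling_uid: int, package: str, host: bytes) -> bool:
        # Missing check: the package name is trusted as supplied.
        self._enforce_change_permission(package)
        return True

    def request_route_hardened(self, calling_uid: int, package: str, host: bytes) -> bool:
        # Bind the supplied name to the caller before any lookup. A name the
        # caller does not own is rejected identically whether or not it is
        # installed, so the response carries no existence information.
        if self.pm.installed.get(package) != calling_uid:
            raise PermissionDenied("package name does not match caller")
        self._enforce_change_permission(package)
        return True


def observe(method, calling_uid: int, package: str) -> str:
    """What an unprivileged caller can see: success or the exception class."""
    try:
        method(calling_uid, package, HOST)
        return "ok"
    except (PermissionDenied, PackageNotFound) as exc:
        return type(exc).__name__


def compare_responses():
    """Query both variants with one present and one absent package name.

    Returns (vulnerable_responses, hardened_responses): the vulnerable dict
    has two distinct values (an existence oracle), the hardened one a
    single value.
    """
    pm = FakePackageManager({"com.example.bank": 10050, "com.example.caller": 10099})
    svc = ConnectivityServiceModel(pm, privileged_uids={1000})
    caller = 10099  # ordinary app UID, no query or change permission
    names = ["com.example.bank", "com.example.absent"]
    vulnerable = {n: observe(svc.request_route_vulnerable, caller, n) for n in names}
    hardened = {n: observe(svc.request_route_hardened, caller, n) for n in names}
    return vulnerable, hardened


if __name__ == "__main__":
    print(compare_responses())
```

The point of the hardened variant is ordering: the identity check on the caller-supplied name runs before anything that could resolve the name against the package table, and it fails the same way for a missing package and for someone else's package. Reviewing a system service for this pattern (caller-supplied identity used before it is verified) is the general check this CVE motivates.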
Operationally, the flaw enables local information disclosure with no execution privileges beyond those normally granted to an application. No user interaction or elevated privilege is required, so any application that can call the connectivity service method can trigger it. A malicious application could therefore systematically determine which other applications are installed, which in turn supports more targeted follow-on activity such as tailored malware delivery or social engineering based on the discovered application profile. The vulnerability maps to CWE-284 (improper access control) and could be categorized under ATT&CK technique T1069.1 (permission groups) and T1592 (reconnaissance through information discovery).
The implications extend beyond simple application enumeration: knowledge of a device's application landscape lets an attacker craft more convincing phishing, identify weaknesses in installed applications, or select targets for other exploits. The absence of any user interaction makes this particularly concerning on mobile devices, where applications typically operate with limited oversight. Security researchers have noted that information-disclosure flaws of this kind often serve as precursors to more serious attacks because they supply the reconnaissance data needed for later stages. The bug is a case of a system-level service failing to enforce access control on information that reveals sensitive device state. Organizations should factor it into their broader mobile security posture assessment and put appropriate monitoring and mitigation in place to prevent unauthorized application enumeration.