Possible Bypass of File Path Filter Leads to Local Escalation of Privilege
CVE-2024-43093

7.8 HIGH

Key Information:

Vendor: Google
Status: Vendor
CVE Published: 13 November 2024

Badges

🔥 Trending now | 📈 Trended | 📈 Score: 3,180 | 💰 Ransomware | 👾 Exploit Exists | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2024-43093?

CVE-2024-43093 is a vulnerability in Android's External Storage Provider, the component that manages access to data on external storage for applications. The flaw is a bypass of a file path filter in the shouldHideDocument function of ExternalStorageProvider.java. It stems from an incorrect implementation of Unicode normalization, which may allow unauthorized access to sensitive directories. This could lead to local privilege escalation, giving an attacker higher access levels without needing additional execution privileges.

Technical Details

The core issue with CVE-2024-43093 is the improper handling of file path filters in the External Storage Provider. Because Unicode normalization is applied incorrectly, a path can pass the filter and still reach a restricted directory. User interaction is required for exploitation, but an attacker who obtains it could gain unauthorized control over the system's resources.
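The bug class described above, a path filter that disagrees with a later layer about Unicode-equivalent strings, shown as an added Java example. It is not the AOSP code or the actual patch; the `restricted` deny-list entry, the method names, the choice of NFKC and the sample paths are all constructed assumptions.

```java
import java.text.Normalizer;
import java.util.List;
import java.util.Locale;

// Added illustration of the bug class; NOT the AOSP ExternalStorageProvider code.
public class PathFilterDemo {
    // Hypothetical deny-list entry, chosen only for this example.
    static final List<String> HIDDEN = List.of("restricted");

    // Shared segment check, applied to whatever string it is given.
    static boolean hasHiddenSegment(String path) {
        for (String segment : path.split("/")) {
            if (HIDDEN.contains(segment.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    // Weak: filters the raw string, so a Unicode-equivalent spelling is missed.
    static boolean shouldHideRaw(String path) {
        return hasHiddenSegment(path);
    }

    // Hardened: fold to one canonical form (NFKC is an assumption here)
    // before splitting into segments and comparing.
    static boolean shouldHideNormalized(String path) {
        return hasHiddenSegment(Normalizer.normalize(path, Normalizer.Form.NFKC));
    }

    public static void main(String[] args) {
        // Constructed sample paths; the second uses U+FF52 (fullwidth 'r').
        String[] samples = {
            "docs/restricted/a.txt",
            "docs/\uFF52estricted/a.txt",
            "docs/public/a.txt",
        };
        for (String s : samples) {
            System.out.printf("%-28s raw=%-5b normalized=%b%n",
                    s, shouldHideRaw(s), shouldHideNormalized(s));
        }
    }
}
```

The filter has to normalize to the same form that the layer finally resolving the path uses; if the two differ, the check and the access can still disagree.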

Potential impact of CVE-2024-43093

  1. Local Escalation of Privileges: Successful exploitation allows attackers to escalate their privileges locally, which can lead to unauthorized access to sensitive files and operations within the affected system.

  2. Data Exposure: The ability to bypass file path filters may result in unauthorized access to confidential data, increasing the risk of data breaches and compromising sensitive information.

  3. Increased Attack Surface: Organizations may face heightened risk as this vulnerability could be leveraged alongside other exploits or configurations, potentially leading to broader system compromises and more extensive security ramifications.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Android 15

Android 14

Android 13

News Articles

Android zero-day vulnerabilities actively abused. Update as soon as you can

Android's March 2025 security update includes two zero-days which are under active exploitation in targeted attacks.

4 days ago

Google Confirms 2 New Android Zero Day Exploits—Update Now

Update your Android device now as Google confirms two zero day vulnerabilities already exploited by attackers.

5 days ago

Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

Google’s March 2025 Android Security Bulletin fixes 44 vulnerabilities, including two actively exploited flaws.

6 days ago

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 💰 Used in Ransomware

  • 📈 Vulnerability started trending

  • Vulnerability published

  • 🦅 CISA Reported

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by SecurityWeek