CVE-2022-20145
Published: 15 June 2022
Summary
CVE-2022-20145 is a critical-severity an unspecified weakness vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
In startLegacyVpnPrivileged of Vpn.java, a protocol downgrade flaw allows retrieval of VPN credentials on Android 11 devices. The issue is tracked as A-201660636 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible impact without required privileges or user interaction.
An attacker positioned as a malicious Wi-Fi access point can trigger the downgrade remotely, obtain the stored VPN credentials, and thereby achieve privilege escalation on the device. No additional execution rights are needed beyond the ability to serve the crafted wireless network.
The Android security bulletin published on 2022-06-01 addresses the vulnerability and supplies the corresponding patches for affected builds. The associated EPSS score remains low, with a current value of 0.0637 and a peak of 0.0725.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-25405
Vulnerability details
In startLegacyVpnPrivileged of Vpn.java, there is a possible way to retrieve VPN credentials due to a protocol downgrade attack. This could lead to remote escalation of privilege if a malicious Wi-Fi AP is used, with no additional execution privileges needed.…
more
User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-201660636
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.