CVE-2024-34730
Published: 21 January 2025
Summary
CVE-2024-34730 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-34730 is a logic error vulnerability present in multiple locations within Android's Bluetooth stack, enabling a bypass of user consent when pairing new Bluetooth Human Interface Devices (HIDs). This flaw, tagged under CWE-276 (Incorrect Default Permissions), affects the system's permission handling for Bluetooth device authorization. It was published on 2025-01-21 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Exploitation leads to escalation of privilege, granting high-impact access to confidentiality, integrity, and availability without needing additional execution privileges.
The Android Security Bulletin for January 2025, available at https://source.android.com/security/bulletin/2025-01-01, details affected versions and provides patches for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-35168
Vulnerability details
In multiple locations, there is a possible bypass of user consent to enabling new Bluetooth HIDs due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction…
more
is not needed for exploitation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local logic flaw in permission handling directly enables privilege escalation from low-priv local context without user interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires authorization prior to allowing wireless access connections, directly mitigating the bypass of user consent for new Bluetooth HIDs.
Mandates identification and authentication of devices before establishing connections, preventing unauthorized Bluetooth HID pairing and subsequent privilege escalation.
Enforces approved authorizations for logical access to resources, addressing the logic error in Bluetooth permission handling that enables local privilege escalation.