CVE-2024-43769
Published: 03 January 2025
Summary
CVE-2024-43769 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-43769 is a logic error in the isPackageDeviceAdmin function of PackageManagerService.java within the Android Open Source Project's frameworks/base component. This vulnerability introduces an edge case that prevents the uninstallation of the CloudDpc package, enabling local escalation of privilege. No additional execution privileges or user interaction are required for exploitation, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and association to CWE-276 (Incorrect Default Permissions).
A local attacker with low privileges can exploit this issue by triggering the specific edge case in the package administration logic. Successful exploitation prevents the removal of CloudDpc, allowing the attacker to achieve privilege escalation with high impacts on confidentiality, integrity, and availability.
The Android Security Bulletin for December 2024 documents this vulnerability, recommending updates to affected devices. A fix is available in the Android source code via commit 619ffc299bf33566ba6daee8301ee0fc96e015f4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40413
Vulnerability details
In isPackageDeviceAdmin of PackageManagerService.java, there is a possible edge case which could prevent the uninstallation of CloudDpc due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User…
more
interaction is not needed for exploitation.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Logic flaw in package admin check directly enables local privilege escalation via exploitation of the vulnerability (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the logic error by requiring identification, reporting, and correction of the flaw in PackageManagerService via timely application of the vendor patch.
Enforces approved authorizations in package management to correctly handle device admin checks and prevent improper retention of privileged packages like CloudDpc.
Implements a tamper-proof reference monitor that precisely enforces access control policies, addressing failures in the PackageManagerService logic for uninstallation decisions.