CVE-2024-49744
Published: 21 January 2025
Summary
CVE-2024-49744 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly mitigates CVE-2024-49744 by applying patches to fix the unsafe deserialization in AccountManagerService, preventing local privilege escalation.
Information input validation ensures proper checking and sanitization of parcel data in intents, blocking the bypass of parcel mismatch mitigation via malicious deserialization.
Access enforcement strengthens the checkKeyIntentParceledCorrectly function to properly mediate access decisions, reducing the risk of privilege escalation from flawed enforcement.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local privilege escalation via unsafe deserialization and crafted intent directly matches Exploitation for Privilege Escalation.
NVD Description
In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to bypass parcel mismatch mitigation due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Deeper analysisAI
CVE-2024-49744 is a vulnerability in the checkKeyIntentParceledCorrectly function of AccountManagerService.java within the Android framework. It stems from unsafe deserialization that allows bypassing parcel mismatch mitigation, potentially enabling local escalation of privilege without requiring additional execution privileges. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-276 (Incorrect Default Permissions).
A local attacker with low privileges (PR:L) can exploit this vulnerability through a crafted intent, leading to escalation of privileges on the device. Exploitation requires user interaction, as noted in the description, and has low attack complexity with local access. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, allowing the attacker to gain elevated access.
The Android Security Bulletin for January 2025 at https://source.android.com/security/bulletin/2025-01-01 provides details on affected versions and patches to mitigate this issue. Security practitioners should apply the recommended updates promptly to Android devices.
Details
- CWE(s)