The Microsoft 365 Defender Research Team has shared details of several high-severity vulnerabilities found in a mobile framework used in popular apps associated with a number of big names.
The framework is owned by mce Systems, and is used in apps from numerous mobile providers. The apps — from the likes of AT&T, Rogers Communications and Bell Canada — are often pre-installed on Android handsets, but they have also been downloaded millions of times. If exploited, the vulnerabilities allow for local or remote attacks, including command injection and privilege escalation attacks.
Revealing details of its findings, the security research team says: “Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.”
In the course of its investigation, the team found that the mce Systems framework had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities, which could allow adversaries to implant a persistent backdoor or take substantial control over the device.
The researchers explain:
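A defender-side check for the exposure described above, as an added example that is not from Microsoft's write-up or mce Systems' code: it lists the activities in a decoded AndroidManifest.xml that a web link can launch through a BROWSABLE intent filter, alongside the permissions the app requests. The package name, activity names and URI scheme in the sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BROWSABLE = "android.intent.category.BROWSABLE"

# Constructed sample manifest; names and scheme are illustrative only.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.diagnostics">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ServiceActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

def browsable_components(manifest_xml):
    """Return activities a web link can launch, with the app's requested permissions."""
    root = ET.fromstring(manifest_xml.strip())
    perms = sorted(p.get(A + "name") for p in root.iter("uses-permission"))
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        # With an intent filter, a missing android:exported historically meant
        # exported, so only an explicit "false" is treated as not reachable.
        if comp.get(A + "exported") == "false":
            continue
        for filt in comp.findall("intent-filter"):
            cats = {c.get(A + "name") for c in filt.findall("category")}
            if BROWSABLE in cats:
                schemes = sorted({d.get(A + "scheme") for d in filt.findall("data")
                                  if d.get(A + "scheme")})
                findings.append({"component": comp.get(A + "name"),
                                 "schemes": schemes, "permissions": perms})
    return findings
```

Each finding is a component whose input handling deserves review, since anything a browser link can deliver to it arrives with the app's full set of permissions behind it.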
The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.
According to mce Systems, some of these vulnerabilities also affected other apps on both Android and iOS devices. Moreover, the vulnerable framework and affiliated apps were found on devices from large international mobile service providers. mce Systems, which offers “Mobile Device Lifecycle and Automation Technologies,” also permitted providers to customize and brand their respective mobile apps and frameworks. Pre-installed frameworks and mobile apps such as mce Systems’ are beneficial to users and providers in areas like simplifying the device activation process, troubleshooting device issues, and optimizing performance. However, their extensive control over the device to deliver these kinds of services could also make them an attractive target for attackers.
The vulnerabilities, tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, have CVSS scores of between 7.0 and 8.9.
Microsoft points out that it has been working with mce Systems, and the vulnerabilities have now been fixed. As such, it is important to ensure that the very latest versions are installed in order to avoid security issues.
More information is available in Microsoft’s blog post.