CVE-2011-1823
Published 2011-06-09 · CVE-2011-1823: The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to…
Priority P1 · 81 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2022-09-29
Exploited in the wild
EPSS: 41.63% (98.5th percentile)
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | — |
| android | — | >= 2.0 < 2.3.4 | 2.3.4 |
Detection & IOCs (extracted from sources)
Source: https://android.googlesource.com/platform/system/vold/+/c51920c82463b240e2be0430849837d6fdc5352e
- Monitor for processes opening or reading from PF_NETLINK sockets on Android devices, particularly those interacting with the vold (volume manager daemon) process, which may indicate exploitation attempts.
- Look for exploitation of DirectVolume::handlePartitionAdded via a negative index value sent over PF_NETLINK, which bypasses a maximum-only signed integer check and triggers memory corruption leading to privilege escalation.
- Detect the presence of the GingerBreak exploit tool or the Exploit.AndroidOS.Lotoor malware family on Android devices as indicators of CVE-2011-1823 exploitation activity.
- The vulnerability affects Android 3.0 and 2.x before 2.3.4 only; devices running Android 2.3.4 or later with the referenced vold patch applied are not affected.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Android OS Privilege Escalation Vulnerability
cisa · 2022-09-08 · CVSS 7.8
CVE-2011-1823 [HIGH] CWE-189 Android OS Privilege Escalation Vulnerability
Vulnerability: Android OS Privilege Escalation Vulnerability
Affected: Android Android OS
The vold volume manager daemon in Android kernel trusts messages from a PF_NETLINK socket, which allows an attacker to execute code and gain root privileges. This vulnerability is associated with GingerBreak and Exploit.AndroidOS.Lotoor.
Required Action: Apply updates per vendor instructions.
Notes: https://android.googlesource.com/platform/system/vold/+/c51920c82463b240e2be0430849837d6fdc5352e; https://nvd.nist.gov/vuln/detail/CVE-2011-1823
Remediation Due Date: 2022-09-29
GHSA
GHSA-3hj2-5cwp-2349: The vold volume manager daemon on Android 3
ghsa_unreviewed · 2022-05-17
CVE-2011-1823 [HIGH] CWE-190 GHSA-3hj2-5cwp-2349: The vold volume manager daemon on Android 3
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.
VulnCheck
Android OS Privilege Escalation Vulnerability
vulncheck · 2011 · CVSS 7.8
CVE-2011-1823 [HIGH] CWE-189 Android OS Privilege Escalation Vulnerability
Android OS Privilege Escalation Vulnerability
The vold volume manager daemon in Android kernel trusts messages from a PF_NETLINK socket, which allows an attacker to execute code and gain root privileges. This vulnerability is associated with GingerBreak and Exploit.AndroidOS.Lotoor.
Affected: Android Android
Required Action: Apply updates per vendor instructions.
Exploitation References: https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-09-29
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://android.git.kernel.org/?p=platform/system/core.git%3Ba=commit%3Bh=b620a0b1c7ae486e979826200e8e441605b0a5d6
- http://android.git.kernel.org/?p=platform/system/netd.git%3Ba=commit%3Bh=79b579c92afc08ab12c0a5788d61f2dd2934836f
- http://android.git.kernel.org/?p=platform/system/vold.git%3Ba=commit%3Bh=c51920c82463b240e2be0430849837d6fdc5352e
- http://androidcommunity.com/gingerbreak-root-for-gingerbread-app-20110421/
- http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html
- http://forum.xda-developers.com/showthread.php?t=1044765
- http://www.androidpolice.com/2011/05/03/google-patches-gingerbreak-exploit-but-dont-worry-we-still-have-root-for-now/
- http://xorl.wordpress.com/2011/04/28/android-vold-mpartminors-signedness-issue/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67977
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2011-1823
Published: 2011-06-09
Added to CISA KEV: 2022-09-08
Exploited in the wild