CVE-2023-20963
Published 2023-03-24 (fix shipped in the Android Security Bulletin of 2023-03-01)
Priority P1 (82) · Severity High · CVSS 3.1 base score 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · Exploit
CISA Known Exploited Vulnerability, remediation due 2023-05-04
Exploited in the wild
EPSS: 1.44% (70.0th percentile)
In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-220302519.
Affected
11 ranges. Six of them are bare vendor "android" entries with no product or version data and are omitted below. Version ranges are written as AOSP branch : security patch level, so "< 11:2023-03-01" means an Android 11 build whose security patch level predates 2023-03-01.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| platform | frameworks_base | >= 11:0 < 11:2023-03-01 | 11:2023-03-01 |
| platform | frameworks_base | >= 12:0 < 12:2023-03-01 | 12:2023-03-01 |
| platform | frameworks_base | >= 12L:0 < 12L:2023-03-01 | 12L:2023-03-01 |
| platform | frameworks_base | >= 13-next:0 < 13-next:2023-03-01 | 13-next:2023-03-01 |
| platform | frameworks_base | >= 13:0 < 13:2023-03-01 | 13:2023-03-01 |
Detection & IOCs (extracted from sources)
- Post-exploitation behavior includes downloading and executing additional code from a developer-designated remote site within a privileged environment; monitor for privileged processes spawning network connections to fetch and execute remote payloads.
- CVE-2023-20963 affects the Android Framework (WorkSource parcel mismatch / EoP) on AOSP versions 11, 12, 12L and 13; verify the device's security patch level against the 2023-03-01 Android Security Bulletin.
- The vulnerability requires no additional execution privileges and no user interaction, but the exploitation context observed was app-based: the malicious app has to be installed on the device.
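The patch-level check from the second item above, as an added Python example that is not part of this page's sources or of any vendor tool. It parses `getprop` output (the two samples below are constructed, not captured from real devices) and applies the affected set stated on this page: AOSP 11, 12, 12L and 13, i.e. API levels 30 to 33, at a security patch level below 2023-03-01. `parse_getprop`, `assess` and the status strings are this example's own names; `ro.build.version.sdk` and `ro.build.version.security_patch` are standard Android build properties. It keys on API level rather than the release string because Android 12L reports its release as "12".

```python
# Added triage helper, not from the bulletin or a vendor tool. Reads two
# standard build properties from `getprop` text and applies this page's
# affected set: AOSP 11/12/12L/13 (API 30-33) below SPL 2023-03-01.
import datetime
import re

FIXED_SPL = datetime.date(2023, 3, 1)
AFFECTED_API = {30: "11", 31: "12", 32: "12L", 33: "13"}   # 12L reports release "12"
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")       # getprop line: [name]: [value]

def parse_getprop(text):
    """Turn `getprop` output lines into a name -> value dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def assess(props):
    """Return (status, reason); status is vulnerable, patched, not-affected or unknown."""
    sdk = props.get("ro.build.version.sdk")
    spl = props.get("ro.build.version.security_patch")
    if sdk is None or spl is None:
        return "unknown", "ro.build.version.sdk or ro.build.version.security_patch missing"
    try:
        api, spl_date = int(sdk), datetime.date.fromisoformat(spl)
    except ValueError:
        return "unknown", "unparseable sdk %r or SPL %r" % (sdk, spl)
    if api not in AFFECTED_API:
        return "not-affected", "API %d is outside AOSP 11-13" % api
    branch = AFFECTED_API[api]
    if spl_date >= FIXED_SPL:
        return "patched", "AOSP %s at SPL %s" % (branch, spl)
    return "vulnerable", "AOSP %s at SPL %s, needs 2023-03-01 or later" % (branch, spl)

# Constructed sample `getprop` excerpts (not captured from real devices).
SAMPLE_VULNERABLE = """\
[ro.build.version.release]: [12]
[ro.build.version.sdk]: [32]
[ro.build.version.security_patch]: [2023-02-05]
"""
SAMPLE_PATCHED = """\
[ro.build.version.release]: [13]
[ro.build.version.sdk]: [33]
[ro.build.version.security_patch]: [2023-03-05]
"""

if __name__ == "__main__":
    for text in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
        print(assess(parse_getprop(text)))
```

On a live device, pass the text of `adb shell getprop` to `parse_getprop`. The security patch level is a vendor-declared string, not proof that the frameworks/base change is present: a build that backported the fix without bumping the SPL, or bumped the SPL without it, will be misjudged, so treat "patched" as a first-pass triage result rather than a verified fix.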
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | | 7.8 | HIGH | |
| CISA | | 7.8 | HIGH | |
GHSA
GHSA-xm9f-fph8-8369: In WorkSource, there is a possible parcel mismatch
ghsa_unreviewed · 2023-03-24 · Severity HIGH · CWE-295
CWE-295 is "Improper Certificate Validation". GHSA, VulnCheck and CISA all carry that tag on this CVE, but it does not describe the parcel/unparcel mismatch documented by the advisory text and the Project Zero RCA below; treat the CWE as an index artifact, not a classification of the bug.
Description: identical to the NVD text above (Product: Android; Versions: Android-11, Android-12, Android-12L, Android-13; Android ID: A-220302519).
OSV
CVE-2023-20963: In WorkSource, there is a possible parcel mismatch
osv · 2023-03-01
In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
VulnCheck
Android Framework Privilege Escalation Vulnerability
vulncheck · 2023 · CVSS 7.8 · Severity HIGH · CWE-295
Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed.
Affected: Android Framework
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://arstechnica.com/information-technology/2023/03/android-app-from-china-executed-0-day-exploit-on-millions-of-devices/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://ti.qianxin.com/uploads/2024/02/02/dcc93e586f9028c68e7ab34c3326ff31.pdf
Exploit PoC:
- https://vulncheck.com/xdb/ab7e394561a2
- https://vulnch
Project Zero
Project Zero RCA: CVE-2023-20963: Android: mismatching parcel/unparcel logic for WorkSource
project_zero · CVSS 7.8 · Severity HIGH
# CVE-2023-20963: Android: mismatching parcel/unparcel logic for WorkSource
*Jann Horn*
## The Basics
**Disclosure or Patch Date:** March 1, 2023
**Product:** Android
**Advisory:** https://source.android.com/docs/security/bulletin/2023-03-01#framework
**Affected Versions:**
**First Patched Version:** Security Patch Level 2023-03-01
**Issue/Bug Report:**
**Patch CL:** https://android.googlesource.com/platform/frameworks/base/+/266b3bddcf14d448c0972db64b42950f76c759e3%5E%21/
**Bug-Introducing CL:**
**Reporter(s):**
- Android credits Sergey Toshin (@_bagipro) of Oversecured Inc.
- public analysis is done in writeups:
- [by davinci1012/davincifans101](https://github.com/davincifans101/pinduoduo_backdoor_detailed_report/blob/main/report_en.pdf) (in english, chinese version also avail
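To make "mismatching parcel/unparcel logic" concrete, here is an added Python model. It is not AOSP code, it does not reproduce the real WorkSource fields or the Pinduoduo exploit, and `Parcel`, `Record`, `read_record_mismatched`, `privileged_path`, the `grant_all` key and the bundle wire format are all hypothetical stand-ins. The modelled defect is the shape the RCA title names: the reader of a Parcelable consumes one int more than its writer emits. An attacker who hand-builds the bytes supplies that phantom int, so the first parse looks benign; when a privileged component re-serializes what it parsed and a consumer parses the result, the cursor is four bytes off and lands inside attacker-controlled string content, which now decodes as an entry the gatekeeper never saw. `roundtrip_consistent` is the unit check that catches such a mismatch before it ships.

```python
# Added model, not AOSP code: every name here is a hypothetical stand-in for
# WorkSource/Bundle. Record's reader consumes one int more than its writer emits.
import struct

class Parcel:
    def __init__(self, data=b""):
        self.data, self.pos = bytearray(data), 0
    def write_int(self, v):
        self.data += struct.pack("<i", v)
    def read_int(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("parcel underrun at %d" % self.pos)
        (v,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return v
    def write_string(self, s):               # length prefix, payload padded to 4 bytes
        raw = s.encode("utf-8")
        self.write_int(len(raw))
        self.data += raw + b"\0" * (-len(raw) % 4)
    def read_string(self):
        n = self.read_int()
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("bad string length %d" % n)
        raw = bytes(self.data[self.pos:self.pos + n])
        self.pos += n + (-n % 4)
        return raw.decode("utf-8")

class Record:                                # stand-in for a Parcelable such as WorkSource
    def __init__(self, names):
        self.names = list(names)
    def write(self, p):
        p.write_int(len(self.names))
        for n in self.names:
            p.write_string(n)

def read_record_mismatched(p):
    names = [p.read_string() for _ in range(p.read_int())]
    p.read_int()        # BUG (modelled): a 'flag' int that Record.write never emits
    return Record(names)

def read_record_fixed(p):                    # mirrors Record.write exactly
    return Record([p.read_string() for _ in range(p.read_int())])
TAG_INT, TAG_RECORD = 1, 3

def write_bundle(entries):                   # count, then (key, tag, value) triples
    p = Parcel(); p.write_int(len(entries))
    for key, val in entries.items():
        p.write_string(key)
        if isinstance(val, Record):
            p.write_int(TAG_RECORD); val.write(p)
        else:
            p.write_int(TAG_INT); p.write_int(val)
    return bytes(p.data)

def read_bundle(data, read_record):
    p, out = Parcel(data), {}
    for _ in range(p.read_int()):
        key, tag = p.read_string(), p.read_int()
        if tag == TAG_RECORD:
            out[key] = read_record(p)
        elif tag == TAG_INT:
            out[key] = p.read_int()
        else:
            raise ValueError("unknown tag %d" % tag)
    return out

def craft_malicious_bundle():
    # Attacker bytes (constructed). The second key's content is itself a
    # serialized entry grant_all=1 that only the re-serialized copy exposes.
    hidden = Parcel()
    hidden.write_string("grant_all"); hidden.write_int(TAG_INT); hidden.write_int(1)
    p = Parcel(); p.write_int(2)
    p.write_string("ws"); p.write_int(TAG_RECORD); p.write_int(1); p.write_string("app")
    p.write_int(0)                               # the phantom flag the buggy reader eats
    p.write_string(hidden.data.decode("utf-8"))  # benign-looking key hiding the entry
    p.write_int(TAG_INT); p.write_int(0)
    return bytes(p.data)

def privileged_path(data, read_record):
    # Gatekeeper parses and validates, re-serializes, consumer parses again.
    try:
        first = read_bundle(data, read_record)
        if "grant_all" in first:
            return "rejected"
        second = read_bundle(write_bundle(first), read_record)
    except ValueError:
        return "rejected"
    return "granted" if second.get("grant_all") == 1 else "denied"

def roundtrip_consistent(rec, read_record):
    # Unit check that catches a mismatch: the reader must consume exactly the
    # bytes the writer produced and hand back the same fields.
    p = Parcel(); rec.write(p)
    try:
        back = read_record(p)
    except ValueError:
        return False
    return p.pos == len(p.data) and back.names == rec.names
```

`privileged_path(craft_malicious_bundle(), read_record_mismatched)` returns "granted", while the same bytes with `read_record_fixed` return "rejected", because once the reader mirrors the writer the phantom int makes the parcel malformed instead of silently shifting the cursor. `roundtrip_consistent(Record(["app"]), read_record_mismatched)` is False. Every Parcelable with a writeToParcel/createFromParcel pair deserves exactly that write-read-compare test, including its empty and null branches, since real mismatches tend to hide in conditionally written fields.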
CISA
Android Framework Privilege Escalation Vulnerability
cisa · 2023-04-13 · CVSS 7.8 · Severity HIGH · CWE-295
Affected: Android Framework
Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed.
Required Action: Apply updates per vendor instructions.
Notes: https://source.android.com/docs/security/bulletin/2023-03-01; https://nvd.nist.gov/vuln/detail/CVE-2023-20963
Remediation Due Date: 2023-05-04
Android
CVE-2023-20963: Android Security Bulletin 2023-03-01
vendor_android · 2023-03-01 · CVSS 7.8
CVE: CVE-2023-20963
Severity: HIGH
Type: EoP
Affected AOSP versions: 11, 12, 12L, 13
References: A-220302519
No detection rules found.
No public exploits indexed.
Krebs
Google Suspends Chinese E-Commerce App Pinduoduo Over Malware
blogs_krebs · 2023-03-22
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.
In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device.
Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborati
Timeline
2023-03-24: Published
2023-04-13: Added to CISA KEV
Exploited in the wild