CVE-2024-20069 — Algorithm Downgrade in Google Android

CWE-757 — Algorithm Downgrade4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

1.0%

top 22.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android

Timeline

PublishedJun 3

Latest updateAug 6

Description

In modem, there is a possible selection of less-secure algorithm during the VoWiFi IKE due to a missing DH downgrade check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01286330; Issue ID: MSV-1430.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶googlegoogle/android

🔴Vulnerability Details

GHSA

GHSA-c4q9-2wfm-wj48: In modem, there is a possible selection of less-secure algorithm during the VoWiFi IKE due to a missing DH downgrade check↗2024-06-03

▶

📋Vendor Advisories

Android

CVE-2024-20069: Modem↗2024-06-01

▶

📄Research Papers

arXiv

Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments↗2024-08-06

▶