The vulnerability is caused by improper access control in cloudNotificationManager.java. An attacker can send a message to a smart device via the REMOVE_PERSISTENT_BANNER broadcast and then access the cloud database via the cloud API. The attacker can bypass the access control and read the data in the cloud database. An attacker can also delete the cloud database to cause a denial of service on the smart device. Due to the cloud access control weakness, an attacker can also update the cloud database to change the access control rules and achieve remote code execution.

CVE-2018-5060

In the cloud API, there is a solution, SENDING_PUSH_NOTIFICATION(), for sending push notifications. The attacker can send the message via the REMOVE_PERSISTENT_BANNER broadcast. It will be stored in the cloud database. Then, the attacker can access the cloud database via the cloud API. A remote attacker can send the message via the REMOVE_PERSISTENT_BANNER broadcast and then update the cloud database via the cloud API. Then, the attacker can update the cloud database via the cloud API to change the access control rules. The attacker can now achieve remote code execution.

CVE-2018-5061

In the cloud API, there is a solution, SENDING_PUSH_NOTIFICATION(), for sending push notifications. The attacker can send the message via the REMOVE_

Vulnerable Packages

The following versions are vulnerable:

- Android 4.4.0 - 6.0.1
- Android 7.0 - 8.0
- Android 9

In the cloud API, the solution for sending push notifications, SENDING_PUSH_NOTIFICATION(), is implemented in androidx.core/java/com/android/server/NotificationManagerService$3$1. It does not have proper access control rules and can be bypassed by an attacker via the REMOVE_PERSISTENT_BANNER broadcast. The attacker can then update the cloud database via the cloud API to change the access control rules and achieve remote code execution or denial of service.

Vulnerable packages:

- com.xiaomi.android.pushclient
- com.xiaomi.piui
- com.xiaomi.android.notifications
- com.xiaomi.android.cloudnotify
- com.xiaomi.android

Timeline

Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/11/2022 19:19:00 UTC
