Security Bullentins
APR-2024
MAR-2024
FEB-2024
JAN-2024
2024-04-01 security patch level vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-04-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.
Framework
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
System
The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
| CVE-2024-23704 | A-299931761 | EoP | High | 13, 14 |
| CVE-2023-21267 | A-218495634 [2] [3] | ID | High | 12, 12L, 13, 14 |
| CVE-2023-0026 | A-308414141 | DoS | High | 12, 12L, 13, 14 |
| CVE-2024-0027 | A-307948424 | DoS | High | 12, 12L, 13, 14 |
2024-03-01 security patch level vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-03-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.
Framework
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
| CVE-2024-0044 | A-307532206 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-0046 | A-299441833 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-0048 | A-316893159 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-0049 | A-273936274 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-0050 | A-273935108 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-0051 | A-276442130 | EoP | High | 12, 12L, 13, 14 |
| CVE-2024-0053 | A-281525042 | ID | High | 12, 12L, 13, 14 |
| CVE-2024-0047 | A-311687929 [2] [3] | DoS | High | 14 |
System
The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
| CVE-2024-0039 | A-295887535 [2] [3] | RCE | Critical | 12, 12L, 13, 14 |
| CVE-2024-23717 | A-318374503 | EoP | Critical | 12, 12L, 13, 14 |
| CVE-2023-40081 | A-284297452 | ID | High | 12, 12L, 13, 14 |
| CVE-2024-0045 | A-300903400 | ID | High | 12, 12L, 13, 14 |
| CVE-2023-0052 | A-303871379 | ID | High | 14 |
2024-02-01 security patch level vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.
Framework
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
| CVE-2024-0029 | A-305664128 | EoP | High | 13 |
| CVE-2024-0032 | A-283962634 [2] | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0034 | A-298094386 | EoP | High | 11, 12, 12L, 13 |
| CVE-2024-0036 | A-230492947 | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0038 | A-309426390 | EoP | High | 14 |
| CVE-2024-0041 | A-300741186 | EoP | High | 14 |
| CVE-2023-40122 | A-286235483 | ID | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0037 | A-292104015 | ID | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0040 | A-300007708</td> | ID | High | 11, 12, 12L, 13, 14 |
System
The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
| CVE-2024-0031 | A-297524203 | RCE | Critical | 11, 12, 12L, 13, 14 |
| CVE-2024-0014 | A-304082474 | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0033 | A-294609150 [2] | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0035 | A-300903792 | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2023-40093 | A-279055389 [2] | ID | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0030 | A-276898739 | ID | High | 11, 12, 12L, 13, 14 |
2024-01-01 security patch level vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-01-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.
Framework
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
| CVE-2023-21245 | A-222446076 [2] | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0015 | A-300090204 | EoP | High | 11, 12, 12L, 13 |
| CVE-2024-0018 | A-300476626 | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0023 | A-283099444 [2] | EoP | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0019 | A-294104969 | ID | High | 12, 12L, 13, 14 |
System
The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
| CVE | References | Type | Severity | Updated AOSP versions |
| CVE-2024-0021 | A-282934003 [2] | EoP | High | 13, 14 |
| CVE-2023-40085 | A-269271098 | ID | High | 12, 12L, 13 |
| CVE-2024-0016 | A-279169188 | ID | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0017 | A-285142084 [2] | ID | High | 11, 12, 12L, 13, 14 |
| CVE-2024-0020 | A-299614635 | ID | High | 11, 12, 12L, 13, 14 |
For detailed information about the vulnerability, please visit the following link:
https://www.cve.org/
Security Reporting
We encourage users, partners, suppliers, security organizations, and independent researchers to actively report to Marusys ST by email any security risks or vulnerabilities related to Marusys products and solutions. Due to the sensitivity of vulnerability information, we recommend using our PGP public key (Key ID: 0x76032DCA; PGP Fingerprint: 8143118DD7E85DBB27ADA839DD8D732776032DCA) and reporting it to st@marusys.com. In order to facilitate timely verification and location of vulnerabilities, the content of the email should include the following:
1. Organization/Title and Contact Information
2. Description of potential security risks/vulnerabilities
3. Technical details (e.g., system configuration, positioning method, description/screenshot of exploit, sample captured images, POC, steps to reproduce problems, etc.)
4. Report the product name, model, and software/firmware version where the security risks/vulnerabilities are located.
5. Possible vulnerability disclosure plan
Response Process
When a security issue on a Marusys product or service is reported, the Security Team(ST) immediately starts working with Marusys development teams to resolve the issue.
The Product Security Response staff will first determine which entity needs to be engaged. Marusys ST will work with partners, researchers, customers, and other individuals as necessary, to help resolve the vulnerability issues and improve the process.
The following is an overview of the product security issue lifecycle, including the disclosure and resolution processes:
Discovery
Marusys ST is notified of a suspected vulnerability in Marusys products or services. The reporter will be informed of all steps in the process.
Investigation/Analysis
Marusys ST reports the suspected vulnerability to the relevant product teams for verification. The QE teams will attempt to reproduce the reported issue for an in-depth analysis of the situation. The QE may collaborate with the reporter to gather as much detail necessary to ensure appropriate remediation.
Mitigation
Marusys ST and the relevant product teams together develop a schedule for the release date of the fixes based on the severity level of the vulnerability. The product team also develops the fixes.
Notification
The security update is released on Marusys Security Bulletins. A notification email will be sent out to those impacted by the vulnerability reported.