PT-2013-5983 · Google · Android
Published
2013-12-14
·
Updated
2013-12-18
·
CVE-2013-6271
CVSS v2.0
8.8
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Android versions 4.0 through 4.3
Description
The issue allows attackers to bypass intended access restrictions and remove device locks via a crafted application. This is achieved by invoking the
updateUnlockMethodAndFinish method in the com.android.settings.ChooseLockGeneric class with the PASSWORD QUALITY UNSPECIFIED option.Recommendations
For Android versions 4.0 through 4.3, as a temporary workaround, consider restricting the use of the
com.android.settings.ChooseLockGeneric class until a patch is available. Avoid using the PASSWORD QUALITY UNSPECIFIED option in the updateUnlockMethodAndFinish method to minimize the risk of exploitation.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Android