PT-2022-11499 · Luna Simo · Luna Simo

Published: 2022-03-11 · Updated: 2022-07-12 · CVE-2021-41848

CVSS v2.0: 7.2 (High)

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Luna Simo PPR1.180610.011/202001031830

Description

An issue was discovered that allows local third-party apps to provide a spoofed software update file, which can contain an arbitrary shell script and an arbitrary ARM binary. Both will be executed as the root user with an SELinux domain named osi. To exploit this, a local third-party app needs write access to external storage. The vulnerable system binary /system/bin/osi_bin does not perform any authentication of the update file beyond ensuring it is encrypted with a hard-coded AES key. Processes running as root in the osi SELinux domain can perform various actions, including installing apps, granting runtime permissions, accessing extensive Personally Identifiable Information (PII), uninstalling apps, setting the default launcher app, setting a network proxy, unloading kernel modules, and more. The spoofed update can also contain an arbitrary ARM binary for persistent code execution as the root user with the osi SELinux domain.

Recommendations

For Luna Simo PPR1.180610.011/202001031830, as a temporary workaround, consider restricting write access to external storage for third-party apps until a patch is available. Additionally, avoid using the /system/bin/osi_bin system binary for software updates until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2021-41848

Affected Products

Luna Simo