PT-2024-10586 · Google · Android

Published 2024-11-15 · Updated 2024-12-18 · CVE-2017-13314

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Android versions prior to 8.0

Description

A security settings bypass is possible due to a missing permission check in the setAllowOnlyVpnForUids function of NetworkManagementService.java. This could lead to local escalation of privilege, allowing users to access non-VPN networks when they are supposed to be restricted to VPN networks, with no additional execution privileges needed. User interaction is not needed for exploitation.

Recommendations

For Android versions prior to 8.0, consider restricting access to the setAllowOnlyVpnForUids function of NetworkManagementService.java to minimize the risk of exploitation. As a temporary workaround, restrict the ability of users to access non-VPN networks when they are supposed to be restricted to VPN networks.

Fix

Weakness Enumeration

Incorrect Default Permissions

Missing Authorization

Related Identifiers

CVE-2017-13314

Affected Products

Android