Moderate
CVE-2019-2215
CVE-2019-2215
Description
A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095
Add Assessment
Technical Analysis
As a privilege escalation does still need an initial vector onto the phone, so requires either another exploit or additional tradecraft. This is unlikely to work in conjunction with a Chrome exploit today because many phones run a 64-bit kernel + 32-bit Chrome, perhaps for this very reason!.
After testing the Metasploit module it took a considerable amount of specific targeting effort to get just the right model, and because the phone has a feature/bug that made it difficult to downgrade firmware (and the phone likes to upgrade on its own very easily), targeting this after disclosure may be very difficult.
However, if you can find this bug or a similar one on a common phone that is past applying security updates, it could be useful for privesc from a malicious app. But I think the issue that plagues a lot of Android binary exploitation vulns is the lack of generality and there being lower-hanging fruit.
Technical Analysis
Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888
CVSS V3 Severity and Metrics
General Information
Vendors
- canonical,
- debian,
- google,
- huawei,
- netapp
Products
- a220 firmware -,
- a320 firmware -,
- a800 firmware -,
- aff baseboard management controller firmware -,
- alp-al00b firmware,
- alp-tl00b firmware,
- android -,
- anne-al00 firmware,
- ares-al00b firmware,
- ares-al10d firmware,
- ares-tl00chw firmware,
- barca-al00 firmware,
- berkeley-l09 firmware,
- berkeley-tl10 firmware,
- bla-al00b firmware,
- bla-l29c firmware,
- bla-tl00b firmware,
- c190 firmware -,
- cloud backup -,
- columbia-al00a firmware,
- columbia-l29d firmware,
- cornell-tl10b firmware,
- data availability services -,
- debian linux 8.0,
- duke-l09i firmware,
- dura-al00a firmware,
- fas2720 firmware -,
- fas2750 firmware -,
- figo-al00a firmware,
- florida-al20b firmware,
- florida-l03 firmware,
- florida-l21 firmware,
- florida-l22 firmware,
- florida-tl10b firmware,
- h300s firmware -,
- h410c firmware -,
- h410s firmware -,
- h500s firmware -,
- h610s firmware -,
- h700s firmware -,
- hci management node -,
- honor 9i firmware,
- honor view 20 firmware,
- jakarta-al00a firmware,
- johnson-tl00d firmware,
- leland-al10b firmware,
- leland-l21a firmware,
- leland-l32a firmware,
- leland-tl10b firmware,
- leland-tl10c firmware,
- lelandp-al00c firmware,
- lelandp-l22c firmware,
- mate rs firmware 9.1.0.321(c786e320r1p1t8),
- neo-al00d firmware,
- nova 2s firmware,
- nova 3 firmware,
- nova 3e firmware,
- p20 firmware,
- p20 lite firmware,
- princeton-al10b firmware,
- rhone-al00 firmware,
- service processor -,
- solidfire -,
- solidfire baseboard management controller firmware -,
- stanford-l09 firmware,
- stanford-l09s firmware,
- steelstore cloud integrated storage -,
- sydney-al00 firmware,
- sydney-tl00 firmware,
- sydneym-al00 firmware,
- tony-al00b firmware,
- tony-tl00b firmware,
- ubuntu linux 16.04,
- y9 2019 firmware,
- yale-al00a firmware,
- yale-l21a firmware,
- yale-tl00b firmware
Metasploit Modules
Exploited in the Wild
References
Advisory
