Security Bulletins
      APR-2024
      MAR-2024
      FEB-2024
      JAN-2024
      2024-04-01 security patch level vulnerability details
      In the sections below, we provide details for each of the security vulnerabilities that apply to the 2024-04-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.
      Framework
      The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.
      CVE             References   Type  Severity  Updated AOSP versions
      CVE-2024-23710  A-311374917  EoP   High      13, 14
      CVE-2024-23713  A-305926929  EoP   High      12, 12L, 13, 14
      CVE-2024-0022   A-298635078  ID    High      13, 14
      CVE-2024-23712  A-304983146  DoS   High      12, 12L, 13, 14
      System
      The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.
      CVE             References           Type  Severity  Updated AOSP versions
      CVE-2024-23704  A-299931761          EoP   High      13, 14
      CVE-2023-21267  A-218495634 [2] [3]  ID    High      12, 12L, 13, 14
      CVE-2023-0026   A-308414141          DoS   High      12, 12L, 13, 14
      CVE-2024-0027   A-307948424          DoS   High      12, 12L, 13, 14
      For detailed information about the vulnerability, please visit the following link: https://www.cve.org/
      Security Reporting
      We encourage users, partners, suppliers, security organizations, and independent researchers to actively report to Marusys ST by email any security risks or vulnerabilities related to Marusys products and solutions. Due to the sensitivity of vulnerability information, we recommend using our PGP public key (Key ID: 0x76032DCA; PGP Fingerprint: 8143118DD7E85DBB27ADA839DD8D732776032DCA) and reporting it to st@marusys.com. In order to facilitate timely verification and location of vulnerabilities, the content of the email should include the following:
      
      1. Organization/Title and Contact Information
      2. Description of potential security risks/vulnerabilities
      3. Technical details (e.g., system configuration, positioning method, description/screenshot of exploit, sample captured images, POC, steps to reproduce problems, etc.)
      4. Report the product name, model, and software/firmware version where the security risks/vulnerabilities are located.
      5. Possible vulnerability disclosure plan
      		

      Response Process
      When a security issue on a Marusys product or service is reported, the Security Team (ST) immediately starts working with Marusys development teams to resolve the issue.
      
      The Product Security Response staff will first determine which entity needs to be engaged. Marusys ST will work with partners, researchers, customers, and other individuals as necessary, to help resolve the vulnerability issues and improve the process.
      
      The following is an overview of the product security issue lifecycle, including the disclosure and resolution processes:
      
      Discovery
      
      Marusys ST is notified of a suspected vulnerability in Marusys products or services. The reporter will be informed of all steps in the process.
      
      Investigation/Analysis
      
      Marusys ST reports the suspected vulnerability to the relevant product teams for verification. The QE teams will attempt to reproduce the reported issue for an in-depth analysis of the situation. The QE may collaborate with the reporter to gather as much detail as necessary to ensure appropriate remediation.
      
      Mitigation
      
      Marusys ST and the relevant product teams together develop a schedule for the release date of the fixes based on the severity level of the vulnerability. The product team also develops the fixes.
      
      Notification
      
      The security update is released on Marusys Security Bulletins. A notification email will be sent out to those impacted by the vulnerability reported.