MediaTek Confirms Bug That Affects Android Devices Running Its Chipsets
With the exception of MediaTek-based phones from Vivo, Huawei/Honor (after Android 8.0+), OPPO (after Android 8.0+), and Samsung, XDA community members found that MediaTek-su works more often than not when attempted on devices with affected chipsets. According to XDA Member diplomatic, Vivo, Huawei/Honor, OPPO, and Samsung devices "use kernel modifications to deter root access via exploits," which means the developer would need to dig into the kernel source code of these devices to create "tailored version[s]" of the exploit. That wasn't worth the added effort, so the developer chose not to add support for these devices even though, "in theory," the exploit could still work.
MediaTek confirms bug that affects Android devices running its chipsets
By now, it should be clear that this exploit affects a large number of devices on the market. MediaTek chips power hundreds of budget and mid-range smartphone models, cheap tablets, and off-brand set-top boxes, most of which are sold without the expectation of timely updates from the manufacturer. Many devices still affected by MediaTek-su are thus unlikely to get a fix for weeks or months after today's disclosure, if they get one at all. So what makes MediaTek-su earn its "Critical" severity with a CVSS v3.0 score of 9.3?
The only "weakness" in MediaTek-su is that it grants an application only "temporary" root access, which means that a process loses superuser access after a device reboot. Furthermore, on devices running Android 6.0 Marshmallow and above, the presence of Verified Boot and dm-verity blocks modifications to read-only partitions like system and vendor. However, these two factors are mostly hindrances to modders on our forums rather than to malicious actors. To overcome the limitation of temporary root, a malicious app can simply re-run the MediaTek-su script on every boot. On the other hand, there is little need to overcome dm-verity, as permanent modifications to the system or vendor partitions are unlikely to interest most malware authors; after all, there are already plenty of things a malicious app can do with a root shell.
According to the chart that MediaTek shared with us, this vulnerability affects MediaTek devices with Linux Kernel versions 3.18, 4.4, 4.9, or 4.14 running Android versions 7 Nougat, 8 Oreo, or 9 Pie. The vulnerability is not exploitable on MediaTek devices running Android 10, apparently, since "the access permission of CMDQ device nodes is also enforced by SELinux." This mitigation likely comes from an update to MediaTek's BSP rather than from Android itself. Android 10's only mitigation for this vulnerability is its restriction on apps executing binaries in their home directory; however, as XDA Recognized Developer topjohnwu notes, a malicious app can simply run the MediaTek-su code in a dynamic library.
ALAC is an open-source audio coding format from Apple Inc. intended for lossless digital audio compression. Many Android vendors also use ALAC, so any vulnerability in its decoder code affects every device that ships with it.
MediaTek rated CVE-2021-0675 as a "high" severity elevation of privilege bug due to "improper restriction of operations within the bounds of a memory buffer in alac decoder". It affects dozens of MediaTek chips used in devices running Android versions 8.1, 9.0, 10.0, and 11.0, according to MediaTek.
To start, Dirty Pipe only affects Android devices running Linux kernel versions 5.8 and later. There isn't a complete list of phones tied to specific Linux kernel versions, but many Android phones "live" on a specific kernel version their entire life. Kernel 5.8 was released in 2020, but Android devices didn't start to receive any more recent versions until the release of Android 12. Generic Kernel Images complicate this a little, but only the Pixel 6 and 6 Pro use it, and consumer devices using kernel versions after 5.8 didn't debut until Android 12 either.
We know the Pixel 6, Pixel 6 Pro, and Samsung Galaxy S22 series are affected by Dirty Pipe. Android Police has separately confirmed the Xiaomi 12 Pro is running an affected version of the Linux kernel. Qualcomm has confirmed to us that out of all its chipsets, only the Snapdragon 8 Gen 1 might use an affected kernel. All of its other hardware should be unaffected.
Qualcomm has given us additional details about the chipsets it supplies that may use affected kernels. Of its hardware, only devices using the Snapdragon 8 Gen 1 could be affected. We are still waiting on additional information from other vendors.
In short, Dirty Pipe is a vulnerability that affects all Android phones with Qualcomm Snapdragon 8 Gen 1, MediaTek Dimensity 9000, Google Tensor and Exynos 2200 chipsets. However, it is not possible to provide all new models with security patches in a short period of time. It will still take about 5 months until the Dirty Pipe security vulnerability is fixed on all phones. There is no official statement from Xiaomi about the Dirty Pipe vulnerability, but we recommend that you install the upcoming updates: even without an official statement, the Dirty Pipe vulnerability can still be fixed by them.
Mikhaylov (2017:39) states that different steps are required to activate USB debugging mode depending on which version of Android is being used. To enable USB debugging, the passcode will be required. However, some devices running Android, such as the Innotab Max, which Privacy International tested in 2016-17, appear to ship from the factory with debugging enabled by default. Research by Pen Test Partners confirmed that the Vtech Innotab Max is rooted by default, with ADB (the Android Debug Bridge) enabled from the outset.