Use-After-Free in Binder Driver Vulnerability | Zebra

CVE-2019-2215: Use-After-Free in Binder Driver Vulnerability

For more information, please see: 

There have been reports of active exploits of this vulnerability. Zebra strongly recommends customers apply updates for impacted Zebra products to mitigate the risk of exploitation. 

Zebra takes security seriously and recommends that customers update to the latest BSP and accept monthly patches to minimize security risks.

Updates will be posted to each device support page as they are released.  

The use-after-free in binder driver vulnerability is a kernel privilege bug potentially affecting Zebra devices running the Android 8.1 (Oreo) operating system. Other operating systems are either not impacted or have already addressed the vulnerability. 

As reported by Maddie Stone from the Android security team:

In the upstream commit: “binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.”

Control of the kernel/root access can also lead to an "exploit chain", where malicious actors use additional exploits to collect information from the device. 

While the vulnerability is rated High, it requires installation of a compromised application for exploit to occur. Zebra encourages customers to lock down device capabilities to prevent installation of compromised applications.

Impacted Zebra Products

These vulnerabilities potentially impact some Zebra mobile computers, tablets and kiosks running Oreo 8.1.  

Updates are scheduled to be available for affected products as follows: 

  • TC2x products: November 15th, 2019

  • All other impacted products: October 29th, 2019

Updates can be downloaded from individual support pages on that date.

Support pages for impacted products:
 

Mobile Computers

MC33  GMS | Non-GMS
MC3300R  GMS | Non-GMS
MC9300 GMS | Non-GMS
PS20 All
TC20 GMS | Non-GMS
TC25 GMS | Non-GMS
TC52  GMS | Non-GMS
TC57 GMS | Non-GMS
TC72 GMS | Non-GMS
TC77 GMS | Non-GMS
TC8300 GMS
VC8300 GMS

Kiosks

CC600/CC6000 GMS | Non-GMS

Tablets

ET51 GMS | Non-GMS
ET56 
GMS | Non-GMS
L10A GMS | Non-GMS (China only)

 

 

Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.

Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.



Are you aware of a potential security issue with a Zebra Technologies product?