Google has released a patch for two zero-day vulnerabilities in Pixel devices that are potentially being exploited. The Pixel security patch contains 24 fixes, including the two zero-days, tracked under CVE-2024-29748 and CVE-2024-29745.
The two high-severity zero-day flaws were reported by GrapheneOS, an open-source, privacy- and security-focused Android-based operating system for Pixel devices. CVE-2024-29748 is an escalation of privilege bug in the Pixel firmware, and CVE-2024-29745 is an information disclosure bug in the Pixel bootloader.
“There are indications that the following may be under limited, targeted exploitation,” Google said.
Both flaws require physical possession of the device: one lets an attacker with the phone in hand read its memory, the other undermines a wipe meant to protect the data on it.
“The April release of the Pixel boot chain firmware includes fixes for two vulnerabilities, which forensic companies are actively exploiting in the wild,” GrapheneOS said.
CVE-2024-29745 is a flaw in the fastboot firmware used to unlock, flash, or lock the device. On a device in the AFU (After First Unlock) state, decrypted data and key material are still held in RAM. An attacker holding the device could reboot it into Pixel's fastboot mode, where that RAM was left intact and reachable over USB, and dump it. Google adopted a mitigation proposed by GrapheneOS: the firmware now zeroes memory when rebooting into fastboot mode, and USB is only enabled once the zeroing is complete, so there is nothing left to dump.
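As an added illustration (this is not Pixel firmware or GrapheneOS code), the toy model below captures the ordering bug behind the fastboot memory dump: RAM survives a warm reboot, so what an attacker can read over USB depends only on what the firmware does before it turns USB on. The RAM size, the key pattern and the boot sequence are constructed for the example; the one practitioner detail worth noting is that the zeroing goes through a volatile pointer, because a plain memset on memory that is never read again is something a compiler may legitimately drop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the memory-remanence issue fixed for CVE-2024-29745.
 * Constructed for illustration: not the Pixel boot chain. */

#define RAM_SIZE 4096

/* Constructed stand-in for key material that sits in RAM after first unlock. */
static const uint8_t AFU_KEY[16] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
    0x89, 0xab, 0xcd, 0xef, 0xfe, 0xed, 0xfa, 0xce };

struct device {
    uint8_t ram[RAM_SIZE];
    bool usb_enabled;
};

/* Zero memory through a volatile pointer so the stores cannot be elided. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--)
        *v++ = 0;
}

/* Device booted and unlocked once: decrypted data and keys are now in RAM. */
void boot_and_unlock(struct device *dev)
{
    memset(dev->ram, 0x41, RAM_SIZE);            /* filler "user data" */
    memcpy(dev->ram + 1024, AFU_KEY, sizeof AFU_KEY);
    dev->usb_enabled = false;
}

/* Warm reboot into fastboot. RAM contents survive the reset; the only
 * question is whether the firmware clears them before exposing USB. */
void reboot_to_fastboot(struct device *dev, bool zero_before_usb)
{
    if (zero_before_usb)
        secure_zero(dev->ram, RAM_SIZE);         /* patched ordering */
    dev->usb_enabled = true;                     /* fastboot now reachable */
}

/* What a forensic tool does: pull RAM over USB and search for the key. */
bool fastboot_dump_leaks_key(const struct device *dev)
{
    if (!dev->usb_enabled)
        return false;                            /* no interface, no dump */
    for (size_t i = 0; i + sizeof AFU_KEY <= RAM_SIZE; i++)
        if (memcmp(dev->ram + i, AFU_KEY, sizeof AFU_KEY) == 0)
            return true;
    return false;
}

/* Run the whole scenario once and report whether the key was recoverable. */
bool key_recoverable_after_reboot(bool patched_firmware)
{
    static struct device dev;
    boot_and_unlock(&dev);
    reboot_to_fastboot(&dev, patched_firmware);
    return fastboot_dump_leaks_key(&dev);
}

int main(void)
{
    printf("unpatched firmware: key recoverable = %d\n",
           key_recoverable_after_reboot(false));
    printf("patched firmware:   key recoverable = %d\n",
           key_recoverable_after_reboot(true));
    return 0;
}
```

The model deliberately keeps USB "off" until the firmware decides to enable it; moving the zeroing after that point, or replacing `secure_zero` with a plain `memset` that the optimizer removes, reintroduces the dump path.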
CVE-2024-29748 allows a factory reset triggered by an app through the device admin API to be interrupted, so a wipe that is supposed to protect the data on a seized device cannot be relied on. GrapheneOS describes the current patch as a “partial solution”; Google is also working on another GrapheneOS suggestion, wiping the device without requiring a reboot.
“We’ll be shipping a properly secure implementation of a duress PIN/password along with a properly secure panic wipe based on wiping without requiring a reboot. We also plan to make device admin API use our wipe-without-reboot approach until Android ships one,” GrapheneOS said.
The Pixel patches also fix a critical-severity escalation of privilege flaw, tracked as CVE-2024-29740. All of the Pixel fixes ship alongside the April Android security update, patch level 2024-04-05.
Beyond the Pixel-specific fixes, the April Android security bulletin also addresses a local escalation of privilege vulnerability in the System component.
“The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed,” Google said.
