CVE-2024-11624
Published: 03 January 2025
Description
There is a possible way to add apps to bypass the VPN due to an undeclared permission. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-11624 is a vulnerability in Android Pixel devices caused by an undeclared permission: because the permission guarding the relevant operation is not declared, an app can add apps to the set that bypasses the device's VPN configuration. The flaw is classified under CWE-276 (Incorrect Default Permissions) and enables local escalation of privilege without needing additional execution privileges or user interaction. It received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 3, 2025.
The vector reflects a local attacker with low privileges (PR:L), low attack complexity, and no required user interaction. Successful exploitation is rated high impact on confidentiality, integrity, and availability: traffic from the added apps leaves the device outside the VPN tunnel, and the attacker escalates privileges on the affected device.
The Android security bulletin for Pixel devices dated December 1, 2024 (https://source.android.com/security/bulletin/pixel/2024-12-01) lists the fix for this vulnerability. Security practitioners should ensure affected Pixel devices are updated to a build carrying the security patch level given in that bulletin, and should verify the reported patch level rather than rely on the build date alone.
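A simple way to verify the mitigation across devices is to read the security patch level the build reports and compare it against the level that closes the bulletin. The script below is an added example and is not code from the bulletin or the CVE entry; the required level `2024-12-05` is an assumption based on the bulletin date and should be confirmed against the bulletin text. It reads the live value over `adb` when a device is attached and otherwise evaluates a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the Pixel bulletin or the CVE entry): classify an
# Android device's reported security patch level against the level assumed to
# fix CVE-2024-11624.

# Assumption: the Pixel December 2024 bulletin's patch level. Confirm against
# https://source.android.com/security/bulletin/pixel/2024-12-01 before use.
REQUIRED_PATCH_LEVEL="2024-12-05"

# Return 0 when $1 >= $2. Both are YYYY-MM-DD, which sorts correctly as plain
# strings, so a lexical comparison is sufficient.
patch_level_at_least() {
  [ "$1" = "$2" ] ||
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort | tail -n 1)" = "$1" ]
}

# Return 0 when $1 looks like YYYY-MM-DD; anything else is treated as unknown.
valid_patch_level() {
  printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}$'
}

# Print a verdict for a patch level string: patched, vulnerable, or unknown.
assess_patch_level() {
  level="$1"
  if ! valid_patch_level "$level"; then
    echo "unknown"
  elif patch_level_at_least "$level" "$REQUIRED_PATCH_LEVEL"; then
    echo "patched"
  else
    echo "vulnerable"
  fi
}

# Read ro.build.version.security_patch from an attached device, if adb exists.
# Prints nothing when adb is missing or no device responds.
device_patch_level() {
  if command -v adb >/dev/null 2>&1; then
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
  fi
}

main() {
  level="$(device_patch_level)"
  if [ -z "$level" ]; then
    # Constructed sample value used when no device is attached.
    level="2024-11-05"
    echo "no device reachable via adb; using constructed sample value $level"
  fi
  echo "security_patch=$level required=$REQUIRED_PATCH_LEVEL -> $(assess_patch_level "$level")"
}

main
```

Because Pixel and AOSP bulletins publish patch levels as dates, the same `assess_patch_level` function works for later bulletins by changing `REQUIRED_PATCH_LEVEL`; the format check guards against feeding the comparison an empty or malformed property value from a device that is not fully booted.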
Details
- CWE(s)