CVE-2024-40677
Published: 28 January 2025
Description
In shouldSkipForInitialSUW of AdvancedPowerUsageDetail.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-40677 is a vulnerability in the `shouldSkipForInitialSUW` method of `AdvancedPowerUsageDetail.java` within the Android Settings application. It stems from a missing permission check (CWE-862), enabling attackers to bypass factory reset protections. This flaw allows local escalation of privilege without requiring additional execution privileges or user interaction, earning a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker with no prior privileges can exploit this vulnerability to escalate their access level by circumventing factory reset safeguards. The low attack complexity and lack of user interaction make it straightforward for anyone with physical or local access to the device to achieve high-impact confidentiality, integrity, and availability compromises.
The Android Security Bulletin for October 2024 details the issue and confirms patches are available, with the specific fix committed in the Android open-source project at the provided reference URL in `platform/packages/apps/Settings`. Security practitioners should ensure devices are updated to the patched versions to mitigate this risk.
Details
- CWE(s)