CVE-2024-49734
Published: 21 January 2025
Description
In multiple functions of ConnectivityService.java, there is a possible way for a Wi-Fi AP to determine what site a device has connected to through a VPN due to side channel information disclosure. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Security Summary
CVE-2024-49734 is a side-channel information disclosure vulnerability (CWE-200) affecting multiple functions in ConnectivityService.java within the Android Open Source Project. It allows a Wi-Fi access point to determine the websites a device has connected to through a VPN by leaking timing or other side-channel data. The issue enables remote information disclosure with no additional execution privileges required and no user interaction needed, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An attacker controlling a malicious or compromised Wi-Fi access point can exploit this vulnerability when a victim device connects to it. Exploitation occurs over the network with low complexity, requiring no privileges or user interaction, and results in high-impact confidentiality loss by revealing VPN-protected browsing destinations.
The Android Security Bulletin for 2025-01-01 at https://source.android.com/security/bulletin/2025-01-01 provides details on affected versions and patches for mitigation.
Details
- CWE(s)