CVE-2023-20963 is a high-severity Android vulnerability that has been exploited in the wild as a zero-day.
What Is CVE-2023-20963 and Why Is It Dangerous?
The United States Cybersecurity and Infrastructure Security Agency (CISA) recently issued a high-severity warning about an Android vulnerability believed to have been exploited as a zero-day by the Chinese e-commerce app Pinduoduo. The Android Framework flaw, tracked as CVE-2023-20963, lets a malicious app already installed on an unpatched device escalate its privileges without any user interaction.
According to its official description, CVE-2023-20963 is a possible parcel mismatch in WorkSource, that is, an inconsistency between how the object is serialized to a Parcel and how it is deserialized, the class of bug that lets a crafted IPC payload be interpreted by a privileged process with a different layout than the sender was allowed to produce. This can lead to local escalation of privilege with no additional execution privileges needed, and exploitation requires no user interaction. Affected versions are Android 11, Android 12, Android 12L, and Android 13.
Google addressed the flaw in its March security updates, noting that CVE-2023-20963 may be under limited, targeted exploitation. Subsequently, after malware was found in some non-Google Play versions of Pinduoduo, Google suspended the app and Kaspersky researchers investigated it. They found that the malicious code exploited Android vulnerabilities, including CVE-2023-20963, to gain access to users' data and devices. Igor Golovin, a security researcher at Kaspersky, reported that some versions of the Pinduoduo app contained malicious code that escalated privileges, then downloaded and executed malicious modules with access to users' notifications and files.
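Because the fix shipped with Google's March 2023 updates, the practical question for a defender is whether a given device reports a security patch level that includes it. The triage helper below is an added example, not code from the article, Google, or Kaspersky. It assumes that the fix is contained in Android security patch level 2023-03-01 (the Framework patch level of the March 2023 Android Security Bulletin; confirm against the bulletin before relying on it), that the affected releases are the ones the advisory lists (Android 11, 12, 12L and 13, with 12L reporting `ro.build.version.release` as "12"), and it parses the `[key]: [value]` format that `adb shell getprop` prints; the sample outputs in the block are constructed.

```python
"""Triage helper for CVE-2023-20963 exposure based on `adb shell getprop` output.

Added example, not from the original article. Assumptions (not stated on the page):
  * the fix is included in security patch level 2023-03-01 (March 2023 bulletin);
  * affected releases are Android 11, 12, 12L and 13; 12L reports release "12".
"""
import sys
from datetime import date
from typing import Dict

FIX_PATCH_LEVEL = date(2023, 3, 1)       # assumed fix level, see docstring
AFFECTED_RELEASES = {"11", "12", "13"}    # 12L reports "12"


def parse_getprop(output: str) -> Dict[str, str]:
    """Parse `getprop` lines of the form `[key]: [value]` into a dict.

    Lines that do not match that shape (blank lines, shell noise) are skipped.
    """
    props: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, _, value = line[1:-1].partition("]: [")
        props[key] = value
    return props


def assess(props: Dict[str, str]) -> str:
    """Return one of: 'vulnerable', 'patched', 'unknown', 'not-listed'.

    'not-listed' means the release is outside the advisory's scope (e.g. an
    end-of-life version); it is not an assertion that the device is safe.
    'unknown' means the patch level is missing or malformed, which a defender
    should treat as unverified rather than patched.
    """
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    major = release.split(".")[0]
    if major not in AFFECTED_RELEASES:
        return "not-listed"
    try:
        level = date.fromisoformat(patch)
    except ValueError:
        return "unknown"
    return "patched" if level >= FIX_PATCH_LEVEL else "vulnerable"


# Constructed sample outputs (not captured from real devices).
SAMPLE_VULNERABLE = """[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-02-05]
"""
SAMPLE_PATCHED = """[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2023-03-05]
"""


if __name__ == "__main__":
    # Usage: adb shell getprop | python3 check_cve_2023_20963.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VULNERABLE
    print(assess(parse_getprop(text)))
```

Pipe the device's `getprop` output into the script; with no input it evaluates the constructed vulnerable sample. Run it across a fleet by feeding each device's output in turn, and treat "unknown" results as work items, not as passes.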
U.S. Federal Civilian Executive Branch agencies face a tight deadline under CISA's Binding Operational Directive (BOD) 22-01, which requires them to remediate CVE-2023-20963 by Thursday, May 4th, the due date that came with its addition to CISA's Known Exploited Vulnerabilities (KEV) catalog. Every flaw in the KEV catalog must be identified on agency systems and remediated by its due date.