@GrapheneOS


CVE-2024-32896 which is marked as being actively exploited in the wild in the June 2024 Pixel Update Bulletin is the 2nd part of the fix for CVE-2024-29748 vulnerability we described here: https://t.co/c4xnnbje04 As we explained there, none of this is actually Pixel specific.

CVE-2024-32896 and CVE-2024-29748 refer to the same vulnerability of interrupting reboot for wipes via the device admin API, which applies to all devices. https://t.co/UWAaA9er57 CVE-2024-32896 is a full fix in AOSP as part of Android 14 QPR3. It's not at all Pixel specific.

This is being widely incorrectly reported in tech news coverage. Pixel Update Bulletins are almost entirely patches for vulnerabilities which apply to other devices too. Android Security Bulletins are the list of what other OEMs are required to fix, not the full list of patches.

We explained this in our previous thread: https://t.co/qXz2RGTgP0 CVE-2024-29748 was a mitigation for the issue implemented in the Pixel bootloader. Full solution is implementing wipe-without-reboot, which is now a standard feature in Android 14 QPR3 released as part of AOSP.

Our 2024052100 release backported the upstream wipe-without-reboot feature being shipped in the June 2024 release of Android (Android 14 QPR3): https://t.co/GQmsVGKWl3. We extended it to make it more robust via extra redundancy in our 2024060400 release: https://t.co/9JnljvWlgl.

There were 2 main issues:

1) memory not wiped when booting firmware-based fastboot mode, allowing exploiting it to get previous OS memory
2) AOSP device admin API depends on reboot-to-recovery to wipe before Android 14 QPR3

Neither issue is being fixed outside Pixels yet.

Each month, Android has a new version released. These are the monthly, quarterly (QPR) and yearly releases. The baseline monthly security patches are NOT the monthly releases of Android. They're backports of a SUBSET of the patches with High/Critical severity, not all patches.

Most devices only ship the backported patches to older Android releases (12, 13 and 14). Pixels ship the monthly, quarterly and yearly releases. Other devices will mostly get the 2nd vulnerability fix when they update to Android 15. They'll have to fix the 1st issue on their own.

We have a thread about forensic company capabilities at https://t.co/ePxpCjuWiV based on leaked Cellebrite documentation. Shows GrapheneOS does a much better job than iOS/Android blocking exploits and only Pixel 6 and later or iPhone 12 and later successfully stop brute forcing.

Link to the June 2024 Pixel bulletin, showing CVE-2024-32896 as actively exploited in the wild: https://t.co/r2gcvb1FND. We meant to include this in the first post of this thread but it got left out during editing. Can see it's the same one attributed to us in acknowledgements.
