CVE-2021-0380
📋 TL;DR
This Android vulnerability allows local attackers to trigger provisioning URLs and modify telephony settings without proper permission checks during device onboarding. It enables local privilege escalation without requiring user interaction. Only Android 11 devices are affected.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access or malicious app could gain elevated privileges, modify telephony settings, and potentially access sensitive device functions normally restricted to system apps.
Likely Case
Malicious apps could abuse this to modify device settings, potentially enabling further attacks or disrupting normal device operation.
If Mitigated
With proper Android security updates applied, the vulnerability is completely patched with no residual risk.
🎯 Exploit Status
Exploitation requires local access and knowledge of the vulnerability during device onboarding. No user interaction needed once conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Patch Level 2021-03-01 or later
Vendor Advisory: https://source.android.com/security/bulletin/pixel/2021-03-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > Advanced > System update. 2. Install the March 2021 security patch or later. 3. Reboot device after installation.
🔧 Temporary Workarounds
Disable onboarding/setup access
allPrevent unauthorized physical access during device setup phase
Restrict app installation
allOnly allow installation from trusted sources like Google Play Store
🧯 If You Can't Patch
- Restrict physical access to devices during setup/onboarding
- Implement mobile device management (MDM) to control app installation and device settings
🔍 How to Verify
Check if Vulnerable:
Check Android version in Settings > About phone > Android version. If it shows Android 11 and security patch level is earlier than March 2021, device is vulnerable.Check Version:
adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patchVerify Fix Applied:
Verify Android version is not 11 OR security patch level is March 2021 or later in Settings > About phone > Android version & Security patch level.📡 Detection & Monitoring
Log Indicators:
- Unusual telephony setting changes during device setup
- Provisioning URL triggers without proper permissions
Network Indicators:
- Unexpected provisioning server connections during onboarding
SIEM Query:
Look for telephony permission abuse events or unusual provisioning activities in Android device logs