CVE-2021-0536
📋 TL;DR
This vulnerability in Android's WiFiInstaller allows a malicious app to delete files accessible to CertInstaller due to a confused deputy attack. It enables local privilege escalation without requiring user interaction or additional execution privileges. Only Android 11 devices are affected.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete critical system files, potentially causing device instability, data loss, or enabling further privilege escalation to gain full system control.
Likely Case
A malicious app could delete certificates or configuration files, disrupting secure communications or enabling man-in-the-middle attacks against the device.
If Mitigated
With proper app sandboxing and minimal permissions, impact would be limited to files accessible only to CertInstaller, reducing overall system risk.
🎯 Exploit Status
Requires a malicious app to be installed on the device. No user interaction needed for exploitation once app is installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Patch Level June 2021 or later
Vendor Advisory: https://source.android.com/security/bulletin/pixel/2021-06-01
Restart Required: Yes
Instructions:
1. Check for system updates in Settings > System > Advanced > System update. 2. Install Android Security Patch Level June 2021 or later. 3. Restart device after installation.
🔧 Temporary Workarounds
Restrict app installations
androidOnly install apps from trusted sources like Google Play Store and avoid sideloading unknown apps.
Review app permissions
androidRegularly review installed apps and their permissions, removing any suspicious or unnecessary apps.
🧯 If You Can't Patch
- Implement mobile device management (MDM) to control app installations and monitor for suspicious activity.
- Use application allowlisting to only permit trusted apps to run on affected devices.
🔍 How to Verify
Check if Vulnerable:
Check Android version in Settings > About phone > Android version. If it shows Android 11 and security patch level is before June 2021, device is vulnerable.Check Version:
Settings > About phone > Android version and Android security updateVerify Fix Applied:
Verify Android Security Patch Level is June 2021 or later in Settings > About phone > Android security update.📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system logs
- WiFiInstaller or CertInstaller process anomalies
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
Look for process anomalies involving WiFiInstaller or unexpected file deletion events in Android system logs