CVE-2021-39807
📋 TL;DR
This vulnerability allows a user logged into the Guest account on Android devices to enable NFC functionality without proper permissions. It enables local privilege escalation from the Guest account without requiring user interaction. Affects Android 10 through 12L devices.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
Android by Google
Android by Google
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Guest user gains unauthorized NFC access enabling data exfiltration, payment system manipulation, or physical access control bypass via NFC tags.
Likely Case
Guest user enables NFC to read/write data from NFC tags, potentially accessing sensitive information or performing unauthorized NFC transactions.
If Mitigated
Guest account remains restricted from NFC functionality as intended, maintaining proper security boundaries between user accounts.
🎯 Exploit Status
Exploitation requires Guest account access but no user interaction. The vulnerability is in the permission check logic of SecureNfcEnabler.java.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Bulletin April 2022 patches
Vendor Advisory: https://source.android.com/security/bulletin/2022-04-01
Restart Required: Yes
Instructions:
1. Apply April 2022 Android security patch. 2. Update device to latest Android version. 3. For enterprise devices, push updates via MDM. 4. For personal devices, check for system updates in Settings.
🔧 Temporary Workarounds
Disable Guest Account
androidRemove Guest account functionality to prevent exploitation
adb shell settings put global guest_user_enabled 0
Disable NFC
androidTurn off NFC functionality system-wide
adb shell settings put secure nfc_on 0
🧯 If You Can't Patch
- Disable Guest account functionality on all affected devices
- Implement device usage policies restricting Guest account access to sensitive devices
🔍 How to Verify
Check if Vulnerable:
Check Android version: Settings > About phone > Android version. If version is 10, 11, 12, or 12L without April 2022 patches, device is vulnerable.Check Version:
adb shell getprop ro.build.version.releaseVerify Fix Applied:
Verify Android security patch level includes April 2022 or later: Settings > About phone > Android security patch level.📡 Detection & Monitoring
Log Indicators:
- Guest account enabling NFC without proper permissions
- Unexpected NFC activation events from Guest accounts
Network Indicators:
- NFC-related network traffic from Guest accounts
SIEM Query:
source="android_logs" AND (event="nfc_enabled" OR event="secure_nfc") AND user="guest"