CVE-2023-21094
📋 TL;DR
Several functions in Android's LayerState.cpp (the SurfaceFlinger layer-state code in frameworks/native) are missing a permission check. A local attacker, in practice an app already running on the device, can use this to take over the screen display and swap display content without any user interaction. Android 11, 12, 12L and 13 are affected. Google rates it a local escalation of privilege that needs no additional execution privileges; the fix shipped in the April 2023 Android Security Bulletin.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An unprivileged local app gains control over what the display shows. It can draw or swap content on top of other apps without the overlay permission the platform normally enforces, which enables convincing fake lock screens, login prompts and permission dialogs, capture of whatever the user types into them, and clickjacking of security-sensitive prompts as a stepping stone to further privilege escalation.
Likely Case
A malicious or trojanized app manipulates screen content to phish credentials, hide its own activity behind benign-looking content, or trick the user into approving actions, leading to credential or data theft.
If Mitigated
Negligible once the April 2023 (2023-04-01) security patch level or later is installed. Devices that cannot be patched are exposed only to code that can already run locally, so limiting which apps can be installed and who can use the device bounds the risk.
🎯 Exploit Status
Exploitation requires local code execution (for example, a malicious app installed on the device) but no user interaction and no elevated privileges. The flaw is in the display layer management of the Android framework (LayerState.cpp, handled by SurfaceFlinger), not in any single app, so every app on an unpatched device is a potential attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Bulletin April 2023 patches
Vendor Advisory: https://source.android.com/security/bulletin/2023-04-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > System update.
2. Install the April 2023 security patch (patch level 2023-04-01) or later.
3. Restart the device after installation.
🔧 Temporary Workarounds
Disable unknown sources
Prevent sideloading of untrusted apps that could carry an exploit for this vulnerability:
Settings > Security > Install unknown apps > Disable for all apps
Restrict app permissions
Review and deny the "Display over other apps" permission for apps that do not need it:
Settings > Apps > [App Name] > Permissions > Display over other apps > Deny
Caveat: neither workaround fixes the bug. The vulnerability is a missing permission check inside the framework, so an exploiting app does not need the overlay permission to begin with; these steps only shrink the pool of apps an attacker can get onto the device and make unrelated overlay abuse harder. Patching is the only real fix.
🧯 If You Can't Patch
- Isolate vulnerable devices from untrusted users and limit physical access; any locally running code can trigger the bug
- Implement strict app vetting policies and only allow installation from trusted sources such as the Google Play Store; where devices are managed, use the MDM or Android Enterprise policy to block sideloading and enforce a minimum security patch level
🔍 How to Verify
Check if Vulnerable:
Check the Android version in Settings > About phone > Android version. If the version is 11, 12, 12L, or 13 and the Android security patch level is earlier than 2023-04-01, the device is vulnerable. Note that Android 12L reports its release as "12" in ro.build.version.release, so judge by the patch level rather than the point release.
Check Version:
adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify the Android version and security patch level in Settings > About phone. The 'Android security patch level' must read April 2023 (2023-04-01) or later; the same value is returned by ro.build.version.security_patch in the adb command above.
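The check above, as an added example (not from the Android Security Bulletin or any Google tooling): a POSIX shell script that takes the two property values from adb and decides whether the device is exposed. The affected-release list and the 2023-04-01 cutoff come from the bulletin; the function names and the `check_device` wrapper are this example's own. It assumes the patch level uses the standard YYYY-MM-DD format, which is why it can be compared as a number once the hyphens are removed.

```shell
#!/bin/sh
# Added example: classify a device's exposure to CVE-2023-21094 from the
# values of ro.build.version.release and ro.build.version.security_patch.
# Fixed in the 2023-04-01 Android Security Bulletin (hypothetical helper
# names; only the data comes from the bulletin).

FIX_PATCH="2023-04-01"

# is_affected_release RELEASE -> returns 0 when RELEASE is one of the
# versions the bulletin lists (11, 12, 12L, 13). 12L reports "12" via
# getprop, so the "12" case already covers it.
is_affected_release() {
  case "$1" in
    11|11.*|12|12.*|12L|13|13.*) return 0 ;;
    *) return 1 ;;
  esac
}

# cve_2023_21094_status RELEASE PATCH -> prints one of
#   NOT_AFFECTED  release is outside the affected range
#   UNKNOWN       patch level is not in YYYY-MM-DD form
#   VULNERABLE    affected release, patch level older than 2023-04-01
#   PATCHED       affected release, patch level 2023-04-01 or newer
cve_2023_21094_status() {
  release="$1"
  patch="$2"
  if ! is_affected_release "$release"; then
    echo "NOT_AFFECTED"
    return 0
  fi
  case "$patch" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo "UNKNOWN"; return 0 ;;
  esac
  # YYYY-MM-DD minus the hyphens is an integer that orders by date.
  pnum=$(printf '%s' "$patch" | sed 's/-//g')
  fnum=$(printf '%s' "$FIX_PATCH" | sed 's/-//g')
  if [ "$pnum" -lt "$fnum" ]; then
    echo "VULNERABLE"
  else
    echo "PATCHED"
  fi
}

# check_device: query the connected device over adb (needs adb on PATH and
# USB debugging enabled). Prints "<release> <patch> <status>".
check_device() {
  rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
  spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  printf '%s %s %s\n' "$rel" "$spl" "$(cve_2023_21094_status "$rel" "$spl")"
}
```

Run `check_device` against a connected phone, or feed the two property values exported from an MDM inventory into `cve_2023_21094_status` to audit a fleet offline. Treat a PATCHED result as a statement about the patch level the OEM claims, not proof that this specific fix was backported; for devices whose vendor lags the bulletin, compare against the OEM's own advisory.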
📡 Detection & Monitoring
Log Indicators:
- No vendor-published log signature exists for this bug; the indicators below are generic and will not reliably distinguish exploitation from legitimate overlay use
- Apps drawing over other apps (lock-screen or login look-alikes) that never held the "Display over other apps" permission, since the missing check lets an exploiting app bypass it
- Repeated overlay permission requests from a single app are a sign of overlay abuse in general, not of this CVE specifically
Network Indicators:
- None. This is a local privilege escalation; any network activity would come from whatever payload the attacker runs afterwards, not from the exploit itself
SIEM Query:
No specific SIEM query. The practical control is compliance monitoring: alert on managed devices running Android 11 through 13 whose reported security patch level is earlier than 2023-04-01, and on MDM events for apps installed from outside the approved store.