CVE-2023-21223 – This vulnerability allows remote attackers to r... (How to Fix)

Q: What is the severity of CVE-2023-21223?

CVE-2023-21223 has a CVSS score of 7.5 (HIGH). This vulnerability allows remote attackers to read memory beyond intended boundaries in Android's LPP (LTE Positioning Protocol) component, potentially exposing sensitive information. It affects Android devices with vulnerable kernel versions, requiring no user interaction or special privileges for exploitation.

📋 TL;DR

This vulnerability allows remote attackers to read memory beyond intended boundaries in Android's LPP (LTE Positioning Protocol) component, potentially exposing sensitive information. It affects Android devices with vulnerable kernel versions, requiring no user interaction or special privileges for exploitation.

💻 Affected Systems

Products:

Android

Versions: Android kernel versions prior to June 2023 security patches

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with LTE positioning capabilities; Pixel devices specifically mentioned in bulletin

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker could read sensitive kernel memory, potentially exposing cryptographic keys, authentication tokens, or other protected data leading to further system compromise.

🟠

Likely Case

Information disclosure of limited kernel memory contents, potentially revealing device identifiers, location data, or other system information.

🟢

If Mitigated

No impact if patched; unpatched devices remain vulnerable to information disclosure but with limited scope due to memory layout protections.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

No authentication required but requires LTE positioning protocol interaction; no public exploit code known

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2023 Android security patch level

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-06-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install June 2023 security patch. 3. Reboot device after installation.

🔧 Temporary Workarounds

Disable LTE Positioning

android

Turn off LTE-based location services to prevent exploitation via LPP protocol

Settings > Location > Location services > Google Location Accuracy > Turn off

🧯 If You Can't Patch

Disable LTE positioning services in device settings
Use network-level filtering to block LPP protocol traffic if possible

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows June 2023 or later date

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs, abnormal LPP protocol activity in radio logs

Network Indicators:

Unusual LPP protocol traffic patterns, unexpected positioning requests

SIEM Query:

source="android_kernel" AND ("LPP" OR "GNSS") AND ("out of bounds" OR "OOB")

📊 Metadata

CVE ID: CVE-2023-21223

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-125

Published: June 28, 2023

Last Updated: November 21, 2024

🔗 References

https://source.android.com/security/bulletin/pixel/2023-06-01 Vendor Advisory
https://source.android.com/security/bulletin/pixel/2023-06-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-21223, you might also want to check these: