Login Sign Up

CVE-2024-23706

7.8 HIGH

📋 TL;DR

This vulnerability allows local attackers to bypass health data permissions on Android devices due to improper input validation. It enables local privilege escalation without requiring user interaction or additional execution privileges. Affected systems include Android devices running vulnerable versions of the HealthFitness module.

💻 Affected Systems

Products:
  • Android HealthFitness module
Versions: Android versions prior to May 2024 security update
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Android devices with the HealthFitness module. The vulnerability is in multiple locations within the module.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with physical access or malicious app could gain unauthorized access to sensitive health data, potentially exposing medical information or using it for identity theft.

🟠

Likely Case

Malicious apps could bypass permission checks to access health data they shouldn't have access to, compromising user privacy.

🟢

If Mitigated

With proper patching, the vulnerability is eliminated, restoring proper permission enforcement for health data access.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the device, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Malicious apps or users with physical access could exploit this to escalate privileges and access sensitive health data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the device. No user interaction needed for successful exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2024 Android Security Update

Vendor Advisory: https://source.android.com/security/bulletin/2024-05-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the May 2024 security update. 3. Restart the device after installation completes.

🔧 Temporary Workarounds

Disable HealthFitness module

android

Temporarily disable the HealthFitness module to prevent exploitation

adb shell pm disable com.google.android.apps.healthdata

Restrict app permissions

android

Review and restrict health data permissions for all installed apps

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict app installation policies and monitor for suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version. If patch level is before May 2024, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows 'May 5, 2024' or later in Settings > About phone > Android version.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to health data APIs
  • Permission bypass attempts in system logs

Network Indicators:

  • Unusual health data access patterns from apps

SIEM Query:

source="android_system" AND (event="permission_violation" OR event="health_data_access")

📊 Metadata

CVE ID: CVE-2024-23706
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-20
Published: May 7, 2024
Last Updated: December 17, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-23706, you might also want to check these:

CVE-2022-47190 10.0

CVE-2022-47190 allows remote attackers to upload malicious firmware containing a webshell to Generex...

Same vulnerability type (CWE-20)
CVE-2024-3400 10.0

CVE-2024-3400 is a critical command injection vulnerability in Palo Alto Networks PAN-OS GlobalProte...

Same vulnerability type (CWE-20)
CVE-2023-42802 10.0

This critical vulnerability in GLPI allows attackers to upload malicious PHP files to unauthorized d...

Same vulnerability type (CWE-20)