An Android security bulletin was published on January 6, 2025, which disclosed multiple vulnerabilities but did not provide details (7th Jan 2025)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: CUPS provides the “cups” library to talk to the different parts of CUPS and with Internet Printing Protocol (IPP) printers. The “cups” library functions are accessed by including the <cups/cups.h> header. CUPS is based on the Internet Printing Protocol (“IPP”), which allows clients (applications) to communicate with a server (the scheduler, printers, etc.) to get a list of destinations, send print jobs, and so forth. You identify which server you want to communicate with using a pointer to the opaque structure http_t. The CUPS_HTTP_DEFAULT constant can be used when you want to talk to the CUPS scheduler.

Vulnerability details: Five critical Android fixes (CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, CVE-2024-49748) were released in the January 2025 Security Advisory Bulletin. We are aware that the above vulnerability advisory was released on December 3, 2024. But why not provide details?

Perhaps it related to CUPS. When android install this opensource system, Android itself cannot protect itself.So, it bring out the vulnerabilities.

I speculated the vulnerability exchange CVE reference numbers on CUPS to Android is shown as below:

Android CVE-2024-43096 – CVE-2024-47076 (CUPS)

Android CVE-2024-49747 – CVE-2024-47175 (CUPS)

Android CVE-2024-49748 – CVE-2024-47176

Android CVE-2024-43770 – CVE-2024-47176 (CUPS): When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

Android CVE-2024-43771 – CVE-2024-47177 (CUPS)

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.