CVE-2024-0031 Overview
CVE-2024-0031 is a critical out-of-bounds write vulnerability in the Android Bluetooth stack, specifically in the attp_build_read_by_type_value_cmd function within the att_protocol.cc file. This vulnerability allows remote code execution without requiring any user interaction or additional execution privileges.
The flaw stems from improper input validation when processing Bluetooth ATT (Attribute Protocol) commands, enabling attackers to write data outside the bounds of allocated memory buffers. Given that Bluetooth is a widely enabled feature on mobile devices and the attack requires no user interaction, this vulnerability poses a significant risk to Android devices worldwide.
Critical Impact
Remote attackers can achieve code execution on vulnerable Android devices via Bluetooth without user interaction, potentially leading to complete device compromise.
Affected Products
- Google Android 11.0
- Google Android 12.0
- Google Android 12.1
- Google Android 13.0
- Google Android 14.0
Discovery Timeline
- February 16, 2024 - CVE-2024-0031 published to NVD
- December 16, 2024 - Last updated in NVD database
Technical Details for CVE-2024-0031
Vulnerability Analysis
The vulnerability exists in the Bluetooth ATT (Attribute Protocol) implementation within Android's Bluetooth module. The affected function attp_build_read_by_type_value_cmd in att_protocol.cc fails to properly validate input parameters before performing memory write operations.
When constructing ATT protocol commands, the function does not adequately check buffer boundaries, allowing specially crafted Bluetooth packets to trigger an out-of-bounds write condition. This memory corruption can be exploited to achieve arbitrary code execution in the context of the Bluetooth process, which runs with system-level privileges on Android devices.
The vulnerability is particularly dangerous because it can be exploited remotely over Bluetooth without requiring any user interaction. An attacker within Bluetooth range could send malicious packets to a vulnerable device, potentially gaining full control without the victim's knowledge.
Root Cause
The root cause is improper input validation (CWE-20) leading to an out-of-bounds write condition (CWE-787). The attp_build_read_by_type_value_cmd function does not properly validate the size of input data against the allocated buffer size before writing, allowing attackers to corrupt adjacent memory regions.
The lack of boundary checking when processing ATT protocol value lengths enables malformed packets to write beyond the intended buffer, corrupting heap or stack memory depending on the allocation context.
Attack Vector
The attack vector is network-based, specifically over Bluetooth. An attacker can exploit this vulnerability by:
- Positioning themselves within Bluetooth range of the target device (typically up to 100 meters with Class 1 Bluetooth)
- Initiating a Bluetooth connection or sending malicious ATT protocol packets
- Crafting packets with malformed value lengths that trigger the out-of-bounds write
- Leveraging the memory corruption to redirect execution flow and achieve code execution
The exploitation does not require any authentication, user interaction, or special privileges on the attacker's part. The target device simply needs to have Bluetooth enabled, which is a common default configuration.
Detection Methods for CVE-2024-0031
Indicators of Compromise
- Unexpected Bluetooth crashes or restarts of the Bluetooth service on Android devices
- Anomalous Bluetooth connection attempts from unknown devices in system logs
- Unusual memory access patterns in the com.android.bluetooth process
- System instability following Bluetooth activity
Detection Strategies
- Monitor system logs for crashes in the Bluetooth stack, particularly in ATT protocol handling
- Implement network intrusion detection rules to identify malformed Bluetooth ATT packets
- Deploy endpoint detection solutions capable of monitoring Bluetooth service behavior
- Review crash dumps for evidence of heap or stack corruption in Bluetooth processes
Monitoring Recommendations
- Enable verbose Bluetooth logging on devices in high-security environments for forensic analysis
- Monitor for unexpected Bluetooth service restarts using Android Debug Bridge (ADB)
- Implement centralized logging for managed device fleets to correlate potential attack patterns
- Use mobile threat defense solutions to detect anomalous Bluetooth behavior
How to Mitigate CVE-2024-0031
Immediate Actions Required
- Apply the February 2024 Android security patch immediately on all affected devices
- Disable Bluetooth on devices that cannot be immediately patched, especially in high-risk environments
- Restrict physical access to sensitive areas where Bluetooth-based attacks could be launched
- Prioritize patching for devices with access to sensitive data or critical systems
Patch Information
Google has released a security patch for this vulnerability as part of the Android Security Bulletin February 2024. The fix is implemented in commit de53890aaca2ae08b3ee2d6e3fd25f702fdfa661 in the Bluetooth module, which adds proper input validation to prevent the out-of-bounds write condition.
Organizations should ensure all Android devices are updated to the February 2024 security patch level or later. For devices managed through enterprise mobility management (EMM) solutions, push the update as a priority deployment.
The specific code change can be reviewed in the Android Bluetooth Module Update.
Workarounds
- Disable Bluetooth when not actively in use to reduce the attack surface
- Avoid using Bluetooth in public or untrusted locations where attackers may be present
- Enable Bluetooth only when necessary and disable immediately after use
- Consider using wired alternatives for audio and data transfer where feasible
# Disable Bluetooth via ADB for managed devices
adb shell settings put global bluetooth_on 0
adb shell svc bluetooth disable
# Verify Bluetooth is disabled
adb shell settings get global bluetooth_on
# Expected output: 0
# Check current Android security patch level
adb shell getprop ro.build.version.security_patch
# Ensure date is 2024-02-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
