Herald: No mitigation for CVE-2020-12856 (required for older phones) #11
Comments
@pivotal-djoo Please review. Earlier versions still used the PairingFix code.
@gkozens @ckitchner Any update?
The issue is waiting on code licensing from Australia to integrate in Herald.
Hello @jimmo, thanks for alerting us to this issue. We got confirmation that Herald v2.0.0 will include a fix (theheraldproject/herald-for-android#88) to address this. We're working on upgrading Herald in the next version of ABTraceTogether to include this fix and other updates. We do not have exact dates at the moment, so stay tuned for any updates. Thank you for your help on improving ABTraceTogether!
FYI: This repository has no security policy or process for raising security issues. As this is now a well-known issue, just raising an issue instead.
Please see theheraldproject/herald-for-android#88 which was raised in Dec 2020.
This is a very high-severity CVE allowing for:
Google has issued a fix for Android 8+, however it is unpatched on older phones.
The ABTT repo already has the code for the mitigation for this in PairingFix.java (from when @alwentiu and I first reported it to AB Health + Deloitte in May 2020), however the mitigation code appears to be now unused since the Herald migration.
It's worth noting that Google's fix for the CVE only stops the silent pairing, so the mitigation (which prevents the pairing altogether) still has some benefit on newer phones too. COVIDSafe shows a prominent notice to warn users against accepting pairing requests.