Open jimmo opened 3 years ago
@pivotal-djoo Please review. Earlier versions still used the PairingFix code.
@gkozens @ckitchner Any update?
The issue is waiting on code licensing from Australia to integrate in Herald.
@gkozens @ckitchner See https://github.com/theheraldproject/herald-for-android/issues/88#issuecomment-854766589
Hello @jimmo, thanks for alerting us to this issue. We got confirmation that Herald v2.0.0 will include a [fix](https://github.com/theheraldproject/herald-for-android/issues/88) to address this. We're working on upgrading Herald in the next version of ABTraceTogether to include this fix and other updates. We do not have exact dates at the moment, so stay tuned for any updates. Thank you for your help on improving ABTraceTogether!
FYI: This repository has no security policy or process for raising security issues. As this is now a well-known issue, I am just raising an issue instead.
Please see https://github.com/theheraldproject/herald-for-android/issues/88 which was raised in Dec 2020.
This is a very high-severity CVE allowing for:
Google has issued a fix for Android 8+, however it is unpatched on older phones.
The ABTT repo already has the code for the mitigation for this in PairingFix.java (from when @alwentiu and I first reported it to AB Health + Deloitte in May 2020); however, the mitigation code appears to be unused now since the Herald migration.
It's worth noting that Google's fix for the CVE only stops the silent pairing, so the mitigation (which prevents the pairing altogether) still has some benefit on newer phones too. COVIDSafe shows a prominent notice to warn users from accepting pairing requests.