{"id":"ASB-A-201660636","details":"In startLegacyVpnPrivileged of Vpn.java, there is a possible way to retrieve VPN credentials due to a protocol downgrade attack. This could lead to remote escalation of privilege if a malicious Wi-Fi AP is used, with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-201660636","CVE-2022-20145"],"modified":"2026-04-17T15:55:28.020024Z","published":"2022-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-06-01"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L-next:0"},{"fixed":"12L-next:2022-06-01"}]}],"versions":["12L-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/997a4a39268b4f3af7ccc388269b5eb1972d3624"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/connectivity/Vpn.java","function":"startLegacyVpnPrivileged"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-201660636-778b43c5","digest":{"length":4238,"function_hash":"181908655664340743310836410909499747456"},"source":"https://android.googlesource.com/platform/frameworks/base/+/997a4a39268b4f3af7ccc388269b5eb1972d3624","deprecated":false,"match_only_versions":["12L-next"]},{"target":{"file":"services/core/java/com/android/server/connectivity/Vpn.java"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-201660636-808b70d9","digest":{"threshold":0.9,"line_hashes":["310420844565035605711898439638995842787","141694103092497877505817561513087308202","91151349295014701793357698726701859332","143298619551031351133583037249021244398"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/997a4a39268b4f3af7ccc388269b5eb1972d3624","deprecated":false,"match_only_versions":["12L-next"]}],"types":["EoP"],"spl":"2022-06-01","severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-201660636.json"}},{"package":{"name":"platform/packages/modules/Connectivity","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L-next:0"},{"fixed":"12L-next:2022-06-01"}]}],"versions":["12L-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/modules/Connectivity/+/c8b753a3aa42b101793a27916016d03785827401"],"types":["EoP"],"spl":"2022-06-01","severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-201660636.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-06-01"}]}],"versions":["11"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4f319df8ff5a4b9f2bc62cb17df972e40b57fc81"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/connectivity/Vpn.java"},"signature_type":"Line","id":"ASB-A-201660636-235344a7","digest":{"threshold":0.9,"line_hashes":["156891270955903780043775609290162233815","133982004637884660116241644810161162033","91151349295014701793357698726701859332","143298619551031351133583037249021244398"]},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4f319df8ff5a4b9f2bc62cb17df972e40b57fc81"},{"target":{"file":"services/core/java/com/android/server/connectivity/Vpn.java","function":"startLegacyVpnPrivileged"},"signature_type":"Function","id":"ASB-A-201660636-515cac60","digest":{"length":4033,"function_hash":"19316691569686554789825456265325068290"},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4f319df8ff5a4b9f2bc62cb17df972e40b57fc81"}],"types":["EoP"],"spl":"2022-06-01","severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-201660636.json"}}],"schema_version":"1.7.5"}