Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2016.0103 Multiple vulnerabilities have been identified in Android 9 November 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Nexus devices Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2016-7917 CVE-2016-7916 CVE-2016-7915 CVE-2016-7914 CVE-2016-7913 CVE-2016-7912 CVE-2016-7911 CVE-2016-7910 CVE-2016-6828 CVE-2016-6754 CVE-2016-6753 CVE-2016-6752 CVE-2016-6751 CVE-2016-6750 CVE-2016-6749 CVE-2016-6748 CVE-2016-6747 CVE-2016-6746 CVE-2016-6745 CVE-2016-6744 CVE-2016-6743 CVE-2016-6742 CVE-2016-6738 CVE-2016-6737 CVE-2016-6736 CVE-2016-6735 CVE-2016-6734 CVE-2016-6733 CVE-2016-6732 CVE-2016-6731 CVE-2016-6730 CVE-2016-6729 CVE-2016-6728 CVE-2016-6727 CVE-2016-6726 CVE-2016-6725 CVE-2016-6724 CVE-2016-6723 CVE-2016-6722 CVE-2016-6721 CVE-2016-6720 CVE-2016-6719 CVE-2016-6718 CVE-2016-6717 CVE-2016-6716 CVE-2016-6715 CVE-2016-6714 CVE-2016-6713 CVE-2016-6712 CVE-2016-6711 CVE-2016-6710 CVE-2016-6709 CVE-2016-6708 CVE-2016-6707 CVE-2016-6706 CVE-2016-6705 CVE-2016-6704 CVE-2016-6703 CVE-2016-6702 CVE-2016-6701 CVE-2016-6700 CVE-2016-6699 CVE-2016-6698 CVE-2016-6136 CVE-2016-5300 CVE-2016-5195 CVE-2016-3907 CVE-2016-3906 CVE-2016-3904 CVE-2016-2184 CVE-2016-0718 CVE-2015-8964 CVE-2015-8963 CVE-2015-8962 CVE-2015-8961 CVE-2015-1283 CVE-2015-0410 CVE-2014-9908 CVE-2014-9675 CVE-2012-6702 Member content until: Friday, December 9 2016 Reference: ASB-2016.0081 ASB-2016.0075 ESB-2015.0146 OVERVIEW Multiple vulnerabilities have been identified in Android prior to Security patch levels of November 06, 2016. [1] IMPACT The vendor has provided the following information: "2016-11-01 security patch level—Vulnerability summary Security patch levels of 2016-11-01 or later must address the following issues. Issue CVE Severity Affects Google devices? Remote code execution vulnerability in Mediaserver CVE-2016-6699 Critical Yes Elevation of privilege vulnerability in libzipfile CVE-2016-6700 Critical No* Remote code execution vulnerability in Skia CVE-2016-6701 High Yes Remote code execution vulnerability in libjpeg CVE-2016-6702 High No* Remote code execution vulnerability in Android runtime CVE-2016-6703 High No* Elevation of privilege vulnerability in Mediaserver CVE-2016-6704, CVE-2016-6705, CVE-2016-6706 High Yes Elevation of privilege vulnerability in System Server CVE-2016-6707 High Yes Elevation of privilege vulnerability in System UI CVE-2016-6708 High Yes Information disclosure vulnerability in Conscrypt CVE-2016-6709 High Yes Information disclosure vulnerability in download manager CVE-2016-6710 High Yes Denial of service vulnerability in Bluetooth CVE-2014-9908 High No* Denial of service vulnerability in OpenJDK CVE-2015-0410 High Yes Denial of service vulnerability in Mediaserver CVE-2016-6711, CVE-2016-6712, CVE-2016-6713, CVE-2016-6714 High Yes Elevation of privilege vulnerability in Framework APIs CVE-2016-6715 Moderate Yes Elevation of privilege vulnerability in AOSP Launcher CVE-2016-6716 Moderate Yes Elevation of privilege vulnerability in Mediaserver CVE-2016-6717 Moderate Yes Elevation of privilege vulnerability in Account Manager Service CVE-2016-6718 Moderate Yes Elevation of privilege vulnerability in Bluetooth CVE-2016-6719 Moderate Yes Information disclosure vulnerability in Mediaserver CVE-2016-6720, CVE-2016-6721, CVE-2016-6722 Moderate Yes Denial of service vulnerability in Proxy Auto Config CVE-2016-6723 Moderate Yes Denial of service vulnerability in Input Manager Service CVE-2016-6724 Moderate Yes * Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. 2016-11-05 security patch level—Vulnerability summary Security patch levels of 2016-11-05 or later must address all of the 2016-11-01 issues, as well as the following issues. Issue CVE Severity Affects Google devices? Remote code execution vulnerability in Qualcomm crypto driver CVE-2016-6725 Critical Yes Elevation of privilege vulnerability in kernel file system CVE-2015-8961, CVE-2016-7910, CVE-2016-7911 Critical Yes Elevation of privilege vulnerability in kernel SCSI driver CVE-2015-8962 Critical Yes Elevation of privilege vulnerability in kernel media driver CVE-2016-7913 Critical Yes Elevation of privilege vulnerability in kernel USB driver CVE-2016-7912 Critical Yes Elevation of privilege vulnerability in kernel ION subsystem CVE-2016-6728 Critical Yes Elevation of privilege vulnerability in Qualcomm bootloader CVE-2016-6729 Critical Yes Elevation of privilege vulnerability in NVIDIA GPU driver CVE-2016-6730, CVE-2016-6731, CVE-2016-6732, CVE-2016-6733, CVE-2016-6734, CVE-2016-6735, CVE-2016-6736 Critical Yes Elevation of privilege vulnerability in kernel networking subsystem CVE-2016-6828 Critical Yes Elevation of privilege vulnerability in kernel sound subsystem CVE-2016-2184 Critical Yes Elevation of privilege vulnerability in kernel ION subsystem CVE-2016-6737 Critical Yes Vulnerabilities in Qualcomm components CVE-2016-6726, CVE-2016-6727 Critical Yes Remote code execution vulnerability in Expat CVE-2016-0718, CVE-2012-6702, CVE-2016-5300, CVE-2015-1283 High No* Remote code execution vulnerability in Webview CVE-2016-6754 High No* Remote code execution vulnerability in Freetype CVE-2014-9675 High No* Elevation of privilege vulnerability in kernel performance subsystem CVE-2015-8963 High Yes Elevation of privilege vulnerability in kernel system-call auditing subsystem CVE-2016-6136 High Yes Elevation of privilege vulnerability in Qualcomm crypto engine driver CVE-2016-6738 High Yes Elevation of privilege vulnerability in Qualcomm bus driver CVE-2016-3904 High Yes Elevation of privilege vulnerability in Synaptics touchscreen driver CVE-2016-6742, CVE-2016-6744, CVE-2016-6745, CVE-2016-6743 High Yes Information disclosure vulnerability in kernel components CVE-2015-8964, CVE-2016-7914, CVE-2016-7915, CVE-2016-7916 High Yes Information disclosure vulnerability in NVIDIA GPU driver CVE-2016-6746 High Yes Denial of service vulnerability in Mediaserver CVE-2016-6747 High Yes Information disclosure vulnerability in kernel components CVE-2016-6753, CVE-2016-7917 Moderate Yes Information disclosure vulnerability in Qualcomm components CVE-2016-6748, CVE-2016-6749, CVE-2016-6750, CVE-2016-3906, CVE-2016-3907, CVE-2016-6698, CVE-2016-6751, CVE-2016-6752 Moderate Yes * Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability. 2016-11-06 security patch level—Vulnerability summary Security patch levels of 2016-11-06 or later must address all of the 2016-11-05 and 2016-11-01 issues, as well as the following issues. Issue CVE Severity Affects Google devices? Elevation of privilege vulnerability in kernel memory subsystem CVE-2016-5195 Critical Yes" [1] MITIGATION Google advises it has released over-the-air (OTA) updates for Nexus, and partner updates have been released to the Android Open Source Project (AOSP). Android users are advised to update to the latest versions to address these issues. [1] REFERENCES [1] Android Security Bulletin—November 2016 https://source.android.com/security/bulletin/2016-11-01.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWCKKoIx+lLeg9Ub1AQgNIA/+NdmLS71QUcxS5pFcZpciNvNB9QmxCe6L XfSbW7Qzhvc8Iv9iYMYjRkwTjCKbXCyCkWIs4B8pnW4QJUcVj0YEZTGc9l+Vglk3 aPGGNQ5uvAqVUoUjXOCHSQGv9/KZTIAsmRs8IwdoP5w+QW4PqSRFgmZA75V2pnKJ Aq8QzobYbdd4esMWmI7vDP7A7QWNl19dwjEthDEq9W6Xe6HSfM0PKRZfT2pbKTwg qq6pJA44ZxSJslYHQbNK/rkaRz3o8x/XaMF3eKv4YwX+agWjV+BfUC73P3htbblj IU9ZykqqvIH8m7bYvppXICqZD/ThBkMmzjuPJG1uPMOcHgkLsXr39Bxkg7CGJKXV BJeNkOTm4KHhuHOBzW53Acm1O4ggjUqMlnD0A2HiMDOcKjNoNWwjj82abbBF7Oie lyDfvIz5qDqFkss5WMtfKWs52Jht8qrLIFdKg5hh7tLsVcTdDohEdWcvc1ILbNHF ODvETX5pg4oOUkZMuatE9anN/PrveVMJsv49oDp5SBHuDeb4KlOx9sW8WgFMgOdy F9RMwoEypDkeP811qbN0P29K44DfHFNZ+UUg7EcpjuvTukGHRxCLJHSaKDOKAjBJ Bl3BqxnSHSa6+0Q0vKuXAPPq/HbC9srGUZgXBINi990jvK/PgTjBVBV3MIN8Oh87 F+akbD0wlFE= =qXKi -----END PGP SIGNATURE-----