Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0002
Multiple vulnerabilities have been identified in Android
prior to Security patch levels of January 05, 2017.
4 January 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Nexus Devices
Operating System: Android
Impact/Access: Root Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2017-0404 CVE-2017-0403 CVE-2017-0402
CVE-2017-0401 CVE-2017-0400 CVE-2017-0399
CVE-2017-0398 CVE-2017-0397 CVE-2017-0396
CVE-2017-0395 CVE-2017-0394 CVE-2017-0393
CVE-2017-0392 CVE-2017-0391 CVE-2017-0390
CVE-2017-0389 CVE-2017-0388 CVE-2017-0387
CVE-2017-0386 CVE-2017-0385 CVE-2017-0384
CVE-2017-0383 CVE-2017-0382 CVE-2017-0381
CVE-2016-9754 CVE-2016-8482 CVE-2016-8475
CVE-2016-8474 CVE-2016-8473 CVE-2016-8472
CVE-2016-8471 CVE-2016-8470 CVE-2016-8469
CVE-2016-8468 CVE-2016-8467 CVE-2016-8466
CVE-2016-8465 CVE-2016-8464 CVE-2016-8463
CVE-2016-8462 CVE-2016-8461 CVE-2016-8460
CVE-2016-8459 CVE-2016-8458 CVE-2016-8457
CVE-2016-8456 CVE-2016-8455 CVE-2016-8454
CVE-2016-8453 CVE-2016-8452 CVE-2016-8451
CVE-2016-8450 CVE-2016-8449 CVE-2016-8448
CVE-2016-8447 CVE-2016-8446 CVE-2016-8445
CVE-2016-8444 CVE-2016-8443 CVE-2016-8442
CVE-2016-8441 CVE-2016-8440 CVE-2016-8439
CVE-2016-8438 CVE-2016-8437 CVE-2016-8436
CVE-2016-8435 CVE-2016-8434 CVE-2016-8433
CVE-2016-8432 CVE-2016-8431 CVE-2016-8430
CVE-2016-8429 CVE-2016-8428 CVE-2016-8427
CVE-2016-8426 CVE-2016-8425 CVE-2016-8424
CVE-2016-8423 CVE-2016-8422 CVE-2016-8415
CVE-2016-8412 CVE-2016-8398 CVE-2016-7042
CVE-2016-5345 CVE-2016-5180 CVE-2016-5080
CVE-2015-5706 CVE-2015-3288 CVE-2014-9420
Member content until: Friday, February 3 2017
Reference: ESB-2017.0029
ESB-2017.0008
ESB-2015.1627
ESB-2015.1626
ESB-2015.1497
OVERVIEW
Multiple vulnerabilities have been identified in Android
prior to Security patch levels of January 05, 2017. [1]
IMPACT
The vendor has provided the following information:
"Security vulnerability summary
The tables below contains a list of security vulnerabilities, the
Common Vulnerability and Exposures ID (CVE), the assessed severity,
and whether or not Google devices are affected. The severity assessment
is based on the effect that exploiting the vulnerability would possibly
have on an affected device, assuming the platform and service
mitigations are disabled for development purposes or if successfully
bypassed.
2017-01-01 security patch level-Vulnerability summary
Security patch levels of 2017-01-01 or later must address the following
issues.
Issue CVE Severity Affects Google devices?
Remote code execution vulnerability in Mediaserver CVE-2017-0381 Critical Yes
Remote code execution vulnerability in c-ares CVE-2016-5180 High Yes
Remote code execution vulnerability in Framesequence CVE-2017-0382 High Yes
Elevation of privilege vulnerability in Framework APIs CVE-2017-0383 High Yes
Elevation of privilege vulnerability in Audioserver CVE-2017-0384, CVE-2017-0385 High Yes
Elevation of privilege vulnerability in libnl CVE-2017-0386 High Yes
Elevation of privilege vulnerability in Mediaserver CVE-2017-0387 High Yes
Information disclosure vulnerability in External Storage Provider CVE-2017-0388 High Yes
Denial of service vulnerability in core networking CVE-2017-0389 High Yes
Denial of service vulnerability in Mediaserver CVE-2017-0390, CVE-2017-0391, CVE-2017-0392, CVE-2017-0393 High Yes
Denial of service vulnerability in Telephony CVE-2017-0394 High Yes
Elevation of privilege vulnerability in Contacts CVE-2017-0395 Moderate Yes
Information disclosure vulnerability in Mediaserver CVE-2017-0396, CVE-2017-0397 Moderate Yes
Information disclosure vulnerability in Audioserver CVE-2017-0398, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402 Moderate Yes
2017-01-05 security patch level-Vulnerability summary
Security patch levels of 2017-01-05 or later must address all of the
2017-01-01 issues, as well as the following issues.
Issue CVE Severity Affects Google devices?
Elevation of privilege vulnerability in kernel memory subsystem CVE-2015-3288 Critical Yes
Elevation of privilege vulnerability in Qualcomm bootloader CVE-2016-8422, CVE-2016-8423 Critical Yes
Elevation of privilege vulnerability in kernel file system CVE-2015-5706 Critical No*
Elevation of privilege vulnerability in NVIDIA GPU driver CVE-2016-8424, CVE-2016-8425, CVE-2016-8426, CVE-2016-8482, Critical Yes
CVE-2016-8427, CVE-2016-8428, CVE-2016-8429, CVE-2016-8430,
CVE-2016-8431, CVE-2016-8432
Elevation of privilege vulnerability in MediaTek driver CVE-2016-8433 Critical No*
Elevation of privilege vulnerability in Qualcomm GPU driver CVE-2016-8434 Critical Yes
Elevation of privilege vulnerability in NVIDIA GPU driver CVE-2016-8435 Critical Yes
Elevation of privilege vulnerability in Qualcomm video driver CVE-2016-8436 Critical No*
Vulnerabilities in Qualcomm components CVE-2016-5080, CVE-2016-8398, CVE-2016-8437, CVE-2016-8438, Critical No*
CVE-2016-8439, CVE-2016-8440, CVE-2016-8441, CVE-2016-8442,
CVE-2016-8443, CVE-2016-8459
Elevation of privilege vulnerability in Qualcomm camera CVE-2016-8412, CVE-2016-8444 High Yes
Elevation of privilege vulnerability in MediaTek components CVE-2016-8445, CVE-2016-8446, CVE-2016-8447, CVE-2016-8448 High No*
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver CVE-2016-8415 High Yes
Elevation of privilege vulnerability in NVIDIA GPU driver CVE-2016-8449 High Yes
Elevation of privilege vulnerability in Qualcomm sound driver CVE-2016-8450 High Yes
Elevation of privilege vulnerability in Synaptics touchscreen driver CVE-2016-8451 High No*
Elevation of privilege vulnerability in kernel security subsystem CVE-2016-7042 High Yes
Elevation of privilege vulnerability in kernel performance subsystem CVE-2017-0403 High Yes
Elevation of privilege vulnerability in kernel sound subsystem CVE-2017-0404 High Yes
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver CVE-2016-8452 High Yes
Elevation of privilege vulnerability in Qualcomm radio driver CVE-2016-5345 High Yes
Elevation of privilege vulnerability in kernel profiling subsystem CVE-2016-9754 High Yes
Elevation of privilege vulnerability in Broadcom Wi-Fi driver CVE-2016-8453, CVE-2016-8454, CVE-2016-8455, CVE-2016-8456, High Yes
CVE-2016-8457
Elevation of privilege vulnerability in Synaptics touchscreen driver CVE-2016-8458 High Yes
Information disclosure vulnerability in NVIDIA video driver CVE-2016-8460 High Yes
Information disclosure vulnerability in bootloader CVE-2016-8461, CVE-2016-8462 High Yes
Denial of service vulnerability in Qualcomm FUSE file system CVE-2016-8463 High No*
Denial of service vulnerability in bootloader CVE-2016-8467 High Yes
Elevation of privilege vulnerability in Broadcom Wi-Fi driver CVE-2016-8464, CVE-2016-8465, CVE-2016-8466 Moderate Yes
Elevation of privilege vulnerability in bootloader CVE-2016-8467 Moderate Yes
Elevation of privilege vulnerability in Binder CVE-2016-8468 Moderate Yes
Information disclosure vulnerability in NVIDIA camera driver CVE-2016-8469 Moderate Yes
Information disclosure vulnerability in MediaTek driver CVE-2016-8470, CVE-2016-8471, CVE-2016-8472 Moderate No*
Information disclosure vulnerability in STMicroelectronics driver CVE-2016-8473, CVE-2016-8474 Moderate Yes
Information disclosure vulnerability in Qualcomm audio post processor CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402 Moderate Yes
Information disclosure vulnerability in HTC input driver CVE-2016-8475 Moderate Yes
Denial of service vulnerability in kernel file system CVE-2014-9420 Moderate Yes
* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability." [1]
MITIGATION
Google advises it has released over-the-air (OTA) updates for Nexus,
and partner updates have been released to the Android Open
Source Project (AOSP). Android users are advised to update to the
latest versions to address these issues. [1]
REFERENCES
[1] Android Security Bulletin-January 2017
https://source.android.com/security/bulletin/2017-01-01.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWGx32Yx+lLeg9Ub1AQh14BAAjXbFKAY4mcSVojEmyAT8UEUoa/NDbCfz
aV/oYBuhCxe1jTfylwEI7K0e5BkQtlYdtZ/Wgk3KbkIqKGjNO1f1taq5t8dkdRF3
Bwxswzk7VytQ587oCSx04Wp8p8gFy/MjtGjJPku2IHUg7hFmpwC1F5QBXYkV2aIC
3hvCeuB3BR8EEa3Qws5kWR/KSh1X7QfsA+S5peVDKMm80o2rOP1y7hAG5D+mWcRg
pqaFVrcl/aZ3OxRn0AS4UzzxXp9PktRUvyB0ow06Nl9ukmR9wReDk8UFjvaYnCQW
YRLZe34XT5WjGY5OGzkw2B1rpr5bRIr+Ne4JXO2mtLWZ0gFIDY3Atvm8QzsmTw3f
WKx05rVfcN/PRw8la/gOKXK5xvZE57VIcFgD6Ro2UP+0SIghlIyrcKAWmiX7fhLG
BSAMgzg/PO9Di8e785HydmWTnPwnVwl2SzfNH7eRZAFXxq+zQLBndLqQlwPxUzWl
urjI5ZhWcvfq8/NHOuOgcOuwiCJXjdjKtJJk6A8qblKCLt4wHkDF/DMgfsn4U/vF
ky5mWHVHxeo549XABrUtVllJW0HFVzCTLQ/1KIzngPVC4IuKCLE7rNZR4yoWPeW0
uKlsELRJgN08zLP0goDgt5W4xKShFmLNFLLHNlkCyf4SCdOcXVGBrE6wSRrtA39q
zL2+n8KwyHs=
=xVfz
-----END PGP SIGNATURE-----