===========================================================================
AUSCERT Security Bulletin

ASB-2017.0002
Multiple vulnerabilities have been identified in Android prior to
Security patch levels of January 05, 2017.
4 January 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Google Nexus Devices
Operating System:  Android
Impact/Access:     Root Compromise                 -- Existing Account
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-0404 CVE-2017-0403 CVE-2017-0402 CVE-2017-0401
                   CVE-2017-0400 CVE-2017-0399 CVE-2017-0398 CVE-2017-0397
                   CVE-2017-0396 CVE-2017-0395 CVE-2017-0394 CVE-2017-0393
                   CVE-2017-0392 CVE-2017-0391 CVE-2017-0390 CVE-2017-0389
                   CVE-2017-0388 CVE-2017-0387 CVE-2017-0386 CVE-2017-0385
                   CVE-2017-0384 CVE-2017-0383 CVE-2017-0382 CVE-2017-0381
                   CVE-2016-9754 CVE-2016-8482 CVE-2016-8475 CVE-2016-8474
                   CVE-2016-8473 CVE-2016-8472 CVE-2016-8471 CVE-2016-8470
                   CVE-2016-8469 CVE-2016-8468 CVE-2016-8467 CVE-2016-8466
                   CVE-2016-8465 CVE-2016-8464 CVE-2016-8463 CVE-2016-8462
                   CVE-2016-8461 CVE-2016-8460 CVE-2016-8459 CVE-2016-8458
                   CVE-2016-8457 CVE-2016-8456 CVE-2016-8455 CVE-2016-8454
                   CVE-2016-8453 CVE-2016-8452 CVE-2016-8451 CVE-2016-8450
                   CVE-2016-8449 CVE-2016-8448 CVE-2016-8447 CVE-2016-8446
                   CVE-2016-8445 CVE-2016-8444 CVE-2016-8443 CVE-2016-8442
                   CVE-2016-8441 CVE-2016-8440 CVE-2016-8439 CVE-2016-8438
                   CVE-2016-8437 CVE-2016-8436 CVE-2016-8435 CVE-2016-8434
                   CVE-2016-8433 CVE-2016-8432 CVE-2016-8431 CVE-2016-8430
                   CVE-2016-8429 CVE-2016-8428 CVE-2016-8427 CVE-2016-8426
                   CVE-2016-8425 CVE-2016-8424 CVE-2016-8423 CVE-2016-8422
                   CVE-2016-8415 CVE-2016-8412 CVE-2016-8398 CVE-2016-7042
                   CVE-2016-5345 CVE-2016-5180 CVE-2016-5080 CVE-2015-5706
                   CVE-2015-3288 CVE-2014-9420
Member content until: Friday, February 3 2017
Reference:         ESB-2017.0029
                   ESB-2017.0008
                   ESB-2015.1627
                   ESB-2015.1626
                   ESB-2015.1497

OVERVIEW

Multiple vulnerabilities have been identified in Android prior to
Security patch levels of January 05, 2017. [1]

IMPACT

The vendor has provided the following information:

"Security vulnerability summary

The tables below contain a list of security vulnerabilities, the Common
Vulnerability and Exposures ID (CVE), the assessed severity, and whether or
not Google devices are affected. The severity assessment is based on the
effect that exploiting the vulnerability would possibly have on an affected
device, assuming the platform and service mitigations are disabled for
development purposes or if successfully bypassed.

2017-01-01 security patch level - Vulnerability summary

Security patch levels of 2017-01-01 or later must address the following
issues.

| Issue | CVE | Severity | Affects Google devices? |
|-------|-----|----------|-------------------------|
| Remote code execution vulnerability in Mediaserver | CVE-2017-0381 | Critical | Yes |
| Remote code execution vulnerability in c-ares | CVE-2016-5180 | High | Yes |
| Remote code execution vulnerability in Framesequence | CVE-2017-0382 | High | Yes |
| Elevation of privilege vulnerability in Framework APIs | CVE-2017-0383 | High | Yes |
| Elevation of privilege vulnerability in Audioserver | CVE-2017-0384, CVE-2017-0385 | High | Yes |
| Elevation of privilege vulnerability in libnl | CVE-2017-0386 | High | Yes |
| Elevation of privilege vulnerability in Mediaserver | CVE-2017-0387 | High | Yes |
| Information disclosure vulnerability in External Storage Provider | CVE-2017-0388 | High | Yes |
| Denial of service vulnerability in core networking | CVE-2017-0389 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2017-0390, CVE-2017-0391, CVE-2017-0392, CVE-2017-0393 | High | Yes |
| Denial of service vulnerability in Telephony | CVE-2017-0394 | High | Yes |
| Elevation of privilege vulnerability in Contacts | CVE-2017-0395 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2017-0396, CVE-2017-0397 | Moderate | Yes |
| Information disclosure vulnerability in Audioserver | CVE-2017-0398, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402 | Moderate | Yes |

2017-01-05 security patch level - Vulnerability summary

Security patch levels of 2017-01-05 or later must address all of the
2017-01-01 issues, as well as the following issues.

| Issue | CVE | Severity | Affects Google devices? |
|-------|-----|----------|-------------------------|
| Elevation of privilege vulnerability in kernel memory subsystem | CVE-2015-3288 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm bootloader | CVE-2016-8422, CVE-2016-8423 | Critical | Yes |
| Elevation of privilege vulnerability in kernel file system | CVE-2015-5706 | Critical | No* |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2016-8424, CVE-2016-8425, CVE-2016-8426, CVE-2016-8482, CVE-2016-8427, CVE-2016-8428, CVE-2016-8429, CVE-2016-8430, CVE-2016-8431, CVE-2016-8432 | Critical | Yes |
| Elevation of privilege vulnerability in MediaTek driver | CVE-2016-8433 | Critical | No* |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-8434 | Critical | Yes |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2016-8435 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm video driver | CVE-2016-8436 | Critical | No* |
| Vulnerabilities in Qualcomm components | CVE-2016-5080, CVE-2016-8398, CVE-2016-8437, CVE-2016-8438, CVE-2016-8439, CVE-2016-8440, CVE-2016-8441, CVE-2016-8442, CVE-2016-8443, CVE-2016-8459 | Critical | No* |
| Elevation of privilege vulnerability in Qualcomm camera | CVE-2016-8412, CVE-2016-8444 | High | Yes |
| Elevation of privilege vulnerability in MediaTek components | CVE-2016-8445, CVE-2016-8446, CVE-2016-8447, CVE-2016-8448 | High | No* |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2016-8415 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2016-8449 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm sound driver | CVE-2016-8450 | High | Yes |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2016-8451 | High | No* |
| Elevation of privilege vulnerability in kernel security subsystem | CVE-2016-7042 | High | Yes |
| Elevation of privilege vulnerability in kernel performance subsystem | CVE-2017-0403 | High | Yes |
| Elevation of privilege vulnerability in kernel sound subsystem | CVE-2017-0404 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2016-8452 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm radio driver | CVE-2016-5345 | High | Yes |
| Elevation of privilege vulnerability in kernel profiling subsystem | CVE-2016-9754 | High | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2016-8453, CVE-2016-8454, CVE-2016-8455, CVE-2016-8456, CVE-2016-8457 | High | Yes |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2016-8458 | High | Yes |
| Information disclosure vulnerability in NVIDIA video driver | CVE-2016-8460 | High | Yes |
| Information disclosure vulnerability in bootloader | CVE-2016-8461, CVE-2016-8462 | High | Yes |
| Denial of service vulnerability in Qualcomm FUSE file system | CVE-2016-8463 | High | No* |
| Denial of service vulnerability in bootloader | CVE-2016-8467 | High | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2016-8464, CVE-2016-8465, CVE-2016-8466 | Moderate | Yes |
| Elevation of privilege vulnerability in bootloader | CVE-2016-8467 | Moderate | Yes |
| Elevation of privilege vulnerability in Binder | CVE-2016-8468 | Moderate | Yes |
| Information disclosure vulnerability in NVIDIA camera driver | CVE-2016-8469 | Moderate | Yes |
| Information disclosure vulnerability in MediaTek driver | CVE-2016-8470, CVE-2016-8471, CVE-2016-8472 | Moderate | No* |
| Information disclosure vulnerability in STMicroelectronics driver | CVE-2016-8473, CVE-2016-8474 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm audio post processor | CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402 | Moderate | Yes |
| Information disclosure vulnerability in HTC input driver | CVE-2016-8475 | Moderate | Yes |
| Denial of service vulnerability in kernel file system | CVE-2014-9420 | Moderate | Yes |

* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability." [1]

MITIGATION

Google advises it has released over-the-air (OTA) updates for Nexus, and
partner updates have been released to the Android Open Source Project
(AOSP). Android users are advised to update to the latest versions to
address these issues. [1]

REFERENCES

[1] Android Security Bulletin-January 2017
    https://source.android.com/security/bulletin/2017-01-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================