Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0080
Multiple vulnerabilities have been identified in Android
prior to security patch level string 2017-06-05.
6 June 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Nexus devices
Operating System: Android
Impact/Access: Root Compromise -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-8242 CVE-2017-8241 CVE-2017-8240
CVE-2017-8239 CVE-2017-8237 CVE-2017-8236
CVE-2017-8235 CVE-2017-8234 CVE-2017-8233
CVE-2017-7376 CVE-2017-7375 CVE-2017-7373
CVE-2017-7372 CVE-2017-7371 CVE-2017-7370
CVE-2017-7369 CVE-2017-7368 CVE-2017-7367
CVE-2017-7366 CVE-2017-7365 CVE-2017-7364
CVE-2017-6421 CVE-2017-6248 CVE-2017-6247
CVE-2017-5056 CVE-2017-0663 CVE-2017-0651
CVE-2017-0650 CVE-2017-0649 CVE-2017-0648
CVE-2017-0647 CVE-2017-0646 CVE-2017-0645
CVE-2017-0644 CVE-2017-0643 CVE-2017-0642
CVE-2017-0641 CVE-2017-0640 CVE-2017-0639
CVE-2017-0638 CVE-2017-0637 CVE-2017-0636
CVE-2017-0391 CVE-2016-10342 CVE-2016-10341
CVE-2016-10340 CVE-2016-10339 CVE-2016-10338
CVE-2016-10337 CVE-2016-10336 CVE-2016-10335
CVE-2016-10334 CVE-2016-10333 CVE-2016-10332
CVE-2016-10299 CVE-2016-10298 CVE-2016-8332
CVE-2016-5864 CVE-2016-5861 CVE-2016-5131
CVE-2016-4658 CVE-2016-1839 CVE-2015-9033
CVE-2015-9032 CVE-2015-9031 CVE-2015-9030
CVE-2015-9029 CVE-2015-9028 CVE-2015-9027
CVE-2015-9026 CVE-2015-9025 CVE-2015-9024
CVE-2015-9023 CVE-2015-9022 CVE-2015-9021
CVE-2015-9020 CVE-2015-9015 CVE-2015-9014
CVE-2015-9013 CVE-2015-9012 CVE-2015-9011
CVE-2015-9010 CVE-2015-9009 CVE-2015-9008
CVE-2015-8871 CVE-2015-7995 CVE-2014-9967
CVE-2014-9966 CVE-2014-9965 CVE-2014-9964
CVE-2014-9963 CVE-2014-9962 CVE-2014-9961
CVE-2014-9960 CVE-2014-9959 CVE-2014-9958
CVE-2014-9957 CVE-2014-9956 CVE-2014-9955
CVE-2014-9954 CVE-2014-9953
Member content until: Thursday, July 6 2017
Reference: ASB-2017.0030
ASB-2017.0012
ESB-2016.0140
ESB-2016.0139
OVERVIEW
Multiple vulnerabilities have been identified in Android
prior to security patch level string 2017-06-05. [1]
IMPACT
The vendor has provided the following information:
"2017-06-01 security patch level—Vulnerability details:
CVE References Type Severity Updated AOSP versions
CVE-2017-0639 A-35310991 ID High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0645 A-35385327 EoP Moderate 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0646 A-33899337 ID Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE References Type Severity Updated AOSP versions
CVE-2015-8871 A-35443562 RCE High 5.0.2, 5.1.1, 6.0, 6.0.1
CVE-2016-8332 A-37761553 RCE High 5.0.2, 5.1.1, 6.0, 6.0.1
CVE-2016-5131 A-36554209 RCE High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2016-4658 A-36554207 RCE High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0663 A-37104170 RCE High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-7376 A-36555370 RCE High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-5056 A-36809819 RCE Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-7375 A-36556310 RCE Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0647 A-36392138 ID Moderate 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2016-1839 A-36553781 DoS Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE References Type Severity Updated AOSP versions
CVE-2017-0637 A-34064500 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0391 A-32322258 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0640 A-33129467 DoS High 6.0, 6.0.1, 7.0, 7.1.1
CVE-2017-0641 A-34360591 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0642 A-34819017 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0643 A-35645051 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1
CVE-2017-0644 A-35472997 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1
CVE References Type Severity Updated AOSP versions
CVE-2017-0638 A-36368305 RCE High 7.1.1, 7.1.2
2017-06-05 security patch level-Vulnerability details:
CVE References Type Severity Component
CVE-2017-0648 A-36101220* EoP High FIQ debugger
CVE-2017-0651 A-35644815* ID Low ION subsystem
CVE References Type Severity Updated AOSP versions
CVE-2015-7995 A-36810065 ID Moderate 4.4.4
CVE References Type Severity Component
CVE-2017-0636 A-35310230* EoP High Command queue driver
M-ALPS03162263
CVE-2017-0649 A-34468195* EoP Moderate Sound driver
M-ALPS03162283
CVE References Type Severity Component
CVE-2017-6247 A-34386301* EoP High Sound driver
N-CVE-2017-6247
CVE-2017-6248 A-34372667* EoP Moderate Sound driver
N-CVE-2017-6248
CVE References Type Severity Component
CVE-2017-7371 A-36250786 RCE Critical Bluetooth driver
QC-CR#1101054
CVE-2017-7365 A-32449913 EoP High Bootloader
QC-CR#1017009
CVE-2017-7366 A-36252171 EoP High GPU driver
QC-CR#1036161 [2]
CVE-2017-7367 A-34514708 DoS High Bootloader
QC-CR#1008421
CVE-2016-5861 A-36251375 EoP Moderate Video driver
QC-CR#1103510
CVE-2016-5864 A-36251231 EoP Moderate Sound driver
QC-CR#1105441
CVE-2017-6421 A-36251986 EoP Moderate MStar touchscreen driver
QC-CR#1110563
CVE-2017-7364 A-36252179 EoP Moderate Video driver
QC-CR#1113926
CVE-2017-7368 A-33452365 EoP Moderate Sound driver
QC-CR#1103085
CVE-2017-7369 A-33751424 EoP Moderate Sound driver
QC-CR#2009216 [2]
CVE-2017-7370 A-34328139 EoP Moderate Video driver
QC-CR#2006159
CVE-2017-7372 A-36251497 EoP Moderate Video driver
QC-CR#1110068
CVE-2017-7373 A-36251984 EoP Moderate Video driver
QC-CR#1090244
CVE-2017-8233 A-34621613 EoP Moderate Camera driver
QC-CR#2004036
CVE-2017-8234 A-36252121 EoP Moderate Camera driver
QC-CR#832920
CVE-2017-8235 A-36252376 EoP Moderate Camera driver
QC-CR#1083323
CVE-2017-8236 A-35047217 EoP Moderate IPA driver
QC-CR#2009606
CVE-2017-8237 A-36252377 EoP Moderate Networking driver
QC-CR#1110522
CVE-2017-8242 A-34327981 EoP Moderate Secure execution environment communication driver
QC-CR#2009231
CVE-2017-8239 A-36251230 ID Moderate Camera driver
QC-CR#1091603
CVE-2017-8240 A-36251985 ID Moderate Pin controller driver
QC-CR#856379
CVE-2017-8241 A-34203184 ID Low Wi-Fi driver
QC-CR#1069175
CVE References Type Severity Component
CVE-2017-0650 A-35472278* EoP Low Touchscreen driver
CVE References Type Severity Component
CVE-2014-9960 A-37280308* N/A Critical Closed-source component
QC-CR#381837
CVE-2014-9961 A-37279724* N/A Critical Closed-source component
QC-CR#581093
CVE-2014-9953 A-36714770* N/A Critical Closed-source component
QC-CR#642173
CVE-2014-9967 A-37281466* N/A Critical Closed-source component
QC-CR#739110
CVE-2015-9026 A-37277231* N/A Critical Closed-source component
QC-CR#748397
CVE-2015-9027 A-37279124* N/A Critical Closed-source component
QC-CR#748407
CVE-2015-9008 A-36384689* N/A Critical Closed-source component
QC-CR#762111
CVE-2015-9009 A-36393600* N/A Critical Closed-source component
QC-CR#762182
CVE-2015-9010 A-36393101* N/A Critical Closed-source component
QC-CR#758752
CVE-2015-9011 A-36714882* N/A Critical Closed-source component
QC-CR#762167
CVE-2015-9024 A-37265657* N/A Critical Closed-source component
QC-CR#740680
CVE-2015-9012 A-36384691* N/A Critical Closed-source component
QC-CR#746617
CVE-2015-9013 A-36393251* N/A Critical Closed-source component
QC-CR#814373
CVE-2015-9014 A-36393750* N/A Critical Closed-source component
QC-CR#855220
CVE-2015-9015 A-36714120* N/A Critical Closed-source component
QC-CR#701858
CVE-2015-9029 A-37276981* N/A Critical Closed-source component
QC-CR#827837
CVE-2016-10338 A-37277738* N/A Critical Closed-source component
QC-CR#987699
CVE-2016-10336 A-37278436* N/A Critical Closed-source component
QC-CR#973605
CVE-2016-10333 A-37280574* N/A Critical Closed-source component
QC-CR#947438
CVE-2016-10341 A-37281667* N/A Critical Closed-source component
QC-CR#991476
CVE-2016-10335 A-37282802* N/A Critical Closed-source component
QC-CR#961142
CVE-2016-10340 A-37280614* N/A Critical Closed-source component
QC-CR#989028
CVE-2016-10334 A-37280664* N/A Critical Closed-source component
QC-CR#949933
CVE-2016-10339 A-37280575* N/A Critical Closed-source component
QC-CR#988502
CVE-2016-10298 A-36393252* N/A Critical Closed-source component
QC-CR#1020465
CVE-2016-10299 A-32577244* N/A Critical Closed-source component
QC-CR#1058511
CVE-2014-9954 A-36388559* N/A High Closed-source component
QC-CR#552880
CVE-2014-9955 A-36384686* N/A High Closed-source component
QC-CR#622701
CVE-2014-9956 A-36389611* N/A High Closed-source component
QC-CR#638127
CVE-2014-9957 A-36387564* N/A High Closed-source component
QC-CR#638984
CVE-2014-9958 A-36384774* N/A High Closed-source component
QC-CR#638135
CVE-2014-9962 A-37275888* N/A High Closed-source component
QC-CR#656267
CVE-2014-9963 A-37276741* N/A High Closed-source component
QC-CR#657771
CVE-2014-9959 A-36383694* N/A High Closed-source component
QC-CR#651900
CVE-2014-9964 A-37280321* N/A High Closed-source component
QC-CR#680778
CVE-2014-9965 A-37278233* N/A High Closed-source component
QC-CR#711585
CVE-2014-9966 A-37282854* N/A High Closed-source component
QC-CR#727398
CVE-2015-9023 A-37276138* N/A High Closed-source component
QC-CR#739802
CVE-2015-9020 A-37276742* N/A High Closed-source component
QC-CR#733455
CVE-2015-9021 A-37276743* N/A High Closed-source component
QC-CR#735148
CVE-2015-9025 A-37276744* N/A High Closed-source component
QC-CR#743985
CVE-2015-9022 A-37280226* N/A High Closed-source component
QC-CR#736146
CVE-2015-9028 A-37277982* N/A High Closed-source component
QC-CR#762764
CVE-2015-9031 A-37275889* N/A High Closed-source component
QC-CR#866015
CVE-2015-9032 A-37279125* N/A High Closed-source component
QC-CR#873202
CVE-2015-9033 A-37276139* N/A High Closed-source component
QC-CR#892541
CVE-2015-9030 A-37282907* N/A High Closed-source component
QC-CR#854667
CVE-2016-10332 A-37282801* N/A High Closed-source component
QC-CR#906713
QC-CR#917701
QC-CR#917702
CVE-2016-10337 A-37280665* N/A High Closed-source component
QC-CR#977632
CVE-2016-10342 A-37281763* N/A High Closed-source component
QC-CR#988941
" [1]
MITIGATION
Google advises it has released over-the-air (OTA) updates for Nexus,
and partner updates have been released to the Android Open Source
Project (AOSP). Android users are advised to update to the latest
versions to address these issues. [1]
REFERENCES
[1] Android Security Bulletin - June 2017
https://source.android.com/security/bulletin/2017-06-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWTY7t4x+lLeg9Ub1AQgXWQ/6AnlkLqFuu/3pAeqfp0PVMB+jkE57E5BR
NWKmazBSAQfFvgrOFKTDiclarGak2zxZ2XSh5Ux7GwLzwVVsVcUO1uruxiZ0F2nI
h08UIZdaxRjXCKoH/h6s5YPwH8FPS192ofCknKjK8XOLNyOtalc47/ZVmw6GEOfh
flYn/eZjQ1Rtff2On7KrtuBSXQTNdv3t4z7uQbyVSZdUnjW+0w8aqMYPy1gxrqci
L8ZNz6d0SPhLZPk7wKFPKEsM29JNqny6Ja1NHU+n4RW9Jvuuq3UrxcNr5SXfzbKg
OxJIFctBK00UkcubQYop1SJ2skxWdsTOTJfg4ATwjP7LHiIrAx1RgfZo9AE9v/Ij
vjE1jKfQuc9ZCPF+5b4XyXCcgra5OSWGTdTgFN4+3MQrOSPLM9Q8Sy/f+QVm6ej0
i82uCGsh4JZeeJpJB86f2SyUIkoRITyY0c/cHPyiKml3X4fHqIf8WhqQjULUSKro
jbWYVHYi+UawReu1QWhgLS7FYmdFmmvNcPCJUQuLgPRCw5l2wFqCT8g+kzqE+uX0
5R/Y7EPCNMowMpCwrVBDc5E3xJftSf0PWCmLtY7XcIZ118R+EsFJJP2Mq75Xp+in
fdZ48Pp9+RtBq42U+E/vdPVf8rU8Ven6DNpq5lIq1lpUxWlB33/rXUx432pQNAuL
Zbt6HTVvvUE=
=QMX0
-----END PGP SIGNATURE-----