Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2017.0127 Multiple vulnerabilities have been identified in Android prior to security patch level string 2017-06-05. 8 August 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Nexus devices Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2017-10663 CVE-2017-10662 CVE-2017-10661 CVE-2017-9691 CVE-2017-9684 CVE-2017-9682 CVE-2017-9678 CVE-2017-0750 CVE-2017-0749 CVE-2017-0747 CVE-2017-0746 CVE-2017-0745 CVE-2017-0742 CVE-2017-0741 CVE-2017-0740 CVE-2017-0739 CVE-2017-0738 CVE-2017-0737 CVE-2017-0736 CVE-2017-0735 CVE-2017-0734 CVE-2017-0733 CVE-2017-0732 CVE-2017-0731 CVE-2017-0730 CVE-2017-0729 CVE-2017-0728 CVE-2017-0727 CVE-2017-0726 CVE-2017-0725 CVE-2017-0724 CVE-2017-0723 CVE-2017-0722 CVE-2017-0721 CVE-2017-0720 CVE-2017-0719 CVE-2017-0718 CVE-2017-0716 CVE-2017-0715 CVE-2017-0714 CVE-2017-0713 CVE-2017-0712 Member content until: Thursday, September 7 2017 OVERVIEW Multiple vulnerabilities have been identified in Android prior to security patch level strings 2017-08-01 and 2017-08-05. [1] IMPACT The vendor has provided the following information: " 2017-08-01 security patch level - Vulnerability details CVE References Type Severity Updated AOSP versions CVE-2017-0712 A-37207928 EoP Moderate 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE References Type Severity Updated AOSP versions CVE-2017-0713 A-32096780 RCE High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE References Type Severity Updated AOSP versions CVE-2017-0714 A-36492637 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0715 A-36998372 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0716 A-37203196 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0718 A-37273547 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0719 A-37273673 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0720 A-37430213 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0721 A-37561455 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0722 A-37660827 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0723 A-37968755 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0745 A-37079296 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0724 A-36819262 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0725 A-37627194 DoS High 7.0, 7.1.1, 7.1.2 CVE-2017-0726 A-36389123 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0727 A-33004354 EoP High 7.0, 7.1.1, 7.1.2 CVE-2017-0728 A-37469795 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0729 A-37710346 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0730 A-36279112 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0731 A-36075363 EoP High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0732 A-37504237 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0733 A-38391487 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0734 A-38014992 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0735 A-38239864 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0736 A-38487564 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0737 A-37563942 EoP High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0738 A-37563371 ID Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2017-0739 A-37712181 ID Moderate 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 2017-08-05 security patch level - Vulnerability details CVE References Type Severity Component CVE-2017-0740 A-37168488* RCE Moderate Networking driver B-RB#116402 CVE References Type Severity Component CVE-2017-10661 A-36266767 EoP High File system Upstream kernel CVE-2017-0750 A-36817013* EoP Moderate File system CVE-2017-10662 A-36815012 EoP Moderate File system Upstream kernel CVE-2017-10663 A-36588520 EoP Moderate File System Upstream kernel CVE-2017-0749 A-36007735* EoP Moderate Linux kernel CVE References Type Severity Component CVE-2017-0741 A-32458601* EoP High GPU driver M-ALPS03007523 CVE-2017-0742 A-36074857* EoP Moderate Video driver M-ALPS03275524 CVE References Type Severity Component CVE-2017-0746 A-35467471* EoP Moderate IPA driver QC-CR#2029392 CVE-2017-0747 A-32524214* EoP Moderate Proprietary Component QC-CR#2044821 CVE-2017-9678 A-35258962* EoP Moderate Video driver QC-CR#2028228 CVE-2017-9691 A-33842910* EoP Moderate MobiCore driver (Trustonic) QC-CR#1116560 CVE-2017-9684 A-35136547* EoP Moderate USB driver QC-CR#2037524 CVE-2017-9682 A-36491445* ID Moderate GPU driver QC-CR#2030434 Abbreviation Definition RCE Remote code execution EoP Elevation of privilege ID Information disclosure DoS Denial of service N/A Classification not available " [1] MITIGATION Google advises it has released over-the-air (OTA) updates for Nexus and Pixel devices,and partner updates have been released to the Android Open Source Project (AOSP). Android users are advised to update to the latest versions to address these issues. [1] REFERENCES [1] Android Security Bulletin - August 2017 https://source.android.com/security/bulletin/2017-08-01 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWYkmIYx+lLeg9Ub1AQiIHhAAg1T9kMA3wQ6ZqtR74cPmcWk2zN+jIZGj HoR8UNy0AhFAQWDqKQRgGKBVWmObM0EeEKxlQaNNQVmZm/q8PWSfGAzua5UriJgB VYXb5tnFFbf6H6Qy5jHsfyhUTMiLXhd1eF+Uefd9gou3v4W6ZJpZxbeORPdcyMNd 6lX9U9rWRInYnlICIXlFWNWUNy0pbtMQD9QgTXKQ4RUn0ePOuuEtXuKDz/MudcKX gBXtnRvqJ4e3rY3j5QraKKRZ0x72lvB0dua6eiGrVVD4VyMF0bBSoetU73vgPdip zY17JoF3q602pq+NQVmecyTzUZq0ZjkNnAGMH1p3a+4VNxIaAiXhGPcPOzrgwaTK Io7OV/1uhjkKaqP/XN2SuINqTV+U4Q92vAAJmWDGH/hWMWlKyC6F9c7lJwJ+S35b UKug9qtsrbR7JgVUp9YsGkKxrvswRv//nV68O0z0/JIiTl/DmAoD5j0yifFaGZLJ mVi9mzmFF8Ipqw+3UIzfF/XNXG5vdQEpYtFRMwJmuav7fdj2G/XXqvhYGrxMFUMz ZHoGK5B4ZDIj2/ZWUeet5KRgnSkK7Ef7QXLcnsu3+yXE82E6H52iShe83AQ4vR/A Qq8930lxHAIb2isbYWF18QzhBFcA8NV5o7Luz+GuplJ4r+LjZDyB2cglJFvro/hS 60spWRq2s90= =LOIo -----END PGP SIGNATURE-----