Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0127
Multiple vulnerabilities have been identified in Android
prior to security patch level string 2017-06-05.
8 August 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Nexus devices
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-10663 CVE-2017-10662 CVE-2017-10661
CVE-2017-9691 CVE-2017-9684 CVE-2017-9682
CVE-2017-9678 CVE-2017-0750 CVE-2017-0749
CVE-2017-0747 CVE-2017-0746 CVE-2017-0745
CVE-2017-0742 CVE-2017-0741 CVE-2017-0740
CVE-2017-0739 CVE-2017-0738 CVE-2017-0737
CVE-2017-0736 CVE-2017-0735 CVE-2017-0734
CVE-2017-0733 CVE-2017-0732 CVE-2017-0731
CVE-2017-0730 CVE-2017-0729 CVE-2017-0728
CVE-2017-0727 CVE-2017-0726 CVE-2017-0725
CVE-2017-0724 CVE-2017-0723 CVE-2017-0722
CVE-2017-0721 CVE-2017-0720 CVE-2017-0719
CVE-2017-0718 CVE-2017-0716 CVE-2017-0715
CVE-2017-0714 CVE-2017-0713 CVE-2017-0712
Member content until: Thursday, September 7 2017
OVERVIEW
Multiple vulnerabilities have been identified in Android prior to
security patch level strings 2017-08-01 and 2017-08-05. [1]
IMPACT
The vendor has provided the following information:
"
2017-08-01 security patch level - Vulnerability details
CVE References Type Severity Updated AOSP versions
CVE-2017-0712 A-37207928 EoP Moderate 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE References Type Severity Updated AOSP versions
CVE-2017-0713 A-32096780 RCE High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE References Type Severity Updated AOSP versions
CVE-2017-0714 A-36492637 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0715 A-36998372 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0716 A-37203196 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0718 A-37273547 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0719 A-37273673 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0720 A-37430213 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0721 A-37561455 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0722 A-37660827 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0723 A-37968755 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0745 A-37079296 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0724 A-36819262 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0725 A-37627194 DoS High 7.0, 7.1.1, 7.1.2
CVE-2017-0726 A-36389123 DoS High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0727 A-33004354 EoP High 7.0, 7.1.1, 7.1.2
CVE-2017-0728 A-37469795 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0729 A-37710346 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0730 A-36279112 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0731 A-36075363 EoP High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0732 A-37504237 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0733 A-38391487 DoS High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0734 A-38014992 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0735 A-38239864 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0736 A-38487564 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0737 A-37563942 EoP High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0738 A-37563371 ID Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2017-0739 A-37712181 ID Moderate 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
2017-08-05 security patch level - Vulnerability details
CVE References Type Severity Component
CVE-2017-0740 A-37168488* RCE Moderate Networking driver
B-RB#116402
CVE References Type Severity Component
CVE-2017-10661 A-36266767 EoP High File system
Upstream kernel
CVE-2017-0750 A-36817013* EoP Moderate File system
CVE-2017-10662 A-36815012 EoP Moderate File system
Upstream kernel
CVE-2017-10663 A-36588520 EoP Moderate File System
Upstream kernel
CVE-2017-0749 A-36007735* EoP Moderate Linux kernel
CVE References Type Severity Component
CVE-2017-0741 A-32458601* EoP High GPU driver
M-ALPS03007523
CVE-2017-0742 A-36074857* EoP Moderate Video driver
M-ALPS03275524
CVE References Type Severity Component
CVE-2017-0746 A-35467471* EoP Moderate IPA driver
QC-CR#2029392
CVE-2017-0747 A-32524214* EoP Moderate Proprietary Component
QC-CR#2044821
CVE-2017-9678 A-35258962* EoP Moderate Video driver
QC-CR#2028228
CVE-2017-9691 A-33842910* EoP Moderate MobiCore driver (Trustonic)
QC-CR#1116560
CVE-2017-9684 A-35136547* EoP Moderate USB driver
QC-CR#2037524
CVE-2017-9682 A-36491445* ID Moderate GPU driver
QC-CR#2030434
Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available
" [1]
MITIGATION
Google advises it has released over-the-air (OTA) updates for Nexus and
Pixel devices,and partner updates have been released to the Android
Open Source Project (AOSP). Android users are advised to update to the
latest versions to address these issues. [1]
REFERENCES
[1] Android Security Bulletin - August 2017
https://source.android.com/security/bulletin/2017-08-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWYkmIYx+lLeg9Ub1AQiIHhAAg1T9kMA3wQ6ZqtR74cPmcWk2zN+jIZGj
HoR8UNy0AhFAQWDqKQRgGKBVWmObM0EeEKxlQaNNQVmZm/q8PWSfGAzua5UriJgB
VYXb5tnFFbf6H6Qy5jHsfyhUTMiLXhd1eF+Uefd9gou3v4W6ZJpZxbeORPdcyMNd
6lX9U9rWRInYnlICIXlFWNWUNy0pbtMQD9QgTXKQ4RUn0ePOuuEtXuKDz/MudcKX
gBXtnRvqJ4e3rY3j5QraKKRZ0x72lvB0dua6eiGrVVD4VyMF0bBSoetU73vgPdip
zY17JoF3q602pq+NQVmecyTzUZq0ZjkNnAGMH1p3a+4VNxIaAiXhGPcPOzrgwaTK
Io7OV/1uhjkKaqP/XN2SuINqTV+U4Q92vAAJmWDGH/hWMWlKyC6F9c7lJwJ+S35b
UKug9qtsrbR7JgVUp9YsGkKxrvswRv//nV68O0z0/JIiTl/DmAoD5j0yifFaGZLJ
mVi9mzmFF8Ipqw+3UIzfF/XNXG5vdQEpYtFRMwJmuav7fdj2G/XXqvhYGrxMFUMz
ZHoGK5B4ZDIj2/ZWUeet5KRgnSkK7Ef7QXLcnsu3+yXE82E6H52iShe83AQ4vR/A
Qq8930lxHAIb2isbYWF18QzhBFcA8NV5o7Luz+GuplJ4r+LjZDyB2cglJFvro/hS
60spWRq2s90=
=LOIo
-----END PGP SIGNATURE-----