===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0156
      Multiple vulnerabilities have been identified in Android prior
                 to security patch level string 2017-10-05
                              3 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Nexus devices
Operating System:     Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-14496 CVE-2017-11053 CVE-2017-9714
                      CVE-2017-9683 CVE-2017-9075 CVE-2017-7374
                      CVE-2017-0827 CVE-2017-0816 CVE-2017-0815
                      CVE-2017-0812 CVE-2017-0811 CVE-2017-0810
                      CVE-2017-0809 CVE-2017-0806
Member content until: Thursday, November 2 2017
Reference:            ESB-2017.2379
                      ESB-2017.2278
                      ESB-2017.2233
                      ESB-2017.2214
                      ESB-2017.1890

OVERVIEW

        Multiple vulnerabilities have been identified in Android prior to
        security patch level strings 2017-10-01 and 2017-10-05. [1]


IMPACT

        The vendor has provided the following information:

        "2017-10-01 security patch level—Vulnerability details

        Framework

        CVE             References  Type  Severity  Updated AOSP versions
        CVE-2017-0806   A-62998805  EoP   High      6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0

        Media framework

        CVE             References  Type  Severity  Updated AOSP versions
        CVE-2017-0809   A-62673128  RCE   Critical  4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0810   A-38207066  RCE   Critical  6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0811   A-37930177  RCE   Critical  5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0812   A-62873231  EoP   High      7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0815   A-63526567  ID    Moderate  4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0816   A-63662938  ID    Moderate  4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0

        System

        CVE             References  Type  Severity  Updated AOSP versions
        CVE-2017-14496  A-64575136  RCE   High      4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0

        2017-10-05 security patch level—Vulnerability details

        Kernel components

        CVE             References       Type  Severity  Component
        CVE-2017-7374   A-37866910       EoP   High      Filesystem
                        Upstream kernel
        CVE-2017-9075   A-62298712       EoP   High      Network subsystem
                        Upstream kernel

        MediaTek components

        CVE             References       Type  Severity  Component
        CVE-2017-0827   A-62539960*      EoP   High      SoC driver
                        M-ALPS03353876
                        M-ALPS03353861
                        M-ALPS03353869
                        M-ALPS03353867
                        M-ALPS03353872

        Qualcomm components

        CVE             References       Type  Severity  Component
        CVE-2017-11053  A-36895857*      RCE   Critical  SoC driver
                        QC-CR#2061544
        CVE-2017-9714   A-63868020       EoP   Critical  Network subsystem
                        QC-CR#2046578
        CVE-2017-9683   A-62379105       EoP   High      Linux boot

        Abbreviation  Definition
        RCE           Remote code execution
        EoP           Elevation of privilege
        ID            Information disclosure
        DoS           Denial of service
        N/A           Classification not available " [1]


MITIGATION

        Google advises it has released over-the-air (OTA) updates for Nexus
        and Pixel devices, and partner updates have been released to the
        Android Open Source Project (AOSP).

        Android users are advised to update to the latest versions to
        address these issues. [1]


REFERENCES

        [1] Android Security Bulletin—October 2017
            https://source.android.com/security/bulletin/2017-10-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================