Operating System:

[Android]

Published:

03 October 2017

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0156
         Multiple vulnerabilities have been identified in Android
              prior to security patch level string 2017-10-05
                              3 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Nexus devices
Operating System:     Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-14496 CVE-2017-11053 CVE-2017-9714
                      CVE-2017-9683 CVE-2017-9075 CVE-2017-7374
                      CVE-2017-0827 CVE-2017-0816 CVE-2017-0815
                      CVE-2017-0812 CVE-2017-0811 CVE-2017-0810
                      CVE-2017-0809 CVE-2017-0806 
Member content until: Thursday, November  2 2017
Reference:            ESB-2017.2379
                      ESB-2017.2278
                      ESB-2017.2233
                      ESB-2017.2214
                      ESB-2017.1890

OVERVIEW

        Multiple vulnerabilities have been identified in Android prior to 
        security patch level strings 2017-10-01 and 2017-10-05. [1]


IMPACT

        The vendor has provided the following information:
        
        "2017-10-01 security patch level—Vulnerability details
        
        Framework
        CVE            References    Type    Severity    Updated AOSP versions
        CVE-2017-0806  A-62998805    EoP     High        6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        
        Media framework
        CVE            References    Type    Severity    Updated AOSP versions
        CVE-2017-0809  A-62673128    RCE     Critical    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0810  A-38207066    RCE     Critical    6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0811  A-37930177    RCE     Critical    5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0812  A-62873231    EoP     High        7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0815  A-63526567    ID      Moderate    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        CVE-2017-0816  A-63662938    ID      Moderate    4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        
        System
        CVE             References    Type    Severity    Updated AOSP versions
        CVE-2017-14496  A-64575136    RCE     High        4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
        
        
        2017-10-05 security patch level—Vulnerability details
        
        Kernel components
        CVE            References       Type    Severity    Component
        CVE-2017-7374  A-37866910       EoP     High        Filesystem
                       Upstream kernel
        CVE-2017-9075  A-62298712       EoP     High        Network subsystem
                       Upstream kernel
        
        MediaTek components
        CVE             References      Type    Severity    Component
        CVE-2017-0827   A-62539960*     EoP     High        SoC driver
                        M-ALPS03353876
        		M-ALPS03353861
        		M-ALPS03353869
        		M-ALPS03353867
        		M-ALPS03353872
        
        Qualcomm components
        CVE             References     Type    Severity    Component
        CVE-2017-11053  A-36895857*    RCE     Critical    SoC driver
                        QC-CR#2061544
        CVE-2017-9714   A-63868020     EoP     Critical    Network subsystem
                        QC-CR#2046578
        CVE-2017-9683   A-62379105     EoP     High        Linux boot
        
        Abbreviation    Definition
        RCE             Remote code execution
        EoP             Elevation of privilege
        ID              Information disclosure
        DoS             Denial of service
        N/A             Classification not available
        " [1]


MITIGATION

        Google advises it has released over-the-air (OTA) updates for Nexus
        and Pixel devices,and partner updates have been released to the 
        Android Open Source Project (AOSP). Android users are advised to 
        update to the latest versions to address these issues. [1]


REFERENCES

        [1] Android Security Bulletin—October 2017
            https://source.android.com/security/bulletin/2017-10-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWdMgqox+lLeg9Ub1AQiltA//cn/U5lh/lHGlpgff7aPcX+eD7ovg8jAW
x7MAQcmn4Z7SKhdXPY/M02cZw83AAgelJ+UTkDcri1EST3lKrvSW4/kM8iyDf2xd
TyRNYNK3DoXX/EFLHPWpDrYcp2Ta2ZHLcH9ETaaZPezgho6cbXv0w50X/Ytp1+0/
6bmJJgRr7fwz5p+2eEmOVMkNy2Ny8kdO4ha1KCFOzixMSJ4TonGNju9nf7uVtYAr
aZz6mPNVmLCWgnuoNFcsTpD/jvE503uBEARzOw8T6TczARoZL7De7Yeov1eAvI+1
bMhQ4LRenXzRq0BjKLph6cYU3V0eoEWcPLZR4JdEpmi7ldIe1OK57lchbtaj4bnL
uoym6MMjgs1LBZr9mB6WYclXa4zp8Ez3g8ZikyECEKCYlPmCPb7Fq6zWgQnytSNa
Q2KG3WyOFYTLFNYaMw/I4j572pZwChLXmxRqexE7pi/cxzI5oSS8wGOBrHBN9Sgg
PVekImdYcj3zf2xeTPpE20ubn2LM7uxconfRhIGcZl6TMbjp4j2ubhowFRoDKp1g
lsTV8WC+qbMV4t72ezVd4/4dKKtX1BwhZAUBAWoP0/2EXXdl5S8tiWq70nQqwfO6
mv0ptqeqXnkbKij9dypHJfKNvvC3KgDStSzNtZIfYtCBkQxQnJNHnlCVnR3241ei
IRTOOrs1YM8=
=F222
-----END PGP SIGNATURE-----