Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0156
Multiple vulnerabilities have been identified in Android
prior to security patch level string 2017-10-05
3 October 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Nexus devices
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-14496 CVE-2017-11053 CVE-2017-9714
CVE-2017-9683 CVE-2017-9075 CVE-2017-7374
CVE-2017-0827 CVE-2017-0816 CVE-2017-0815
CVE-2017-0812 CVE-2017-0811 CVE-2017-0810
CVE-2017-0809 CVE-2017-0806
Member content until: Thursday, November 2 2017
Reference: ESB-2017.2379
ESB-2017.2278
ESB-2017.2233
ESB-2017.2214
ESB-2017.1890
OVERVIEW
Multiple vulnerabilities have been identified in Android prior to
security patch level strings 2017-10-01 and 2017-10-05. [1]
IMPACT
The vendor has provided the following information:
"2017-10-01 security patch level—Vulnerability details
Framework
CVE References Type Severity Updated AOSP versions
CVE-2017-0806 A-62998805 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
Media framework
CVE References Type Severity Updated AOSP versions
CVE-2017-0809 A-62673128 RCE Critical 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0810 A-38207066 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0811 A-37930177 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0812 A-62873231 EoP High 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0815 A-63526567 ID Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0816 A-63662938 ID Moderate 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
System
CVE References Type Severity Updated AOSP versions
CVE-2017-14496 A-64575136 RCE High 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
2017-10-05 security patch level—Vulnerability details
Kernel components
CVE References Type Severity Component
CVE-2017-7374 A-37866910 EoP High Filesystem
Upstream kernel
CVE-2017-9075 A-62298712 EoP High Network subsystem
Upstream kernel
MediaTek components
CVE References Type Severity Component
CVE-2017-0827 A-62539960* EoP High SoC driver
M-ALPS03353876
M-ALPS03353861
M-ALPS03353869
M-ALPS03353867
M-ALPS03353872
Qualcomm components
CVE References Type Severity Component
CVE-2017-11053 A-36895857* RCE Critical SoC driver
QC-CR#2061544
CVE-2017-9714 A-63868020 EoP Critical Network subsystem
QC-CR#2046578
CVE-2017-9683 A-62379105 EoP High Linux boot
Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available
" [1]
MITIGATION
Google advises it has released over-the-air (OTA) updates for Nexus
and Pixel devices,and partner updates have been released to the
Android Open Source Project (AOSP). Android users are advised to
update to the latest versions to address these issues. [1]
REFERENCES
[1] Android Security Bulletin—October 2017
https://source.android.com/security/bulletin/2017-10-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWdMgqox+lLeg9Ub1AQiltA//cn/U5lh/lHGlpgff7aPcX+eD7ovg8jAW
x7MAQcmn4Z7SKhdXPY/M02cZw83AAgelJ+UTkDcri1EST3lKrvSW4/kM8iyDf2xd
TyRNYNK3DoXX/EFLHPWpDrYcp2Ta2ZHLcH9ETaaZPezgho6cbXv0w50X/Ytp1+0/
6bmJJgRr7fwz5p+2eEmOVMkNy2Ny8kdO4ha1KCFOzixMSJ4TonGNju9nf7uVtYAr
aZz6mPNVmLCWgnuoNFcsTpD/jvE503uBEARzOw8T6TczARoZL7De7Yeov1eAvI+1
bMhQ4LRenXzRq0BjKLph6cYU3V0eoEWcPLZR4JdEpmi7ldIe1OK57lchbtaj4bnL
uoym6MMjgs1LBZr9mB6WYclXa4zp8Ez3g8ZikyECEKCYlPmCPb7Fq6zWgQnytSNa
Q2KG3WyOFYTLFNYaMw/I4j572pZwChLXmxRqexE7pi/cxzI5oSS8wGOBrHBN9Sgg
PVekImdYcj3zf2xeTPpE20ubn2LM7uxconfRhIGcZl6TMbjp4j2ubhowFRoDKp1g
lsTV8WC+qbMV4t72ezVd4/4dKKtX1BwhZAUBAWoP0/2EXXdl5S8tiWq70nQqwfO6
mv0ptqeqXnkbKij9dypHJfKNvvC3KgDStSzNtZIfYtCBkQxQnJNHnlCVnR3241ei
IRTOOrs1YM8=
=F222
-----END PGP SIGNATURE-----