Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2017.0190 Multiple vulnerabilities have been identified in Android prior to security patch level string 2017-11-05 7 November 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Nexus devices Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2017-13088 CVE-2017-13087 CVE-2017-13086 CVE-2017-13082 CVE-2017-13081 CVE-2017-13080 CVE-2017-13079 CVE-2017-13078 CVE-2017-13077 CVE-2017-11092 CVE-2017-11028 CVE-2017-11017 CVE-2017-11015 CVE-2017-11014 CVE-2017-11013 CVE-2017-9690 CVE-2017-9077 CVE-2017-7541 CVE-2017-6264 CVE-2017-0843 CVE-2017-0842 CVE-2017-0841 CVE-2017-0840 CVE-2017-0839 CVE-2017-0836 CVE-2017-0835 CVE-2017-0834 CVE-2017-0833 CVE-2017-0832 CVE-2017-0831 CVE-2017-0830 Member content until: Thursday, December 7 2017 OVERVIEW Multiple vulnerabilities have been identified in Android prior to security patch level strings 2017-11-01 and 2017-11-05. [1] IMPACT The vendor has provided the following information: " 2017-11-01 security patch level--Vulnerability details Framework CVE References Type Severity Updated AOSP versions CVE-2017-0830 A-62623498 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0831 A-37442941 EoP High 8.0 Media framework CVE References Type Severity Updated AOSP versions CVE-2017-0832 A-62887820 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0833 A-62896384 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0834 A-63125953 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0835 A-63316832 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0836 A-64893226 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0839 A-64478003 ID High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0840 A-62948670 ID High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 System CVE References Type Severity Updated AOSP versions CVE-2017-0841 A-37723026 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-0842 A-37502513 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 2017-11-05 security patch level--Vulnerability details Kernel components CVE References Type Severity Component CVE-2017-9077 A-62265013 EoP High Networking subsystem Upstream kernel CVE-2017-7541 A-64258073 EoP High WLAN Upstream kernel MediaTek components CVE References Type Severity Component CVE-2017-0843 A-62670819* EoP High CCCI M-ALPS03361488 NVIDIA components CVE References Type Severity Component CVE-2017-6264 A-34705430* EoP High GPU driver N-CVE-2017-6264 Qualcomm components CVE References Type Severity Component CVE-2017-11013 A-64453535 RCE Critical WLAN QC-CR#2058261 [2] CVE-2017-11015 A-64438728 RCE Critical WLAN QC-CR#2060959 [2] CVE-2017-11014 A-64438727 RCE Critical WLAN QC-CR#2060959 CVE-2017-11092 A-62949902* EoP High GPU driver QC-CR#2077454 CVE-2017-9690 A-36575870* EoP High QBT1000 driver QC-CR#2045285 CVE-2017-11017 A-64453575 EoP High Linux boot QC-CR#2055629 CVE-2017-11028 A-64453533 ID High Camera QC-CR#2008683 [2] 2017-11-06 security patch level--Vulnerability details System CVE References Type Severity Updated AOSP versions CVE-2017-13077 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13078 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13079 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13080 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13081 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13082 A-67737262 EoP High 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13086 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13087 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 CVE-2017-13088 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 Abbreviation Definition RCE Remote code execution EoP Elevation of privilege ID Information disclosure DoS Denial of service N/A Classification not available " [1] MITIGATION Google advises it has released over-the-air (OTA) updates for Nexus and Pixel devices, and partner updates have been released to the Android Open Source Project (AOSP). Android users are advised to update to the latest versions to address these issues. [1] REFERENCES [1] Android Security Bulletin October 2017 https://source.android.com/security/bulletin/2017-11-01 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWgFYL4x+lLeg9Ub1AQj9mQ/+JroTG6PIFwLOXkg4Ge+Bk7qzly08YlYv aoEYEAXZVZnTxfRc2MCcbuRMrpUr9tWuS2Tku79rb+rN3aEGPYr7iV5TkMTqpJho QlEy7n8QurRYh/JmSK3wR0cnnBRh+zYNr2FZRO8cssySig4Wt8El4w5LGLMFbVkS Bo+5D9i+Aq81tTaXjDg4GypyEP0sle0syhEgpLxV55/MZJemCkG0/FKKArl7+v3R ZCYcmeoc+j5ywfNk2tgSli5WW5F0UL7aUW5ipohhuXnPaPTIZ88Bpc+5Ahk9w/t6 xmqd8YFYI9yyFisxw74t45q5qASkEYgvs6nYESfaP42S6bYSjrg1Q42dW7e8OsFd RXIVEh064CpCVObCVCZSVlm2scoJm0AsQzjskvwMMQIkk7KvjT2JUKwQKQ0uUuLK NLSfdYKIpD9ANGd+sqolVTSPDxkGvuLGw6uEOIzTQJwnp0EhfpZCwy3gSsQd20ZG juzE0zd0xdeTvDQCAlvSEE75UUVhjxbDB9Xd3QsFJyyPLJqIEhBbshVgEML0P0Jz WDwsLCFirdh6RaBZTswvnGpKk+4iIxGEs5H5I1ghOBmvGmn8iBciar0u0ND4eaT+ qV6LMgmEkTMREnQjWMbxAGr3E8L5/rPYn6dxtdgdYA4TLKmH6aT7f7Kqw+pxz+Ba r14W65Owl/4= =Z2pZ -----END PGP SIGNATURE-----