Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2017.0190
Multiple vulnerabilities have been identified in Android
prior to security patch level string 2017-11-05
7 November 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Nexus devices
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-13088 CVE-2017-13087 CVE-2017-13086
CVE-2017-13082 CVE-2017-13081 CVE-2017-13080
CVE-2017-13079 CVE-2017-13078 CVE-2017-13077
CVE-2017-11092 CVE-2017-11028 CVE-2017-11017
CVE-2017-11015 CVE-2017-11014 CVE-2017-11013
CVE-2017-9690 CVE-2017-9077 CVE-2017-7541
CVE-2017-6264 CVE-2017-0843 CVE-2017-0842
CVE-2017-0841 CVE-2017-0840 CVE-2017-0839
CVE-2017-0836 CVE-2017-0835 CVE-2017-0834
CVE-2017-0833 CVE-2017-0832 CVE-2017-0831
CVE-2017-0830
Member content until: Thursday, December 7 2017
OVERVIEW
Multiple vulnerabilities have been identified in Android prior to
security patch level strings 2017-11-01 and 2017-11-05. [1]
IMPACT
The vendor has provided the following information:
"
2017-11-01 security patch level--Vulnerability details
Framework
CVE References Type Severity Updated AOSP versions
CVE-2017-0830 A-62623498 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0831 A-37442941 EoP High 8.0
Media framework
CVE References Type Severity Updated AOSP versions
CVE-2017-0832 A-62887820 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0833 A-62896384 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0834 A-63125953 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0835 A-63316832 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-0836 A-64893226 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-0839 A-64478003 ID High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-0840 A-62948670 ID High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
System
CVE References Type Severity Updated AOSP versions
CVE-2017-0841 A-37723026 RCE Critical 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-0842 A-37502513 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0
2017-11-05 security patch level--Vulnerability details
Kernel components
CVE References Type Severity Component
CVE-2017-9077 A-62265013 EoP High Networking subsystem
Upstream kernel
CVE-2017-7541 A-64258073 EoP High WLAN
Upstream kernel
MediaTek components
CVE References Type Severity Component
CVE-2017-0843 A-62670819* EoP High CCCI
M-ALPS03361488
NVIDIA components
CVE References Type Severity Component
CVE-2017-6264 A-34705430* EoP High GPU driver
N-CVE-2017-6264
Qualcomm components
CVE References Type Severity Component
CVE-2017-11013 A-64453535 RCE Critical WLAN
QC-CR#2058261 [2]
CVE-2017-11015 A-64438728 RCE Critical WLAN
QC-CR#2060959 [2]
CVE-2017-11014 A-64438727 RCE Critical WLAN
QC-CR#2060959
CVE-2017-11092 A-62949902* EoP High GPU driver
QC-CR#2077454
CVE-2017-9690 A-36575870* EoP High QBT1000 driver
QC-CR#2045285
CVE-2017-11017 A-64453575 EoP High Linux boot
QC-CR#2055629
CVE-2017-11028 A-64453533 ID High Camera
QC-CR#2008683 [2]
2017-11-06 security patch level--Vulnerability details
System
CVE References Type Severity Updated AOSP versions
CVE-2017-13077 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-13078 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-13079 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-13080 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-13081 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-13082 A-67737262 EoP High 7.0, 7.1.1, 7.1.2, 8.0
CVE-2017-13086 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-13087 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
CVE-2017-13088 A-67737262 EoP High 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1,
7.1.2, 8.0
Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available
" [1]
MITIGATION
Google advises it has released over-the-air (OTA) updates for Nexus
and Pixel devices, and partner updates have been released to the
Android Open Source Project (AOSP). Android users are advised to
update to the latest versions to address these issues. [1]
REFERENCES
[1] Android Security Bulletin October 2017
https://source.android.com/security/bulletin/2017-11-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWgFYL4x+lLeg9Ub1AQj9mQ/+JroTG6PIFwLOXkg4Ge+Bk7qzly08YlYv
aoEYEAXZVZnTxfRc2MCcbuRMrpUr9tWuS2Tku79rb+rN3aEGPYr7iV5TkMTqpJho
QlEy7n8QurRYh/JmSK3wR0cnnBRh+zYNr2FZRO8cssySig4Wt8El4w5LGLMFbVkS
Bo+5D9i+Aq81tTaXjDg4GypyEP0sle0syhEgpLxV55/MZJemCkG0/FKKArl7+v3R
ZCYcmeoc+j5ywfNk2tgSli5WW5F0UL7aUW5ipohhuXnPaPTIZ88Bpc+5Ahk9w/t6
xmqd8YFYI9yyFisxw74t45q5qASkEYgvs6nYESfaP42S6bYSjrg1Q42dW7e8OsFd
RXIVEh064CpCVObCVCZSVlm2scoJm0AsQzjskvwMMQIkk7KvjT2JUKwQKQ0uUuLK
NLSfdYKIpD9ANGd+sqolVTSPDxkGvuLGw6uEOIzTQJwnp0EhfpZCwy3gSsQd20ZG
juzE0zd0xdeTvDQCAlvSEE75UUVhjxbDB9Xd3QsFJyyPLJqIEhBbshVgEML0P0Jz
WDwsLCFirdh6RaBZTswvnGpKk+4iIxGEs5H5I1ghOBmvGmn8iBciar0u0ND4eaT+
qV6LMgmEkTMREnQjWMbxAGr3E8L5/rPYn6dxtdgdYA4TLKmH6aT7f7Kqw+pxz+Ba
r14W65Owl/4=
=Z2pZ
-----END PGP SIGNATURE-----