===========================================================================
AUSCERT Security Bulletin

ASB-2018.0040
Android Security Bulletin - February 2018
6 February 2018

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Android
Operating System:     Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-17770 CVE-2017-17767 CVE-2017-17765
                      CVE-2017-17764 CVE-2017-17762 CVE-2017-17761
                      CVE-2017-17760 CVE-2017-15829 CVE-2017-15820
                      CVE-2017-15817 CVE-2017-15265 CVE-2017-14910
                      CVE-2017-14884 CVE-2017-13247 CVE-2017-13238
                      CVE-2017-13236 CVE-2017-13234 CVE-2017-13233
                      CVE-2017-13232 CVE-2017-13231 CVE-2017-13230
                      CVE-2017-13228 CVE-2017-11041 CVE-2017-6279
                      CVE-2017-6258 CVE-2015-9016
Member content until: Thursday, March 8 2018

OVERVIEW

Multiple vulnerabilities have been identified in Android prior to security patch level strings 2018-02-01 and 2018-02-05. [1]

IMPACT

The vendor has provided the following information:

"
2018-02-01 security patch level--Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2018-02-01 patch level. Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
Media framework

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

+----------------+------------+------+----------+------------------------------------------------+
| CVE            | References | Type | Severity | Updated AOSP versions                          |
+================+============+======+==========+================================================+
| CVE-2017-13228 | A-69478425 | RCE  | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1        |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13231 | A-67962232 | EoP  | High     | 8.0, 8.1                                       |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13232 | A-68953950 | ID   | High     | 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13230 | A-65483665 | DoS  | High     | 7.0, 7.1.1, 7.1.2, 8.0, 8.1                    |
|                |            +------+----------+------------------------------------------------+
|                |            | RCE  | Critical | 5.1.1, 6.0, 6.0.1                              |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13233 | A-62851602 | DoS  | High     | 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13234 | A-68159767 | DoS  | High     | 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+

System

The most severe vulnerability in this section could enable a local malicious application to execute commands normally limited to privileged processes.
+----------------+------------+------+----------+-----------------------+
| CVE            | References | Type | Severity | Updated AOSP versions |
+================+============+======+==========+=======================+
| CVE-2017-13236 | A-68217699 | EoP  | Moderate | 8.0, 8.1              |
+----------------+------------+------+----------+-----------------------+

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2018-02-05 patch level. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

HTC components

The most severe vulnerability in this section could enable a local malicious application to obtain unauthorized access to data.

+----------------+-------------+------+----------+------------+
| CVE            | References  | Type | Severity | Component  |
+================+=============+======+==========+============+
| CVE-2017-13238 | A-64610940* | ID   | High     | Bootloader |
+----------------+-------------+------+----------+------------+
| CVE-2017-13247 | A-71486645* | EoP  | Moderate | Bootloader |
+----------------+-------------+------+----------+------------+

Kernel components

The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.
+----------------+-----------------+------+----------+----------------------+
| CVE            | References      | Type | Severity | Component            |
+================+=================+======+==========+======================+
| CVE-2017-15265 | A-67900971      | EoP  | High     | ALSA                 |
|                |                 |      |          |                      |
|                | Upstream kernel |      |          |                      |
+----------------+-----------------+------+----------+----------------------+
| CVE-2015-9016  | A-63083046      | EoP  | High     | Multi-queue block IO |
|                |                 |      |          |                      |
|                | Upstream kernel |      |          |                      |
+----------------+-----------------+------+----------+----------------------+
| CVE-2017-17770 | A-65853158*     | EoP  | High     | Kernel               |
+----------------+-----------------+------+----------+----------------------+

NVIDIA components

The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.

+---------------+-------------------------+------+----------+-----------------+
| CVE           | References              | Type | Severity | Component       |
+===============+=========================+======+==========+=================+
| CVE-2017-6279 | A-65023166*             | EoP  | High     | Media framework |
|               |                         |      |          |                 |
|               | N-CVE-2017-6279         |      |          |                 |
+---------------+-------------------------+------+----------+-----------------+
| CVE-2017-6258 | A-38027496*             | EoP  | High     | Media framework |
|               |                         |      |          |                 |
|               | N-CVE-2017-6258         |      |          |                 |
+---------------+-------------------------+------+----------+-----------------+

Qualcomm components

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
+----------------+-----------------------+------+----------+-----------------+
| CVE            | References            | Type | Severity | Component       |
+================+=======================+======+==========+=================+
| CVE-2017-15817 | A-68992394            | RCE  | Critical | WLan            |
|                |                       |      |          |                 |
|                | QC-CR#2076603         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17760 | A-68992416            | RCE  | Critical | WLan            |
|                | QC-CR#2082544         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-11041 | A-35269676*           | EoP  | High     | Media framework |
|                |                       |      |          |                 |
|                | QC-CR#2053101         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17767 | A-64750179*           | EoP  | High     | Media framework |
|                |                       |      |          |                 |
|                | QC-CR#2115779         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17765 | A-68992445            | EoP  | High     | WLan            |
|                |                       |      |          |                 |
|                | QC-CR#2115112         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17762 | A-68992439            | EoP  | High     | WLan            |
|                |                       |      |          |                 |
|                | QC-CR#2114426         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-14884 | A-68992429            | EoP  | High     | WLan            |
|                |                       |      |          |                 |
|                | QC-CR#2113052         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-15829 | A-68992397            | EoP  | High     | Graphics_Linux  |
|                |                       |      |          |                 |
|                | QC-CR#2097917         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-15820 | A-68992396            | EoP  | High     | Graphics_Linux  |
|                |                       |      |          |                 |
|                | QC-CR#2093377         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17764 | A-68992443            | EoP  | High     | WLan            |
|                |                       |      |          |                 |
|                | QC-CR#2114789         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17761 | A-68992434            | EoP  | High     | WLan            |
|                |                       |      |          |                 |
|                | QC-CR#2114187         |      |          |                 |
+----------------+-----------------------+------+----------+-----------------+

Qualcomm closed-source components

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm AMSS security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

+----------------+-------------+------+----------+-------------------------+
| CVE            | References  | Type | Severity | Component               |
+================+=============+======+==========+=========================+
| CVE-2017-14910 | A-62212114* | N/A  | High     | Closed-source component |
+----------------+-------------+------+----------+-------------------------+
"

MITIGATION

Google advises it has released over-the-air (OTA) updates for Nexus and Pixel devices, and partner updates have been released to the Android Open Source Project (AOSP). Android users are advised to update to the latest versions to address these issues. [1]

REFERENCES

[1] Android Security Bulletin - February 2018
    https://source.android.com/security/bulletin/2018-02-01

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================