Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0040
Android Security Bulletin - February 2018
6 February 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Android
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-17770 CVE-2017-17767 CVE-2017-17765
CVE-2017-17764 CVE-2017-17762 CVE-2017-17761
CVE-2017-17760 CVE-2017-15829 CVE-2017-15820
CVE-2017-15817 CVE-2017-15265 CVE-2017-14910
CVE-2017-14884 CVE-2017-13247 CVE-2017-13238
CVE-2017-13236 CVE-2017-13234 CVE-2017-13233
CVE-2017-13232 CVE-2017-13231 CVE-2017-13230
CVE-2017-13228 CVE-2017-11041 CVE-2017-6279
CVE-2017-6258 CVE-2015-9016
Member content until: Thursday, March 8 2018
OVERVIEW
Multiple vulnerabilities have been identified in Android prior to
security patch level strings 2018-02-01 and 2018-02-05. [1]
IMPACT
The vendor has provided the following information:
"
2018-02-01 security patch level--Vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2018-02-01 patch level. Vulnerabilities are
grouped under the component that they affect. There is a description of the
issue and a table with the CVE, associated references, type of vulnerability,
severity, and updated AOSP versions (where applicable). When available, we link
the public change that addressed the issue to the bug ID, like the AOSP change
list. When multiple changes relate to a single bug, additional references are
linked to numbers following the bug ID.
Media framework
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of a
privileged process.
+----------------+------------+------+----------+------------------------------------------------+
| CVE | References | Type | Severity | Updated AOSP versions |
+================+============+======+==========+================================================+
| CVE-2017-13228 | A-69478425 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13231 | A-67962232 | EoP | High | 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13232 | A-68953950 | ID | High | 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13230 | A-65483665 | DoS | High | 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
| | +------+----------+------------------------------------------------+
| | | RCE | Critical | 5.1.1, 6.0, 6.0.1 |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13233 | A-62851602 | DoS | High | 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+
| CVE-2017-13234 | A-68159767 | DoS | High | 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 |
+----------------+------------+------+----------+------------------------------------------------+
System
The most severe vulnerability in this section could enable a local malicious
application to execute commands normally limited to privileged processes.
+----------------+------------+------+----------+-----------------------+
| CVE | References | Type | Severity | Updated AOSP versions |
+================+============+======+==========+=======================+
| CVE-2017-13236 | A-68217699 | EoP | Moderate | 8.0, 8.1 |
+----------------+------------+------+----------+-----------------------+
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2018-02-05 patch level. Vulnerabilities are
grouped under the component that they affect and include details such as the
CVE, associated references, type of vulnerability, severity, component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional references
are linked to numbers following the bug ID.
HTC components
The most severe vulnerability in this section could enable a local malicious
application to obtain unauthorized access to data.
+----------------+-------------+------+----------+------------+
| CVE | References | Type | Severity | Component |
+================+=============+======+==========+============+
| CVE-2017-13238 | A-64610940* | ID | High | Bootloader |
+----------------+-------------+------+----------+------------+
| CVE-2017-13247 | A-71486645* | EoP | Moderate | Bootloader |
+----------------+-------------+------+----------+------------+
Kernel components
The most severe vulnerability in this section could enable a local malicious
application to execute arbitrary code within the context of a privileged
process.
+----------------+-----------------+------+----------+----------------------+
| CVE | References | Type | Severity | Component |
+================+=================+======+==========+======================+
| CVE-2017-15265 | A-67900971 | EoP | High | ALSA |
| | | | | |
| | Upstream kernel | | | |
+----------------+-----------------+------+----------+----------------------+
| CVE-2015-9016 | A-63083046 | EoP | High | Multi-queue block IO |
| | | | | |
| | Upstream kernel | | | |
+----------------+-----------------+------+----------+----------------------+
| CVE-2017-17770 | A-65853158* | EoP | High | Kernel |
+----------------+-----------------+------+----------+----------------------+
NVIDIA components
The most severe vulnerability in this section could enable a local malicious
application to execute arbitrary code within the context of a privileged
process.
+---------------+-------------------------+------+----------+-----------------+
| CVE | References | Type | Severity | Component |
+===============+=========================+======+==========+=================+
| CVE-2017-6279 | A-65023166* | EoP | High | Media framework |
| | | | | |
| | N-CVE-2017-6279 | | | |
+---------------+-------------------------+------+----------+-----------------+
| CVE-2017-6258 | A-38027496* | EoP | High | Media framework |
| | | | | |
| | N-CVE-2017-6258 | | | |
+---------------+-------------------------+------+----------+-----------------+
Qualcomm components
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of a
privileged process.
+----------------+-----------------------+------+----------+-----------------+
| CVE | References | Type | Severity | Component |
+================+=======================+======+==========+=================+
| CVE-2017-15817 | A-68992394 | RCE | Critical | WLan |
| | | | | |
| | QC-CR#2076603 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17760 | A-68992416 | RCE | Critical | WLan |
| | QC-CR#2082544 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-11041 | A-35269676* | EoP | High | Media framework |
| | | | | |
| | QC-CR#2053101 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17767 | A-64750179* | EoP | High | Media framework |
| | | | | |
| | QC-CR#2115779 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17765 | A-68992445 | EoP | High | WLan |
| | | | | |
| | QC-CR#2115112 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17762 | A-68992439 | EoP | High | WLan |
| | | | | |
| | QC-CR#2114426 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-14884 | A-68992429 | EoP | High | WLan |
| | | | | |
| | QC-CR#2113052 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-15829 | A-68992397 | EoP | High | Graphics_Linux |
| | | | | |
| | QC-CR#2097917 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-15820 | A-68992396 | EoP | High | Graphics_Linux |
| | | | | |
| | QC-CR#2093377 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17764 | A-68992443 | EoP | High | WLan |
| | | | | |
| | QC-CR#2114789 | | | |
+----------------+-----------------------+------+----------+-----------------+
| CVE-2017-17761 | A-68992434 | EoP | High | WLan |
| | | | | |
| | QC-CR#2114187 | | | |
+----------------+-----------------------+------+----------+-----------------+
Qualcomm closed-source components
These vulnerabilities affect Qualcomm components and are described in further
detail in the appropriate Qualcomm AMSS security bulletin or security alert. The
severity assessment of these issues is provided directly by Qualcomm.
+----------------+-------------+------+----------+-------------------------+
| CVE | References | Type | Severity | Component |
+================+=============+======+==========+=========================+
| CVE-2017-14910 | A-62212114* | N/A | High | Closed-source component |
+----------------+-------------+------+----------+-------------------------+
"
MITIGATION
Google advises it has released over-the-air (OTA) updates for Nexus
and Pixel devices, and partner updates have been released to the
Android Open Source Project (AOSP). Android users are advised to
update to the latest versions to address these issues. [1]
REFERENCES
[1] Android Security Bulletin - February 2018
https://source.android.com/security/bulletin/2018-02-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWnkn2Ix+lLeg9Ub1AQgI9BAAi8a7cVTeKYBrNtv+y6SEafFWpQHypg50
uCdn7sfQ+r+Ri/8c3WOz37JtNYaAXBIIx8rMDmnULlmcJ0puv8wPGS9QicUSJ6Ju
U2Kc2yXtFZtoz5im6krfGhe3gldcnlrORII0Kcb7Lkg9JNgiSz7Etki6fxcRpSpY
ndUrjIGWjlSJJif8sRWI/UoPHhf2kMPt/1zXWpfEiJqOc1NXHWubXKywC+frnTnP
KntCZbODu6w6dcWDojQWkfIDNWYte7JCxUlAh37zHXTHT4gG/Uvhmc8y1+1QOwTK
Z0a3QOFxapYmOJBbSZRuS7BJk1J1FdJ7HGiFUBkms5vt5k1KTpUl1PZoZc/lWfs4
Rc6TBlPFhrfv8aTq9feeqM1+vL2TCeSIMDYFTkvDRyE94e0XUbt44kVQGYYFzIGl
U13sHg5nzM1mL/hr9dliwpP7mZEobdXBGLEjWVbOuYNuxDTIg/ryDazmx64v30JF
UNHJgkLL7kAX+ovrG7cKtQC7PLINB52PjnM6cR9XlT8yRzYdm1VaH7Ar8um44wjl
k/lYM3EpfHM/MECXUbxXOYd84x2cyyKJpShtlYfyEl5QA/iLPvnmCNwYM42WM94n
pLaLKK4myjuvdlqxHnUYnnH/m1USFRQx9qU0aPH+0Tys7JQxEwTAYl5Dl75MOUwL
pFbr8fJvdzY=
=9ULb
-----END PGP SIGNATURE-----