===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0342
                 Android security update for December 2019
                              3 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Android
Operating System:     Android
Impact/Access:        Root Compromise                 -- Existing Account            
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Existing Account            
                      Unauthorised Access             -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-15239 CVE-2019-15220 CVE-2019-10607
                      CVE-2019-10605 CVE-2019-10601 CVE-2019-10600
                      CVE-2019-10598 CVE-2019-10595 CVE-2019-10557
                      CVE-2019-10537 CVE-2019-10536 CVE-2019-10525
                      CVE-2019-10517 CVE-2019-10516 CVE-2019-10513
                      CVE-2019-10500 CVE-2019-10487 CVE-2019-10482
                      CVE-2019-10481 CVE-2019-10480 CVE-2019-9464
                      CVE-2019-2304 CVE-2019-2274 CVE-2019-2242
                      CVE-2019-2232 CVE-2019-2231 CVE-2019-2230
                      CVE-2019-2229 CVE-2019-2228 CVE-2019-2227
                      CVE-2019-2226 CVE-2019-2225 CVE-2019-2224
                      CVE-2019-2223 CVE-2019-2222 CVE-2019-2221
                      CVE-2019-2220 CVE-2019-2219 CVE-2019-2218
                      CVE-2019-2217 CVE-2018-20961 CVE-2018-11980
Member content until: Thursday, January 2 2020
Reference:            ASB-2019.0273
                      ESB-2019.4252
                      ESB-2019.3258

OVERVIEW

        Google have released two security updates for Android,
        patch level 2019-12-01 and 2019-12-05. [1]
        
        As for why there are two simultaneous patch levels,
        Google provides the following explanation:
        "This bulletin has two security patch levels so that Android partners have the
        flexibility to fix a subset of vulnerabilities that are similar across all
        Android devices more quickly. Android partners are encouraged to fix all issues
        in this bulletin and use the latest security patch level." [1]


IMPACT

        For patch level 2019-12-01:
        
        "Framework
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted message to cause a permanent denial of service.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2019-2232 A-140632678 DoS  Critical 8.0, 8.1, 9, 10
        CVE-2019-9464 A-141028068 EoP  High     10
        CVE-2019-2217 A-141003796 EoP  High     10
        CVE-2019-2218 A-141169173 EoP  High     10
        CVE-2019-2220 A-138636979 ID   High     9, 10
        CVE-2019-2221 A-138583650 EoP  Moderate 10
        
        Media framework
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        a privileged process.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2019-2222 A-140322595 RCE  Moderate 10
                                  RCE  Critical 8.0, 8.1, 9
        CVE-2019-2223 A-140692129 RCE  Moderate 10
                                  RCE  Critical 8.0, 8.1, 9
        
        System
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        an unprivileged process.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2019-2224 A-140328986 RCE  High     8.0, 8.1, 9, 10
        CVE-2019-2225 A-110433804 EoP  High     8.0, 8.1, 9, 10
        CVE-2019-2226 A-140152619 ID   High     8.0, 8.1, 9, 10
        CVE-2019-2227 A-140768453 ID   High     9, 10
        CVE-2019-2228 A-111210196 ID   High     8.0, 8.1, 9, 10
        CVE-2019-2229 A-139803872 ID   High     8.0, 8.1, 9, 10
        CVE-2019-2230 A-141170038 ID   High     10
        
        Google Play system updates
        
        These security issues are included in Google Play system updates.
        
         Component               CVEs
        Media Codecs CVE-2019-2222, CVE-2019-2223" [1]
        
        
        For patch level 2019-12-05:
        "Framework
        
        The vulnerability in this section could enable a local malicious application to
        bypass operating system protections that isolate sensor data from other
        applications.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2019-2219 A-119041698 ID   High     9, 10
        
        System
        
        The vulnerability in this section could enable a local attacker with privileged
        access to gain access to sensitive data.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2019-2231 A-141955555 ID   High     9, 10
        
        Kernel components
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of a privileged
        process.
        
             CVE         References                   Type Severity Component
        CVE-2018-20961 A-139522588, Upstream kernel  EoP  High     USB MIDI class function driver
        CVE-2019-15220 A-140329469, Upstream kernel  EoP  High     Prism54 WiFi USB Driver
        CVE-2019-15239 A-140328996, Upstream kernel  EoP  High     TCP Stack
        
        Qualcomm components
        
        These vulnerabilities affect Qualcomm components and are described in further
        detail in the appropriate Qualcomm security bulletin or security alert. The
        severity assessment of these issues is provided directly by Qualcomm.
        
             CVE         References                                  Type Severity Component
        CVE-2019-10557 A-78657016, QC-CR#2255369, QC-CR#2259707    N/A  High     WLAN host
        CVE-2018-11980 A-140423440, QC-CR#2270117                  N/A  High     WLAN host
        CVE-2019-10480 A-140423811, QC-CR#2309399                  N/A  High     WLAN host
        CVE-2019-10481 A-140423794, QC-CR#2304610, QC-CR#2318632   N/A  High     WLAN host
        CVE-2019-10536 A-140423334, QC-CR#2433802                  N/A  High     WLAN host
        CVE-2019-10537 A-140423693, QC-CR#2436502                  N/A  High     WLAN host
        CVE-2019-10595 A-140423810, QC-CR#2148184                  N/A  High     WLAN host
        CVE-2019-10598 A-140423155, QC-CR#2324139                  N/A  High     WLAN host
        CVE-2019-10601 A-140423156, QC-CR#2428798                  N/A  High     WLAN host
        CVE-2019-10605 A-140424124, QC-CR#2187441                  N/A  High     WLAN host
        CVE-2019-10607 A-140423690, QC-CR#2211711                  N/A  High     Security
        CVE-2019-2304  A-123238115, QC-CR#2331868, QC-CR#2335530,
                       QC-CR#2348299, QC-CR#2203904 *             N/A  High     WLAN host
        
        Qualcomm closed-source components
        
        These vulnerabilities affect Qualcomm closed-source components and are
        described in further detail in the appropriate Qualcomm security bulletin or
        security alert. The severity assessment of these issues is provided directly by
        Qualcomm.
        
             CVE        References   Type Severity        Component
        CVE-2019-2242  A-123998200 * N/A  Critical Closed-source component
        CVE-2019-10500 A-134437248 * N/A  Critical Closed-source component
        CVE-2019-10525 A-134437319 * N/A  Critical Closed-source component
        CVE-2019-10482 A-132108950 * N/A  High     Closed-source component
        CVE-2019-10487 A-134437030 * N/A  High     Closed-source component
        CVE-2019-10516 A-134437075 * N/A  High     Closed-source component
        CVE-2019-2274  A-134437362 * N/A  High     Closed-source component
        CVE-2019-10513 A-134437225 * N/A  High     Closed-source component
        CVE-2019-10517 A-140424724 * N/A  High     Closed-source component
        CVE-2019-10600 A-140424089 * N/A  High     Closed-source component" [1]


MITIGATION

        Google advises updating to the latest version of Android available
        for your device when your vendor makes it available. [1]
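
        Because partners may ship only the 2019-12-01 subset, a defender checking a
        fleet needs to tell "partial" from "fully patched". The script below is an
        added example (not part of the AusCERT bulletin or Google's advisory); it
        assumes the device's level is read from the real system property
        ro.build.version.security_patch via adb, and the "--device" flag is a
        convention of this example only.

```shell
#!/bin/sh
# Classify a device's reported Android security patch level against the two
# patch levels in this bulletin (2019-12-01 partial, 2019-12-05 complete).
# Added example; not from the AusCERT bulletin or Google's advisory.
# Assumption: the level is the value of the real system property
#   ro.build.version.security_patch  (a YYYY-MM-DD string, read via adb).

PARTIAL_LEVEL="2019-12-01"   # subset of fixes that all partners can ship quickly
FULL_LEVEL="2019-12-05"      # every issue in the bulletin, incl. kernel/Qualcomm

# Turn YYYY-MM-DD into YYYYMMDD so the shell can compare levels as integers.
level_to_int() {
    printf '%s' "$1" | tr -d '-'
}

# Prints full | partial | unpatched | invalid.  Exit status is 0 only for
# "full", so the function can drive a compliance check directly.
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 2 ;;
    esac
    n=$(level_to_int "$level")
    if [ "$n" -ge "$(level_to_int "$FULL_LEVEL")" ]; then
        echo "full"; return 0
    elif [ "$n" -ge "$(level_to_int "$PARTIAL_LEVEL")" ]; then
        echo "partial"; return 1
    else
        echo "unpatched"; return 1
    fi
}

# Query the connected device (requires adb and USB debugging on the device).
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'device patch level %s: ' "${level:-<none>}"
    classify_patch_level "$level"
}

# "--device" is a convention of this example: query a live device only when
# asked, so the functions can also be applied to an exported inventory.
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

        A device reporting a level of 2019-12-01 has the Framework, Media
        framework and System fixes but not the kernel or Qualcomm ones listed
        under 2019-12-05.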


REFERENCES

        [1] Android Security Bulletin - December 2019
            https://source.android.com/security/bulletin/2019-12-01.html#2019-12-05-details

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================