===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0342
                 Android security update for December 2019
                              3 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Android
Operating System:     Android
Impact/Access:        Root Compromise                 -- Existing Account
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Existing Account
                      Unauthorised Access             -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-15239 CVE-2019-15220 CVE-2019-10607
                      CVE-2019-10605 CVE-2019-10601 CVE-2019-10600
                      CVE-2019-10598 CVE-2019-10595 CVE-2019-10557
                      CVE-2019-10537 CVE-2019-10536 CVE-2019-10525
                      CVE-2019-10517 CVE-2019-10516 CVE-2019-10513
                      CVE-2019-10500 CVE-2019-10487 CVE-2019-10482
                      CVE-2019-10481 CVE-2019-10480 CVE-2019-9464
                      CVE-2019-2304 CVE-2019-2274 CVE-2019-2242
                      CVE-2019-2232 CVE-2019-2231 CVE-2019-2230
                      CVE-2019-2229 CVE-2019-2228 CVE-2019-2227
                      CVE-2019-2226 CVE-2019-2225 CVE-2019-2224
                      CVE-2019-2223 CVE-2019-2222 CVE-2019-2221
                      CVE-2019-2220 CVE-2019-2219 CVE-2019-2218
                      CVE-2019-2217 CVE-2018-20961 CVE-2018-11980
Member content until: Thursday, January 2 2020
Reference:            ASB-2019.0273
                      ESB-2019.4252
                      ESB-2019.3258

OVERVIEW

        Google have released two security updates for Android, patch level
        2019-12-01 and 2019-12-05. [1]

        As for why there are two simultaneous patch levels, Google provides
        the following explanation:

        "This bulletin has two security patch levels so that Android partners
        have the flexibility to fix a subset of vulnerabilities that are
        similar across all Android devices more quickly. Android partners are
        encouraged to fix all issues in this bulletin and use the latest
        security patch level." [1]


IMPACT

        For patch level 2019-12-01:

        "Framework

        The most severe vulnerability in this section could enable a remote
        attacker using a specially crafted message to cause a permanent
        denial of service.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2019-2232  A-140632678  DoS   Critical  8.0, 8.1, 9, 10
        CVE-2019-9464  A-141028068  EoP   High      10
        CVE-2019-2217  A-141003796  EoP   High      10
        CVE-2019-2218  A-141169173  EoP   High      10
        CVE-2019-2220  A-138636979  ID    High      9, 10
        CVE-2019-2221  A-138583650  EoP   Moderate  10

        Media framework

        The most severe vulnerability in this section could enable a remote
        attacker using a specially crafted file to execute arbitrary code
        within the context of a privileged process.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2019-2222  A-140322595  RCE   Moderate  10
                                    RCE   Critical  8.0, 8.1, 9
        CVE-2019-2223  A-140692129  RCE   Moderate  10
                                    RCE   Critical  8.0, 8.1, 9

        System

        The most severe vulnerability in this section could enable a remote
        attacker using a specially crafted file to execute arbitrary code
        within the context of an unprivileged process.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2019-2224  A-140328986  RCE   High      8.0, 8.1, 9, 10
        CVE-2019-2225  A-110433804  EoP   High      8.0, 8.1, 9, 10
        CVE-2019-2226  A-140152619  ID    High      8.0, 8.1, 9, 10
        CVE-2019-2227  A-140768453  ID    High      9, 10
        CVE-2019-2228  A-111210196  ID    High      8.0, 8.1, 9, 10
        CVE-2019-2229  A-139803872  ID    High      8.0, 8.1, 9, 10
        CVE-2019-2230  A-141170038  ID    High      10

        Google Play system updates

        These security issues are included in Google Play system updates.

        Component     CVEs
        Media Codecs  CVE-2019-2222, CVE-2019-2223" [1]


        For patch level 2019-12-05:

        "Framework

        The vulnerability in this section could enable a local malicious
        application to bypass operating system protections that isolate
        sensor data from other applications.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2019-2219  A-119041698  ID    High      9, 10

        System

        The vulnerability in this section could enable a local attacker with
        privileged access to gain access to sensitive data.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2019-2231  A-141955555  ID    High      9, 10

        Kernel components

        The most severe vulnerability in this section could enable a local
        malicious application to execute arbitrary code within the context
        of a privileged process.

        CVE             References       Type  Severity  Component
        CVE-2018-20961  A-139522588      EoP   High      USB MIDI class function driver
                        Upstream kernel
        CVE-2019-15220  A-140329469      EoP   High      Prism54 WiFi USB Driver
                        Upstream kernel
        CVE-2019-15239  A-140328996      EoP   High      TCP Stack
                        Upstream kernel

        Qualcomm components

        These vulnerabilities affect Qualcomm components and are described
        in further detail in the appropriate Qualcomm security bulletin or
        security alert. The severity assessment of these issues is provided
        directly by Qualcomm.

        CVE             References       Type  Severity  Component
        CVE-2019-10557  A-78657016       N/A   High      WLAN host
                        QC-CR#2255369
                        QC-CR#2259707
        CVE-2018-11980  A-140423440      N/A   High      WLAN host
                        QC-CR#2270117
        CVE-2019-10480  A-140423811      N/A   High      WLAN host
                        QC-CR#2309399
        CVE-2019-10481  A-140423794      N/A   High      WLAN host
                        QC-CR#2304610
                        QC-CR#2318632
        CVE-2019-10536  A-140423334      N/A   High      WLAN host
                        QC-CR#2433802
        CVE-2019-10537  A-140423693      N/A   High      WLAN host
                        QC-CR#2436502
        CVE-2019-10595  A-140423810      N/A   High      WLAN host
                        QC-CR#2148184
        CVE-2019-10598  A-140423155      N/A   High      WLAN host
                        QC-CR#2324139
        CVE-2019-10601  A-140423156      N/A   High      WLAN host
                        QC-CR#2428798
        CVE-2019-10605  A-140424124      N/A   High      WLAN host
                        QC-CR#2187441
        CVE-2019-10607  A-140423690      N/A   High      Security
                        QC-CR#2211711
        CVE-2019-2304   A-123238115      N/A   High      WLAN host
                        QC-CR#2331868
                        QC-CR#2335530
                        QC-CR#2348299
                        QC-CR#2203904 *

        Qualcomm closed-source components

        These vulnerabilities affect Qualcomm closed-source components and
        are described in further detail in the appropriate Qualcomm security
        bulletin or security alert. The severity assessment of these issues
        is provided directly by Qualcomm.

        CVE             References     Type  Severity  Component
        CVE-2019-2242   A-123998200 *  N/A   Critical  Closed-source component
        CVE-2019-10500  A-134437248 *  N/A   Critical  Closed-source component
        CVE-2019-10525  A-134437319 *  N/A   Critical  Closed-source component
        CVE-2019-10482  A-132108950 *  N/A   High      Closed-source component
        CVE-2019-10487  A-134437030 *  N/A   High      Closed-source component
        CVE-2019-10516  A-134437075 *  N/A   High      Closed-source component
        CVE-2019-2274   A-134437362 *  N/A   High      Closed-source component
        CVE-2019-10513  A-134437225 *  N/A   High      Closed-source component
        CVE-2019-10517  A-140424724 *  N/A   High      Closed-source component
        CVE-2019-10600  A-140424089 *  N/A   High      Closed-source component" [1]


MITIGATION

        Google advises updating to the latest version of Android available
        for your device when your vendor makes it available. [1]


REFERENCES

        [1] Android Security Bulletin - December 2019
            https://source.android.com/security/bulletin/2019-12-01.html#2019-12-05-details

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================