===========================================================================
AUSCERT Security Bulletin
ASB-2020.0002
Android security update for January 2020
7 January 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Android
Operating System:     Android
Impact/Access:        Administrator Compromise        -- Existing Account
                      Increased Privileges            -- Existing Account
                      Execute Arbitrary Code/Commands -- Console/Physical
                      Access Confidential Data        -- Existing Account
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-0009 CVE-2020-0008 CVE-2020-0007
                      CVE-2020-0006 CVE-2020-0004 CVE-2020-0003
                      CVE-2020-0002 CVE-2020-0001 CVE-2019-17666
                      CVE-2019-15214 CVE-2019-14036 CVE-2019-14034
                      CVE-2019-14024 CVE-2019-14023 CVE-2019-14017
                      CVE-2019-14016 CVE-2019-14014 CVE-2019-14013
                      CVE-2019-14010 CVE-2019-14008 CVE-2019-14006
                      CVE-2019-14005 CVE-2019-14004 CVE-2019-14003
                      CVE-2019-14002 CVE-2019-10611 CVE-2019-10606
                      CVE-2019-10602 CVE-2019-10585 CVE-2019-10583
                      CVE-2019-10582 CVE-2019-10581 CVE-2019-10579
                      CVE-2019-10578 CVE-2019-10558 CVE-2019-10548
                      CVE-2019-10532 CVE-2019-2267 CVE-2018-20856
                      CVE-2018-11843
Member content until: Thursday, February 6 2020
Reference:            ESB-2019.4676
                      ESB-2019.3846
                      ESB-2019.3084
OVERVIEW
Android patch level 2020-01-05 has been released,
including fixes for multiple critical vulnerabilities. [1]
IMPACT
Google has provided the following information on the vulnerabilities
fixed in this patch level:
"Framework
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE             References    Type   Severity   Updated AOSP versions
CVE-2020-0001   A-140055304   EoP    Moderate   10
                              EoP    High       8.0, 8.1, 9
CVE-2020-0003   A-140195904   EoP    High       8.0
CVE-2020-0004   A-120847476   DoS    High       8.0, 8.1, 9, 10
Media framework
The vulnerability in this section could enable a remote attacker using a
specially crafted file to execute arbitrary code within the context of a
privileged process.
CVE             References    Type   Severity   Updated AOSP versions
CVE-2020-0002   A-142602711   RCE    Moderate   10
                              RCE    Critical   8.0, 8.1, 9
System
The most severe vulnerability in this section could lead to remote information
disclosure with no additional execution privileges needed.
CVE             References    Type   Severity   Updated AOSP versions
CVE-2020-0006   A-139738828   ID     High       8.0, 8.1, 9, 10
CVE-2020-0007   A-141890807   ID     High       8.0, 8.1, 9, 10
CVE-2020-0008   A-142558228   ID     High       8.0, 8.1, 9, 10
Google Play system updates
The following issue is included in Project Mainline components.
Component       CVE
Media codecs    CVE-2020-0002
2020-01-05 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2020-01-05 patch level. Vulnerabilities are
grouped under the component they affect and include details such as the CVE,
associated references, type of vulnerability, severity, component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, such as the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.
Kernel components
The most severe vulnerability in this section could enable a proximate attacker
using a specially crafted transmission to execute arbitrary code within the
context of a privileged process.
CVE             References        Type   Severity   Component
CVE-2019-17666  A-142967706       RCE    Critical   Realtek rtlwifi driver
                Upstream kernel
CVE-2018-20856  A-138921316       EoP    High       Kernel
                Upstream kernel
CVE-2019-15214  A-140920734       EoP    High       Sound subsystem
                Upstream kernel
CVE-2020-0009   A-142938932 *     EoP    High       ashmem
Qualcomm components
These vulnerabilities affect Qualcomm components and are described in further
detail in the appropriate Qualcomm security bulletin or security alert. The
severity assessment of these issues is provided directly by Qualcomm.
CVE             References              Type   Severity   Component
CVE-2018-11843  A-111126051             N/A    High       WLAN host
                QC-CR#2216751
CVE-2019-10558  A-142268223             N/A    High       Kernel
                QC-CR#2355428
CVE-2019-10581  A-142267478             N/A    High       Audio
                QC-CR#2451619
CVE-2019-10585  A-142267685             N/A    High       Kernel
                QC-CR#2457975
CVE-2019-10602  A-142270161             N/A    High       Display
                QC-CR#2165926 [2]
CVE-2019-10606  A-142269492             N/A    High       Kernel
                QC-CR#2192810 [2]
CVE-2019-14010  A-142269847             N/A    High       Audio
                QC-CR#2465851 [2]
CVE-2019-14023  A-142270139             N/A    High       Kernel
                QC-CR#2493328
CVE-2019-14024  A-142269993             N/A    High       NFC
                QC-CR#2494103
CVE-2019-14034  A-142270258             N/A    High       Camera
                QC-CR#2491649 [2] [3]
CVE-2019-14036  A-142269832             N/A    High       WLAN host
                QC-CR#2200862
Qualcomm closed-source components
These vulnerabilities affect Qualcomm closed-source components and are
described in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided directly by
Qualcomm.
CVE             References      Type   Severity   Component
CVE-2019-2267   A-132108182 *   N/A    High       Closed-source component
CVE-2019-10548  A-137030896 *   N/A    High       Closed-source component
CVE-2019-10532  A-142271634 *   N/A    High       Closed-source component
CVE-2019-10578  A-142268949 *   N/A    High       Closed-source component
CVE-2019-10579  A-142271692 *   N/A    High       Closed-source component
CVE-2019-10582  A-130574302 *   N/A    High       Closed-source component
CVE-2019-10583  A-131180394 *   N/A    High       Closed-source component
CVE-2019-10611  A-142271615 *   N/A    High       Closed-source component
CVE-2019-14002  A-142271274 *   N/A    High       Closed-source component
CVE-2019-14003  A-142271498 *   N/A    High       Closed-source component
CVE-2019-14004  A-142271848 *   N/A    High       Closed-source component
CVE-2019-14005  A-142271965 *   N/A    High       Closed-source component
CVE-2019-14006  A-142271827 *   N/A    High       Closed-source component
CVE-2019-14008  A-142271609 *   N/A    High       Closed-source component
CVE-2019-14013  A-142271944 *   N/A    High       Closed-source component
CVE-2019-14014  A-142270349 *   N/A    High       Closed-source component
CVE-2019-14016  A-142270646 *   N/A    High       Closed-source component
CVE-2019-14017  A-142271515 *   N/A    High       Closed-source component"
[1]
MITIGATION
Google advises updating Android devices to the 2020-01-05
patch level or later to address these vulnerabilities.
Please check with your device manufacturer for an estimation
of when they'll release a version of the OS at this patch level. [1]
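One way to check devices against the 2020-01-05 level named above, as an added example that is not part of the AusCERT or Google text. The function names and the sample inventory are constructed for illustration; live collection assumes `adb` is installed and reads the `ro.build.version.security_patch` system property.

```shell
#!/bin/sh
# Required level taken from the MITIGATION section of this bulletin.
REQUIRED_PATCH_LEVEL="2020-01-05"

# patch_level_status LEVEL -> prints "ok", "outdated" or "invalid".
# Android reports the level as YYYY-MM-DD; once the shape is validated,
# comparing the digits as YYYYMMDD integers orders the dates correctly.
patch_level_status() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo ok; else echo outdated; fi
}

# audit_inventory: reads "<serial> <patch level>" lines on stdin and prints
# only the devices that need action, with the reason.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(patch_level_status "$level")
        [ "$status" = ok ] || printf '%s %s %s\n' "$serial" "${level:-missing}" "$status"
    done
}

# collect_from_adb: builds the inventory from attached devices.
# </dev/null stops "adb shell" from swallowing the loop's input;
# tr strips the carriage return some adb versions append.
collect_from_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s %s\n' "$serial" "$level"
    done
}

# Constructed sample inventory (serials and levels are made up).
SAMPLE_INVENTORY='emulator-5554 2020-01-05
R58M000001 2019-12-01
0A1B2C3D 2020-01-01
ZX1G000002 2020-02-05
HT7A000003 unknown'
# Offline: printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
# Live:    collect_from_adb | audit_inventory
```

A device reporting anything other than a well-formed date is listed as `invalid` rather than silently passed, so missing or tampered property values surface in the same report.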
REFERENCES
[1] Android Security Bulletin - January 2020
https://source.android.com/security/bulletin/2020-01-01.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================