===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0002
                 Android security update for January 2020
                              7 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Android
Operating System:     Android
Impact/Access:        Administrator Compromise        -- Existing Account
                      Increased Privileges            -- Existing Account
                      Execute Arbitrary Code/Commands -- Console/Physical
                      Access Confidential Data        -- Existing Account
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-0009 CVE-2020-0008 CVE-2020-0007
                      CVE-2020-0006 CVE-2020-0004 CVE-2020-0003
                      CVE-2020-0002 CVE-2020-0001 CVE-2019-17666
                      CVE-2019-15214 CVE-2019-14036 CVE-2019-14034
                      CVE-2019-14024 CVE-2019-14023 CVE-2019-14017
                      CVE-2019-14016 CVE-2019-14014 CVE-2019-14013
                      CVE-2019-14010 CVE-2019-14008 CVE-2019-14006
                      CVE-2019-14005 CVE-2019-14004 CVE-2019-14003
                      CVE-2019-14002 CVE-2019-10611 CVE-2019-10606
                      CVE-2019-10602 CVE-2019-10585 CVE-2019-10583
                      CVE-2019-10582 CVE-2019-10581 CVE-2019-10579
                      CVE-2019-10578 CVE-2019-10558 CVE-2019-10548
                      CVE-2019-10532 CVE-2019-2267 CVE-2018-20856
                      CVE-2018-11843
Member content until: Thursday, February 6 2020
Reference:            ESB-2019.4676
                      ESB-2019.3846
                      ESB-2019.3084

OVERVIEW

        Android patch level 2020-01-05 has been released, including fixes
        for multiple critical vulnerabilities. [1]


IMPACT

        Google has provided the following information on the
        vulnerabilities fixed in this patch level:

        "Framework

        The most severe vulnerability in this section could enable a local
        malicious application to bypass user interaction requirements in
        order to gain access to additional permissions.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2020-0001  A-140055304  EoP   Moderate  10
                                    EoP   High      8.0, 8.1, 9
        CVE-2020-0003  A-140195904  EoP   High      8.0
        CVE-2020-0004  A-120847476  DoS   High      8.0, 8.1, 9, 10

        Media framework

        The vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the
        context of a privileged process.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2020-0002  A-142602711  RCE   Moderate  10
                                    RCE   Critical  8.0, 8.1, 9

        System

        The most severe vulnerability in this section could lead to remote
        information disclosure with no additional execution privileges
        needed.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2020-0006  A-139738828  ID    High      8.0, 8.1, 9, 10
        CVE-2020-0007  A-141890807  ID    High      8.0, 8.1, 9, 10
        CVE-2020-0008  A-142558228  ID    High      8.0, 8.1, 9, 10

        Google Play system updates

        The following issue is included in Project Mainline components.

        Component     CVE
        Media codecs  CVE-2020-0002

        2020-01-05 security patch level vulnerability details

        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2020-01-05 patch level.
        Vulnerabilities are grouped under the component they affect and
        include details such as the CVE, associated references, type of
        vulnerability, severity, component (where applicable), and updated
        AOSP versions (where applicable). When available, we link the
        public change that addressed the issue to the bug ID, such as the
        AOSP change list. When multiple changes relate to a single bug,
        additional references are linked to numbers following the bug ID.

        Kernel components

        The most severe vulnerability in this section could enable a
        proximate attacker using a specially crafted transmission to
        execute arbitrary code within the context of a privileged process.

        CVE             References       Type  Severity  Component
        CVE-2019-17666  A-142967706      RCE   Critical  Realtek rtlwifi driver
                        Upstream kernel
        CVE-2018-20856  A-138921316      EoP   High      Kernel
                        Upstream kernel
        CVE-2019-15214  A-140920734      EoP   High      Sound subsystem
                        Upstream kernel
        CVE-2020-0009   A-142938932 *    EoP   High      ashmem

        Qualcomm components

        These vulnerabilities affect Qualcomm components and are described
        in further detail in the appropriate Qualcomm security bulletin or
        security alert. The severity assessment of these issues is provided
        directly by Qualcomm.

        CVE             References             Type  Severity  Component
        CVE-2018-11843  A-111126051            N/A   High      WLAN host
                        QC-CR#2216751
        CVE-2019-10558  A-142268223            N/A   High      Kernel
                        QC-CR#2355428
        CVE-2019-10581  A-142267478            N/A   High      Audio
                        QC-CR#2451619
        CVE-2019-10585  A-142267685            N/A   High      Kernel
                        QC-CR#2457975
        CVE-2019-10602  A-142270161            N/A   High      Display
                        QC-CR#2165926 [2]
        CVE-2019-10606  A-142269492            N/A   High      Kernel
                        QC-CR#2192810 [2]
        CVE-2019-14010  A-142269847            N/A   High      Audio
                        QC-CR#2465851 [2]
        CVE-2019-14023  A-142270139            N/A   High      Kernel
                        QC-CR#2493328
        CVE-2019-14024  A-142269993            N/A   High      NFC
                        QC-CR#2494103
        CVE-2019-14034  A-142270258            N/A   High      Camera
                        QC-CR#2491649 [2] [3]
        CVE-2019-14036  A-142269832            N/A   High      WLAN host
                        QC-CR#2200862

        Qualcomm closed-source components

        These vulnerabilities affect Qualcomm closed-source components and
        are described in further detail in the appropriate Qualcomm
        security bulletin or security alert. The severity assessment of
        these issues is provided directly by Qualcomm.

        CVE             References     Type  Severity  Component
        CVE-2019-2267   A-132108182 *  N/A   High      Closed-source component
        CVE-2019-10548  A-137030896 *  N/A   High      Closed-source component
        CVE-2019-10532  A-142271634 *  N/A   High      Closed-source component
        CVE-2019-10578  A-142268949 *  N/A   High      Closed-source component
        CVE-2019-10579  A-142271692 *  N/A   High      Closed-source component
        CVE-2019-10582  A-130574302 *  N/A   High      Closed-source component
        CVE-2019-10583  A-131180394 *  N/A   High      Closed-source component
        CVE-2019-10611  A-142271615 *  N/A   High      Closed-source component
        CVE-2019-14002  A-142271274 *  N/A   High      Closed-source component
        CVE-2019-14003  A-142271498 *  N/A   High      Closed-source component
        CVE-2019-14004  A-142271848 *  N/A   High      Closed-source component
        CVE-2019-14005  A-142271965 *  N/A   High      Closed-source component
        CVE-2019-14006  A-142271827 *  N/A   High      Closed-source component
        CVE-2019-14008  A-142271609 *  N/A   High      Closed-source component
        CVE-2019-14013  A-142271944 *  N/A   High      Closed-source component
        CVE-2019-14014  A-142270349 *  N/A   High      Closed-source component
        CVE-2019-14016  A-142270646 *  N/A   High      Closed-source component
        CVE-2019-14017  A-142271515 *  N/A   High      Closed-source component" [1]


MITIGATION

        Google advises updating Android devices to the 2020-01-05 patch
        level or later to address these vulnerabilities. Please check with
        your device manufacturer for an estimation of when they'll release
        a version of the OS at this patch level. [1]


REFERENCES

        [1] Android Security Bulletin - January 2020
            https://source.android.com/security/bulletin/2020-01-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================