-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin

                         ASB-2020.0033
            Android security update for February 2020
                        4 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Android
Operating System:  Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-0030 CVE-2020-0028 CVE-2020-0027 CVE-2020-0026
                   CVE-2020-0023 CVE-2020-0022 CVE-2020-0021 CVE-2020-0020
                   CVE-2020-0018 CVE-2020-0017 CVE-2020-0015 CVE-2020-0014
                   CVE-2020-0005 CVE-2019-14063 CVE-2019-14060 CVE-2019-14057
                   CVE-2019-14055 CVE-2019-14051 CVE-2019-14049 CVE-2019-14046
                   CVE-2019-14044 CVE-2019-11599 CVE-2019-10590 CVE-2019-10567
                   CVE-2019-2200
Member content until: Thursday, March 5 2020
Reference:         ESB-2020.0228 ESB-2019.4110 ESB-2019.3590 ESB-2019.3313
                   ESB-2019.2626 ESB-2019.3334.2

OVERVIEW

        Android patch level 2020-02-05 has been released, including fixes
        for multiple critical vulnerabilities. [1]

IMPACT

        Google has provided the following information on the
        vulnerabilities fixed in this patch level:

        "Framework

        The most severe vulnerability in this section could enable a local
        malicious application to bypass user interaction requirements in
        order to gain access to additional permissions.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2020-0014  A-128674520  EoP   High      8.0, 8.1, 9, 10
        CVE-2020-0015  A-139017101  EoP   High      8.0, 8.1, 9, 10
        CVE-2019-2200  A-67319274   EoP   High      10
        CVE-2020-0017  A-123232892  ID    High      8.0, 8.1, 9, 10
        CVE-2020-0018  A-139945049  ID    High      8.0, 8.1, 9, 10
        CVE-2020-0020  A-143118731  ID    High      10
        CVE-2020-0021  A-141413692  DoS   High      10

        System

        The most severe vulnerability in this section could enable a remote
        attacker using a specially crafted transmission to execute
        arbitrary code within the context of a privileged process.

        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2020-0022  A-143894715  DoS   Moderate  10
                                    RCE   Critical  8.0, 8.1, 9
        CVE-2020-0023  A-145130871  ID    Critical  10
        CVE-2020-0005  A-141552859  EoP   High      8.0, 8.1, 9, 10
        CVE-2020-0026  A-140419401  EoP   High      8.0, 8.1, 9, 10
        CVE-2020-0027  A-144040966  EoP   High      8.0, 8.1, 9, 10
        CVE-2020-0028  A-122652057  ID    High      9

        (CVE-2020-0022 is listed twice in the bulletin: as a Moderate
        denial of service on Android 10 and as a Critical remote code
        execution on 8.0, 8.1 and 9.)

        Google Play system updates

        There are no security issues addressed in Google Play system
        updates this month.

        2020-02-05 security patch level vulnerability details

        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2020-02-05 patch level.
        Vulnerabilities are grouped under the component they affect and
        include details such as the CVE, associated references, type of
        vulnerability, severity, component (where applicable), and updated
        AOSP versions (where applicable). When available, we link the
        public change that addressed the issue to the bug ID, such as the
        AOSP change list. When multiple changes relate to a single bug,
        additional references are linked to numbers following the bug ID.

        Kernel components

        The most severe vulnerability in this section could enable a local
        attacker using a specially crafted file to execute arbitrary code
        within the context of a privileged process.

        CVE             References                    Type  Severity  Component
        CVE-2020-0030   A-145286050, Upstream kernel  EoP   High      Binder driver
        CVE-2019-11599  A-131964235, Upstream kernel  EoP   High      Memory Map Subsystem

        Qualcomm components

        These vulnerabilities affect Qualcomm components and are described
        in further detail in the appropriate Qualcomm security bulletin or
        security alert. The severity assessment of these issues is provided
        directly by Qualcomm.

        CVE             References                  Type  Severity  Component
        CVE-2019-14044  A-143903491, QC-CR#2175394  N/A   High      Camera
        CVE-2019-14046  A-143902999, QC-CR#2207235  N/A   High      Camera
        CVE-2019-14049  A-143903513, QC-CR#2305531  N/A   High      Kernel
        CVE-2019-14055  A-143902876, QC-CR#2352487  N/A   High      Kernel
        CVE-2019-14063  A-143901127, QC-CR#2491577  N/A   High      Audio
        CVE-2019-10567  A-140246780, QC-CR#2520860  N/A   High      Graphics

        Qualcomm closed-source components

        These vulnerabilities affect Qualcomm closed-source components and
        are described in further detail in the appropriate Qualcomm
        security bulletin or security alert. The severity assessment of
        these issues is provided directly by Qualcomm.

        CVE             References     Type  Severity  Component
        CVE-2019-10590  A-143903858 *  N/A   High      Closed-source component
        CVE-2019-14051  A-143902841 *  N/A   High      Closed-source component
        CVE-2019-14057  A-143903018 *  N/A   High      Closed-source component
        CVE-2019-14060  A-143903752 *  N/A   High      Closed-source component" [1]

MITIGATION

        Google advises "updating Android devices to the 2020-02-05 patch
        level or later to address these vulnerabilities." Please check with
        your device manufacturer for an estimation of when they will
        release a version of the OS at this patch level. [1]

REFERENCES

        [1] Android Security Bulletin - February 2020
            https://source.android.com/security/bulletin/2020-02-01.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
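As an added triage check for the MITIGATION section above (example code, not part of the AusCERT or Google bulletin): it takes each device's AOSP version together with the value of the build property ro.build.version.security_patch (what `adb shell getprop ro.build.version.security_patch` returns on a device), compares that value against 2020-02-05, and lists which CVEs from the Framework and System tables a device that has not reached the patch level is still exposed to. The device names and inventory are constructed for the example; the CVE rows are transcribed from the tables above (the Kernel and Qualcomm rows carry no AOSP version and are therefore not included).

```python
"""Added triage helper for the 2020-02-05 Android patch level (not AusCERT's or Google's code)."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# "2020-02-05 patch level or later": the security_patch property is an ISO date,
# so "or later" is a plain date comparison.
REQUIRED_PATCH_LEVEL = date(2020, 2, 5)

# AOSP-versioned rows transcribed from the bulletin's Framework and System tables:
# CVE, type, severity, updated AOSP versions. CVE-2020-0022 has two rows in the
# bulletin (DoS/Moderate on 10, RCE/Critical on 8.0-9), so it appears twice here too.
BULLETIN_ROWS = """\
CVE-2020-0014 EoP High 8.0,8.1,9,10
CVE-2020-0015 EoP High 8.0,8.1,9,10
CVE-2019-2200 EoP High 10
CVE-2020-0017 ID High 8.0,8.1,9,10
CVE-2020-0018 ID High 8.0,8.1,9,10
CVE-2020-0020 ID High 10
CVE-2020-0021 DoS High 10
CVE-2020-0022 DoS Moderate 10
CVE-2020-0022 RCE Critical 8.0,8.1,9
CVE-2020-0023 ID Critical 10
CVE-2020-0005 EoP High 8.0,8.1,9,10
CVE-2020-0026 EoP High 8.0,8.1,9,10
CVE-2020-0027 EoP High 8.0,8.1,9,10
CVE-2020-0028 ID High 9
"""

SEVERITY_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Critical": 3}

# Constructed sample inventory (hypothetical device names; the third field is what
# `adb shell getprop ro.build.version.security_patch` returned on each device).
SAMPLE_FLEET = [
    ("pixel-a", "10", "2020-02-05"),    # exactly at the required level
    ("tablet-b", "9", "2019-12-05"),    # behind: exposed to every row listing 9
    ("kiosk-c", "8.1", "2020-03-01"),   # later level: covered by "or later"
    ("legacy-d", "7.1", "2019-11-01"),  # AOSP version absent from the bulletin's tables
    ("unknown-e", "10", ""),            # property unset or unreadable
]

Row = Tuple[str, str, str, List[str]]


def parse_rows(text: str = BULLETIN_ROWS) -> List[Row]:
    """Parse the transcribed table into (cve, type, severity, [versions]) tuples."""
    rows: List[Row] = []
    for line in text.splitlines():
        if line.strip():
            cve, vtype, severity, versions = line.split()
            rows.append((cve, vtype, severity, versions.split(",")))
    return rows


def parse_patch_level(prop: str) -> Optional[date]:
    """ro.build.version.security_patch is YYYY-MM-DD; None when unset or malformed."""
    try:
        return date.fromisoformat(prop.strip())
    except ValueError:
        return None


def is_patched(prop: str) -> bool:
    """True when the device reports the 2020-02-05 patch level or a later one."""
    level = parse_patch_level(prop)
    return level is not None and level >= REQUIRED_PATCH_LEVEL


def applicable_cves(aosp_version: str, min_severity: str = "Low") -> List[str]:
    """Bulletin CVEs listing this AOSP version at or above min_severity, in
    bulletin order and without duplicates (CVE-2020-0022 is counted once)."""
    result: List[str] = []
    for cve, _vtype, severity, versions in parse_rows():
        if aosp_version in versions and SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]:
            if cve not in result:
                result.append(cve)
    return result


def triage(fleet, min_severity: str = "Low") -> Dict[str, Tuple[str, List[str]]]:
    """Map device name -> (status, open CVEs) for (name, aosp, security_patch) rows."""
    covered = {v for row in parse_rows() for v in row[3]}
    report: Dict[str, Tuple[str, List[str]]] = {}
    for name, aosp, prop in fleet:
        if parse_patch_level(prop) is None:
            # Cannot prove it is patched: report as exposed until the property is read.
            report[name] = ("unknown-patch-level", applicable_cves(aosp, min_severity))
        elif is_patched(prop):
            report[name] = ("patched", [])
        elif aosp not in covered:
            report[name] = ("not-in-bulletin-tables", [])
        else:
            report[name] = ("exposed", applicable_cves(aosp, min_severity))
    return report


if __name__ == "__main__":
    for name, (status, cves) in triage(SAMPLE_FLEET).items():
        print(f"{name:10} {status:24} {' '.join(cves)}")
```

Because the property is an ISO date, "or later" is a date comparison, and a device whose value is empty or unparseable is reported as exposed rather than silently skipped. The property is a string the build reports about itself, not proof that every fix in the tables above is present; the Qualcomm rows in particular are assessed and shipped separately, as the bulletin notes, so this check is a first pass, not a substitute for the manufacturer's own update notice.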
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjjsEWaOgq3Tt24GAQii0Q/9Ge35if+IqHAilsmERUf5rrGD1AGQUh/P
yXfBOiARcN2UPwmxSFiz5C32CwSbTcMaIxAqd/DAOlVIiMJzr+08iNvi0EEpi8sI
4oD7c2Gs7UJBpV9f4N+3c9o2rVJZFSjIR3EGIWKo+EXFkV3xNPg5kAoPfzymonD7
+TVh8WuWUcJ6/7C/tKl5FuIvSUBhg2xpXvgPp5E9FGWvveTIQtzzMPuCMq9Kkwzn
NDnVZCRN3rn+xj0r0hgde12yhN7y/krXPtss6leZmEpNGNfnOtLKzAKaKfd5hkTX
4Q0VnRMkeMK2LUuMxMKNejc9pbb9xELF+srbL5YpaOAfPoKecoty4FWkSR/plwuq
rX6CdCg9AmOxSKFRrSdPU2FA+mlJ48216SnN/CdYlUjDJ2JpgzGmsuR0XjgKu5CQ
6mOw7qKJ44RcMJTd+50TUea1cXX6elCEKSuijwFoUxm+/XLWDnRGeLijXwhVQB2A
eFIGs9roqvWNiacxfgMHFN1pbrs1etMQt1CzpN1xNeQFivJ7dAucnYx/xRTGkjH2
c4DUnuI1aB5r1DRVq+nb59VGlnKysB/YjGlxQ6aNRay2qAkI+dbaoPbCq3TdRv/u
3CsXwBj/JUfzOiei8CA3wlldupaUeElobV5VaQkA1X4iQ7LUWr6h0fR0oXNRCOCK
zUub6sQ/eEU=
=lE4L
-----END PGP SIGNATURE-----