Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2020.0051
Android Security Bulletin - March 2020
5 March 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Android
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Existing Account
Denial of Service -- Existing Account
Access Confidential Data -- Existing Account
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-0069 CVE-2020-0044 CVE-2020-0043
CVE-2020-0042 CVE-2020-0041 CVE-2020-0040
CVE-2020-0039 CVE-2020-0038 CVE-2020-0037
CVE-2020-0036 CVE-2020-0035 CVE-2020-0034
CVE-2020-0033 CVE-2020-0032 CVE-2020-0031
CVE-2020-0029 CVE-2020-0012 CVE-2020-0011
CVE-2020-0010 CVE-2019-19537 CVE-2019-19527
CVE-2019-14098 CVE-2019-14097 CVE-2019-14095
CVE-2019-14086 CVE-2019-14085 CVE-2019-14083
CVE-2019-14082 CVE-2019-14081 CVE-2019-14079
CVE-2019-14072 CVE-2019-14071 CVE-2019-14068
CVE-2019-14061 CVE-2019-14050 CVE-2019-14048
CVE-2019-14045 CVE-2019-14032 CVE-2019-14031
CVE-2019-14030 CVE-2019-14029 CVE-2019-14028
CVE-2019-14027 CVE-2019-14026 CVE-2019-14015
CVE-2019-14000 CVE-2019-10616 CVE-2019-10612
CVE-2019-10604 CVE-2019-10603 CVE-2019-10594
CVE-2019-10593 CVE-2019-10591 CVE-2019-10587
CVE-2019-10586 CVE-2019-10577 CVE-2019-10569
CVE-2019-10554 CVE-2019-10553 CVE-2019-10552
CVE-2019-10550 CVE-2019-10549 CVE-2019-10546
CVE-2019-10526 CVE-2019-2317 CVE-2019-2311
CVE-2019-2300 CVE-2019-2194 CVE-2018-11970
CVE-2018-11838
Member content until: Friday, April 3 2020
Reference: https://source.android.com/security/bulletin/2020-03-01
OVERVIEW
Android patch level 2020-03-05 has been released, including fixes for
multiple critical vulnerabilities.
Google state that "The most severe of these issues is a critical security vulnerability
in themedia framework that could enable a remote attacker using a specially crafted
file to execute arbitrary code within the context of a privileged process. The
severity assessment is based on the effect that exploiting the vulnerability
would possibly have on an affected device, assuming the platform and service
mitigations are turned off for development purposes or if successfully
bypassed."[1]
IMPACT
Google has provided the following information on the vulnerabilities
fixed in this patch level:
"2020-03-01 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2020-03-01 patch level. Vulnerabilities are
grouped under the component that they affect. Issues are described in the
tables below and include CVE ID, associated references, type of vulnerability ,
severity , and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID. Devices with Android 10
and later may receive security updates as well as Google Play system updates .
Framework
The vulnerability in this section could enable a local malicious application to
bypass operating system protections that isolate application data from other
applications.
CVE References Type Severity Updated AOSP versions
CVE-2020-0031 A-141703197 ID High 10
Media framework
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2020-0032 A-145364230 RCE Critical 8.0, 8.1, 9, 10
CVE-2020-0033 A-144351324 EoP High 8.0, 8.1, 9, 10
CVE-2020-0034 A-62458770 ID High 8.0, 8.1
System
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2020-0036 A-144679405 EoP High 8.0, 8.1, 9, 10
CVE-2019-2194 A-137284057 EoP High 9
CVE-2020-0035 A-140622024 ID High 8.0, 8.1, 9
CVE-2020-0029 A-140065828 ID High 10
CVE-2020-0037 A-143106535 ID High 8.0, 8.1, 9, 10
CVE-2020-0038 A-143109193 ID High 8.0, 8.1, 9, 10
CVE-2020-0039 A-143155861 ID High 8.0, 8.1, 9, 10
Google Play system updates
The following issue is included in Project Mainline components.
Component CVE
Media codecs CVE-2020-0032
2020-03-05 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2020-03-05 patch level. Vulnerabilities are
grouped under the component they affect and include details such as the CVE,
associated references, type of vulnerability , severity , component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, such as the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.
System
The vulnerability in the following sections could enable a local attacker using
a specially crafted file to execute arbitrary code within the context of a
privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2019-2194 A-137284057 EoP High 9
Kernel components
The most severe vulnerability in this section could enable a local attacker
using a specially crafted USB device to execute arbitrary code within the
context of a privileged process.
CVE References Type Severity Component
CVE-2019-19527 A-146257915 EoP High USB
Upstream kernel [ 2 ]
CVE-2019-19537 A-146258055 EoP High USB
Upstream kernel
CVE-2020-0040 A-143009752 EoP High Networking
Upstream kernel
CVE-2020-0041 A-145988638 EoP High Binder
Upstream kernel
FPC components
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE References Type Severity Component
CVE-2020-0010 A-137014293 * EoP High FPC Fingerprint TEE
CVE-2020-0011 A-137648045 * EoP High FPC Fingerprint TEE
CVE-2020-0012 A-137648844 * EoP High FPC Fingerprint TEE
CVE-2020-0042 A-137649599 * ID Moderate FPC Fingerprint TEE
CVE-2020-0043 A-137650218 * ID Moderate FPC Fingerprint TEE
CVE-2020-0044 A-137650219 * ID Moderate FPC Fingerprint TEE
MediaTek components
CVE References Type Severity Component
CVE-2020-0069 A-147882143 * EoP High Mediatek Command Queue driver
M-ALPS04356754
Qualcomm components
These vulnerabilities affect Qualcomm components and are described in further
detail in the appropriate Qualcomm security bulletin or security alert. The
severity assessment of these issues is provided directly by Qualcomm.
CVE References Type Severity Component
CVE-2019-14079 A-138848422 N/A High USB
QC-CR#2521001
CVE-2018-11838 A-145545090 N/A High WLAN
QC-CR#221457 [ 2 ]
A-145544085
CVE-2019-10526 QC-CR#2232526 N/A High WLAN
QC-CR#2541970
CVE-2019-10569 A-145545820 N/A High Audio
QC-CR#2315791
CVE-2019-14029 A-145546793 N/A High Graphics
QC-CR#2528795
CVE-2019-14032 A-145546652 N/A High Audio
QC-CR#2537311
CVE-2019-14068 A-145546435 N/A High Audio
QC-CR#2507653 [ 2 ]
CVE-2019-14072 A-145545251 N/A High Graphics
QC-CR#2509391
Qualcomm closed-source components
These vulnerabilities affect Qualcomm closed-source components and are
described in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided directly by
Qualcomm.
CVE References Type Severity Component
CVE-2019-2317 A-134436812 * N/A Critical Closed-source component
CVE-2019-10586 A-140423909 * N/A Critical Closed-source component
CVE-2019-10587 A-140423816 * N/A Critical Closed-source component
CVE-2019-10593 A-140424165 * N/A Critical Closed-source component
CVE-2019-10594 A-140424564 * N/A Critical Closed-source component
CVE-2019-10612 A-140423161 * N/A Critical Closed-source component
CVE-2019-14031 A-142271912 * N/A Critical Closed-source component
CVE-2019-14045 A-140973418 * N/A Critical Closed-source component
CVE-2019-14071 A-145545489 * N/A Critical Closed-source component
CVE-2019-14083 A-140973259 * N/A Critical Closed-source component
CVE-2019-14086 A-140973417 * N/A Critical Closed-source component
CVE-2019-14030 A-145546515 * N/A Critical Closed-source component
CVE-2019-14097 A-145546003 * N/A Critical Closed-source component
CVE-2019-14098 A-145546314 * N/A Critical Closed-source component
CVE-2019-10546 A-145545250 * N/A Critical Closed-source component
CVE-2019-14095 A-142843397 * N/A Critical Closed-source component
CVE-2018-11970 A-114042111 * N/A High Closed-source component
CVE-2019-10603 A-140424074 * N/A High Closed-source component
CVE-2019-10616 A-140423338 * N/A High Closed-source component
CVE-2019-10549 A-140423162 * N/A High Closed-source component
CVE-2019-10550 A-140423702 * N/A High Closed-source component
CVE-2019-10552 A-140423817 * N/A High Closed-source component
CVE-2019-10553 A-140423081 * N/A High Closed-source component
CVE-2019-10554 A-140424012 * N/A High Closed-source component
CVE-2019-10577 A-140424166 * N/A High Closed-source component
CVE-2019-14026 A-142271986 * N/A High Closed-source component
CVE-2019-14027 A-142271756 * N/A High Closed-source component
CVE-2019-14028 A-142271831 * N/A High Closed-source component
CVE-2019-2300 A-142271659 * N/A High Closed-source component
CVE-2019-2311 A-142271967 * N/A High Closed-source component
CVE-2019-14050 A-143902706 * N/A High Closed-source component
CVE-2019-14081 A-143902882 * N/A High Closed-source component
CVE-2019-14082 A-140974589 * N/A High Closed-source component
CVE-2019-14085 A-143902807 * N/A High Closed-source component
CVE-2019-14048 A-145545282 * N/A High Closed-source component
CVE-2019-14061 A-145545758 * N/A High Closed-source component
CVE-2019-10604 A-145545725 * N/A High Closed-source component
CVE-2019-10591 A-145545283 * N/A High Closed-source component
CVE-2019-14000 A-145546434 * N/A High Closed-source component
CVE-2019-14015 A-145545650 * N/A High Closed-source component" [1]
MITIGATION
Google advises that the "Android Security Bulletin contains details of security
vulnerabilities affecting Android devices. Security patch levels of 2020-03-05
or later address all of these issues. To learn how to check a device's security
patch level, see Check and update your Android version." [1]
REFERENCES
[1] Android Security Bulletin - March 2020
https://source.android.com/security/bulletin/2020-03-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXmBbmWaOgq3Tt24GAQhbPRAAqa5ObJHwpMnh1NITe5JXJIgbk1yStt57
COAN/uXq/wEkx9KfeNrHEIILVP7RYFlFfCAapNdbTjRWewgz61Km/RiB7snnQ7Tw
VhLa8cQG4fqFLvCU7KmgBxq6/ncIJj79unETro89iIAFmLgBsqtIN7wHPGDvhRtU
Hqb2v57raYtKIFOgmpYfCUYFNmOHVoKAJXZcpxrQr5nBP/Paxo9ater00r02cCQl
9B6itd5VtnQLIPkYdDDOqej1WSzFTnroIMb/9lZ6EguMwxvVmSWSKLmK4H+xjHRQ
TkJajt515H7WGl8QnAk74L+0CiCkUTAvHUA+ksKpejVhbYi3iBxqpncsy4fmoNfM
Ioa5dnvromwChmWGbQJ/QFXbYPMnD92/4oqCDM7mBOhsoCAtpnU3bO2J/j+nRmpu
KAqK6v6xV03gXemdDXWdPRbX6v92nlS53XS/2SjIoOJl90Ryk3ZdyqMoO4PTd3Uf
3Kzm7qUIyzvUfbpnz3ZiWvddu8YwWxb8Pqf01ydnKfbSTtYUjMznG4YVqD6QrQky
uKHwRSlAKLGz3+5oykQRb/BGDZDOYSFsrkXHVHgDczhUg3llwqMGGmBkcFgRjTNw
jU7taYRu3jUETgXWRiZC9zVNfXfI1Lgl3e7ldy13lUCv9LONxoo4R5WQsdM1Q3uQ
ehPR2O7klWA=
=Rngq
-----END PGP SIGNATURE-----