Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2020.0069 Android Security Bulletin—April 2020 7 April 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Android Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Existing Account Access Confidential Data -- Existing Account Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-3651 CVE-2020-0082 CVE-2020-0081 CVE-2020-0080 CVE-2020-0079 CVE-2020-0078 CVE-2020-0077 CVE-2020-0076 CVE-2020-0075 CVE-2020-0073 CVE-2020-0072 CVE-2020-0071 CVE-2020-0070 CVE-2019-19807 CVE-2019-19532 CVE-2019-19524 CVE-2019-14135 CVE-2019-14134 CVE-2019-14132 CVE-2019-14131 CVE-2019-14127 CVE-2019-14122 CVE-2019-14114 CVE-2019-14113 CVE-2019-14112 CVE-2019-14111 CVE-2019-14110 CVE-2019-14105 CVE-2019-14104 CVE-2019-14075 CVE-2019-14070 CVE-2019-14033 CVE-2019-14022 CVE-2019-14021 CVE-2019-14020 CVE-2019-14019 CVE-2019-14018 CVE-2019-14012 CVE-2019-14011 CVE-2019-14009 CVE-2019-14007 CVE-2019-14001 CVE-2019-10610 CVE-2019-10609 CVE-2019-10608 CVE-2019-10589 CVE-2019-10588 CVE-2019-10575 CVE-2019-10551 CVE-2019-10483 CVE-2019-9936 CVE-2019-8457 CVE-2019-5018 CVE-2019-2056 Member content until: Thursday, May 7 2020 Reference: ASB-2020.0018 ASB-2020.0017 ESB-2020.0851 ESB-2020.0830 ESB-2020.0766 ESB-2020.0719 OVERVIEW Android patch level 2020-04-05 has been released, including fixes for multiple critical vulnerabilities. Google state that "The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed." [1] IMPACT Google has provided the following information on the vulnerabilities fixed in this patch level: "2020-04-01 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-04-01 patch level. Vulnerabilities are grouped under the component they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability , severity , and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Framework The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. CVE References Type Severity Updated AOSP versions CVE-2020-0080 A-144092031 EoP High 10 CVE-2020-0081 A-144028297 EoP High 8.0, 8.1, 9, 10 CVE-2020-0082 A-140417434 EoP High 10 CVE-2019-5018 A-140180629 EoP High 8.0, 8.1, 9, 10 CVE-2019-8457 A-140182003 ID High 8.0, 8.1, 9, 10 CVE-2019-9936 A-140181188 ID Moderate 8.0, 8.1, 9, 10 Media framework The most severe vulnerability in the following section could enable a local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2020-0078 A-144766455 EoP High 9, 10 CVE-2020-0079 A-144506242 EoP High 9, 10 System The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2020-0070 A-148159613 RCE Critical 8.0, 8.1, 9, 10 CVE-2020-0071 A-147310721 RCE Critical 8.0, 8.1, 9, 10 CVE-2020-0072 A-147310271 RCE Critical 8.0, 8.1, 9, 10 CVE-2020-0073 A-147309942 RCE Critical 8.0, 8.1, 9, 10 Google Play system updates There are no security issues addressed in Google Play system updates this month. 2020-04-05 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-04-05 patch level. Vulnerabilities are grouped under the component they affect and include details such as the CVE, associated references, type of vulnerability , severity , component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Framework The vulnerability in this section could enable a local attacker to gain access to sensitive data. CVE References Type Severity Updated AOSP versions CVE-2019-2056 A-140879284 * ID High 10 Kernel components The most severe vulnerability in this section could enable a local attacker using a specially crafted USB device to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2019-19524 A-146258053 EoP High USB input driver Upstream kernel CVE-2019-19532 A-146258320 EoP High USB HID drivers Upstream kernel CVE-2019-19807 A-146482218 EoP High Audio Subsystem Upstream kernel FPC components The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. CVE References Type Severity Component CVE-2020-0076 A-146056878 * EoP High FPC Iris TZ App CVE-2020-0075 A-146057864 * ID Moderate FPC Iris TZ App CVE-2020-0077 A-146055840 * ID Moderate FPC Iris TZ App Qualcomm components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2019-14131 A-147103218 N/A Critical WLAN QC-CR#2564485 CVE-2019-14070 A-147101660 N/A High Audio QC-CR#2508568 [ 2 ] CVE-2019-14104 A-147103377 N/A High Camera QC-CR#2245986 CVE-2019-14122 A-147102901 N/A High Kernel QC-CR#2538911 CVE-2019-14132 A-147104052 N/A High Video QC-CR#2455671 CVE-2020-3651 A-148816872 N/A High WLAN QC-CR#2291442 Qualcomm closed-source components These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2019-10575 A-142272251 * N/A Critical Closed-source component CVE-2019-10588 A-142271575 * N/A Critical Closed-source component CVE-2019-10609 A-142269795 * N/A Critical Closed-source component CVE-2019-14110 A-147104254 * N/A Critical Closed-source component CVE-2019-14111 A-147103017 * N/A Critical Closed-source component CVE-2019-14112 A-147102781 * N/A Critical Closed-source component CVE-2019-14113 A-147103217 * N/A Critical Closed-source component CVE-2019-14114 A-147102843 * N/A Critical Closed-source component CVE-2019-10483 A-142270890 * N/A High Closed-source component CVE-2019-10551 A-142270356 * N/A High Closed-source component CVE-2019-10589 A-142271556 * N/A High Closed-source component CVE-2019-10608 A-142270891 * N/A High Closed-source component CVE-2019-10610 A-142271388 * N/A High Closed-source component CVE-2019-14001 A-142272252 * N/A High Closed-source component CVE-2019-14007 A-142269788 * N/A High Closed-source component CVE-2019-14009 A-142271546 * N/A High Closed-source component CVE-2019-14011 A-142268825 * N/A High Closed-source component CVE-2019-14012 A-142270102 * N/A High Closed-source component CVE-2019-14018 A-142271911 * N/A High Closed-source component CVE-2019-14019 A-142272129 * N/A High Closed-source component CVE-2019-14020 A-142271277 * N/A High Closed-source component CVE-2019-14021 A-142271809 * N/A High Closed-source component CVE-2019-14022 A-142271458 * N/A High Closed-source component CVE-2019-14033 A-142271279 * N/A High Closed-source component CVE-2019-14075 A-145546514 * N/A High Closed-source component CVE-2019-14105 A-147104252 * N/A High Closed-source component CVE-2019-14127 A-147103871 * N/A High Closed-source component CVE-2019-14134 A-147102923 * N/A High Closed-source component CVE-2019-14135 A-147104050 * N/A High Closed-source component CVE-2020-3651 A-148816543 * N/A High Closed-source component" [1] MITIGATION Google advises that the "The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2020-04-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version ." [1] REFERENCES [1] Android Security Bulletin—April 2020 https://source.android.com/security/bulletin/2020-04-01 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXou5iWaOgq3Tt24GAQjmjg/+N65Vt+r0wuvht+fd5kyt5axkJHbl+Wao yPigyF5L9mOKOsWGvonX2AWPfkaDoMjtc9e2gfL3H/4Tnodu/NbOwZv36krItxx5 DgWgInAf8v4EoGS/gXSyOH0h9EleprRlLJSLQ3kNFGMzv4z17UJgzQfVqJ5GgxPD Bw69b/Y+CKfOVOrNuDJKhccehxlzKol1xsemESuAKBri8L0AfC9WQvWLA1evEG0K fXWaHZ/UE+2t+LkCsV0qMvW82zcjI7wMvtTixHwqau1lZdHPsneBAnKZKlM7CKEo 5w/g+DQxsRiFTLqpKO1TZ9fXgY2xqzakV58vxmxIHBzCS7sDNzuL8zpEkyXHbF67 dtRda1aZkOMs8S+1s5SddPVvrZxBu0kTouJ+JTsH5Xup1Q6CItR4hSnh0FGoLDP4 x5tUxYD5be50DHUdpp9PEfHJydBltIW6yf9ce6qTk5vTFu0vBYvCYgK3yC8jjabE +C6jJvyWMRZZI+E2jm089BwJVM8/taIDIKC29ubhPGcFW6a5DA3uIlAgbjmtBiy+ EWPllFBZTrQaR0wmzCH2uPTkr128c5x7JJ8qFcEE4DVsHi/H26PE1X3mf+d8R+fd Io4KrvyCjguAoJZJ6V+tgso4K+8fhwC2nGVcCSN8dGnEhI6ZHxutlrLPUVlFTqqZ EKYvQSIT9OU= =SLp9 -----END PGP SIGNATURE-----