Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2020.0069
Android Security Bulletin—April 2020
7 April 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Android
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Existing Account
Access Confidential Data -- Existing Account
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-3651 CVE-2020-0082 CVE-2020-0081
CVE-2020-0080 CVE-2020-0079 CVE-2020-0078
CVE-2020-0077 CVE-2020-0076 CVE-2020-0075
CVE-2020-0073 CVE-2020-0072 CVE-2020-0071
CVE-2020-0070 CVE-2019-19807 CVE-2019-19532
CVE-2019-19524 CVE-2019-14135 CVE-2019-14134
CVE-2019-14132 CVE-2019-14131 CVE-2019-14127
CVE-2019-14122 CVE-2019-14114 CVE-2019-14113
CVE-2019-14112 CVE-2019-14111 CVE-2019-14110
CVE-2019-14105 CVE-2019-14104 CVE-2019-14075
CVE-2019-14070 CVE-2019-14033 CVE-2019-14022
CVE-2019-14021 CVE-2019-14020 CVE-2019-14019
CVE-2019-14018 CVE-2019-14012 CVE-2019-14011
CVE-2019-14009 CVE-2019-14007 CVE-2019-14001
CVE-2019-10610 CVE-2019-10609 CVE-2019-10608
CVE-2019-10589 CVE-2019-10588 CVE-2019-10575
CVE-2019-10551 CVE-2019-10483 CVE-2019-9936
CVE-2019-8457 CVE-2019-5018 CVE-2019-2056
Member content until: Thursday, May 7 2020
Reference: ASB-2020.0018
ASB-2020.0017
ESB-2020.0851
ESB-2020.0830
ESB-2020.0766
ESB-2020.0719
OVERVIEW
Android patch level 2020-04-05 has been released, including fixes
for multiple critical vulnerabilities.
Google state that "The most severe of these issues is a critical
security vulnerability in the System component that could enable a
remote attacker using a specially crafted file to execute arbitrary
code within the context of a privileged process. The severity
assessment is based on the effect that exploiting the vulnerability
would possibly have on an affected device, assuming the platform and
service mitigations are turned off for development purposes or if
successfully bypassed." [1]
IMPACT
Google has provided the following information on the vulnerabilities
fixed in this patch level:
"2020-04-01 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2020-04-01 patch level.
Vulnerabilities are grouped under the component they affect. There
is a description of the issue and a table with the CVE, associated
references, type of vulnerability , severity , and updated AOSP
versions (where applicable). When available, we link the public
change that addressed the issue to the bug ID, such as the AOSP
change list. When multiple changes relate to a single bug,
additional references are linked to numbers following the bug ID.
Framework
The most severe vulnerability in this section could enable a local
malicious application to bypass user interaction requirements in
order to gain access to additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2020-0080 A-144092031 EoP High 10
CVE-2020-0081 A-144028297 EoP High 8.0, 8.1, 9, 10
CVE-2020-0082 A-140417434 EoP High 10
CVE-2019-5018 A-140180629 EoP High 8.0, 8.1, 9, 10
CVE-2019-8457 A-140182003 ID High 8.0, 8.1, 9, 10
CVE-2019-9936 A-140181188 ID Moderate 8.0, 8.1, 9, 10
Media framework
The most severe vulnerability in the following section could enable
a local attacker using a specially crafted file to execute arbitrary
code within the context of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2020-0078 A-144766455 EoP High 9, 10
CVE-2020-0079 A-144506242 EoP High 9, 10
System
The most severe vulnerability in this section could enable a remote
attacker using a specially crafted file to execute arbitrary code
within the context of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2020-0070 A-148159613 RCE Critical 8.0, 8.1, 9, 10
CVE-2020-0071 A-147310721 RCE Critical 8.0, 8.1, 9, 10
CVE-2020-0072 A-147310271 RCE Critical 8.0, 8.1, 9, 10
CVE-2020-0073 A-147309942 RCE Critical 8.0, 8.1, 9, 10
Google Play system updates
There are no security issues addressed in Google Play system updates
this month.
2020-04-05 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2020-04-05 patch level.
Vulnerabilities are grouped under the component they affect and
include details such as the CVE, associated references, type of
vulnerability , severity , component (where applicable), and updated
AOSP versions (where applicable). When available, we link the public
change that addressed the issue to the bug ID, such as the AOSP
change list. When multiple changes relate to a single bug,
additional references are linked to numbers following the bug ID.
Framework
The vulnerability in this section could enable a local attacker to
gain access to sensitive data.
CVE References Type Severity Updated AOSP versions
CVE-2019-2056 A-140879284 * ID High 10
Kernel components
The most severe vulnerability in this section could enable a local
attacker using a specially crafted USB device to execute arbitrary
code within the context of a privileged process.
CVE References Type Severity Component
CVE-2019-19524 A-146258053 EoP High USB input driver
Upstream kernel
CVE-2019-19532 A-146258320 EoP High USB HID drivers
Upstream kernel
CVE-2019-19807 A-146482218 EoP High Audio Subsystem
Upstream kernel
FPC components
The most severe vulnerability in this section could enable a local
malicious application to bypass user interaction requirements in
order to gain access to additional permissions.
CVE References Type Severity Component
CVE-2020-0076 A-146056878 * EoP High FPC Iris TZ App
CVE-2020-0075 A-146057864 * ID Moderate FPC Iris TZ App
CVE-2020-0077 A-146055840 * ID Moderate FPC Iris TZ App
Qualcomm components
These vulnerabilities affect Qualcomm components and are described
in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided
directly by Qualcomm.
CVE References Type Severity Component
CVE-2019-14131 A-147103218 N/A Critical WLAN
QC-CR#2564485
CVE-2019-14070 A-147101660 N/A High Audio
QC-CR#2508568 [ 2 ]
CVE-2019-14104 A-147103377 N/A High Camera
QC-CR#2245986
CVE-2019-14122 A-147102901 N/A High Kernel
QC-CR#2538911
CVE-2019-14132 A-147104052 N/A High Video
QC-CR#2455671
CVE-2020-3651 A-148816872 N/A High WLAN
QC-CR#2291442
Qualcomm closed-source components
These vulnerabilities affect Qualcomm closed-source components and
are described in further detail in the appropriate Qualcomm security
bulletin or security alert. The severity assessment of these issues
is provided directly by Qualcomm.
CVE References Type Severity Component
CVE-2019-10575 A-142272251 * N/A Critical Closed-source component
CVE-2019-10588 A-142271575 * N/A Critical Closed-source component
CVE-2019-10609 A-142269795 * N/A Critical Closed-source component
CVE-2019-14110 A-147104254 * N/A Critical Closed-source component
CVE-2019-14111 A-147103017 * N/A Critical Closed-source component
CVE-2019-14112 A-147102781 * N/A Critical Closed-source component
CVE-2019-14113 A-147103217 * N/A Critical Closed-source component
CVE-2019-14114 A-147102843 * N/A Critical Closed-source component
CVE-2019-10483 A-142270890 * N/A High Closed-source component
CVE-2019-10551 A-142270356 * N/A High Closed-source component
CVE-2019-10589 A-142271556 * N/A High Closed-source component
CVE-2019-10608 A-142270891 * N/A High Closed-source component
CVE-2019-10610 A-142271388 * N/A High Closed-source component
CVE-2019-14001 A-142272252 * N/A High Closed-source component
CVE-2019-14007 A-142269788 * N/A High Closed-source component
CVE-2019-14009 A-142271546 * N/A High Closed-source component
CVE-2019-14011 A-142268825 * N/A High Closed-source component
CVE-2019-14012 A-142270102 * N/A High Closed-source component
CVE-2019-14018 A-142271911 * N/A High Closed-source component
CVE-2019-14019 A-142272129 * N/A High Closed-source component
CVE-2019-14020 A-142271277 * N/A High Closed-source component
CVE-2019-14021 A-142271809 * N/A High Closed-source component
CVE-2019-14022 A-142271458 * N/A High Closed-source component
CVE-2019-14033 A-142271279 * N/A High Closed-source component
CVE-2019-14075 A-145546514 * N/A High Closed-source component
CVE-2019-14105 A-147104252 * N/A High Closed-source component
CVE-2019-14127 A-147103871 * N/A High Closed-source component
CVE-2019-14134 A-147102923 * N/A High Closed-source component
CVE-2019-14135 A-147104050 * N/A High Closed-source component
CVE-2020-3651 A-148816543 * N/A High Closed-source component" [1]
MITIGATION
Google advises that the "The Android Security Bulletin contains
details of security vulnerabilities affecting Android devices.
Security patch levels of 2020-04-05 or later address all of these
issues. To learn how to check a device's security patch level, see
Check and update your Android version ." [1]
REFERENCES
[1] Android Security Bulletin—April 2020
https://source.android.com/security/bulletin/2020-04-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXou5iWaOgq3Tt24GAQjmjg/+N65Vt+r0wuvht+fd5kyt5axkJHbl+Wao
yPigyF5L9mOKOsWGvonX2AWPfkaDoMjtc9e2gfL3H/4Tnodu/NbOwZv36krItxx5
DgWgInAf8v4EoGS/gXSyOH0h9EleprRlLJSLQ3kNFGMzv4z17UJgzQfVqJ5GgxPD
Bw69b/Y+CKfOVOrNuDJKhccehxlzKol1xsemESuAKBri8L0AfC9WQvWLA1evEG0K
fXWaHZ/UE+2t+LkCsV0qMvW82zcjI7wMvtTixHwqau1lZdHPsneBAnKZKlM7CKEo
5w/g+DQxsRiFTLqpKO1TZ9fXgY2xqzakV58vxmxIHBzCS7sDNzuL8zpEkyXHbF67
dtRda1aZkOMs8S+1s5SddPVvrZxBu0kTouJ+JTsH5Xup1Q6CItR4hSnh0FGoLDP4
x5tUxYD5be50DHUdpp9PEfHJydBltIW6yf9ce6qTk5vTFu0vBYvCYgK3yC8jjabE
+C6jJvyWMRZZI+E2jm089BwJVM8/taIDIKC29ubhPGcFW6a5DA3uIlAgbjmtBiy+
EWPllFBZTrQaR0wmzCH2uPTkr128c5x7JJ8qFcEE4DVsHi/H26PE1X3mf+d8R+fd
Io4KrvyCjguAoJZJ6V+tgso4K+8fhwC2nGVcCSN8dGnEhI6ZHxutlrLPUVlFTqqZ
EKYvQSIT9OU=
=SLp9
-----END PGP SIGNATURE-----