-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0405
                 Android Security Bulletin - February 2017
                             14 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Android
Publisher:         Android
Operating System:  Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-0451 CVE-2017-0450 CVE-2017-0449
                   CVE-2017-0448 CVE-2017-0447 CVE-2017-0446
                   CVE-2017-0445 CVE-2017-0444 CVE-2017-0443
                   CVE-2017-0442 CVE-2017-0441 CVE-2017-0440
                   CVE-2017-0439 CVE-2017-0438 CVE-2017-0437
                   CVE-2017-0436 CVE-2017-0435 CVE-2017-0434
                   CVE-2017-0433 CVE-2017-0432 CVE-2017-0431
                   CVE-2017-0430 CVE-2017-0429 CVE-2017-0428
                   CVE-2017-0427 CVE-2017-0426 CVE-2017-0425
                   CVE-2017-0424 CVE-2017-0423 CVE-2017-0422
                   CVE-2017-0421 CVE-2017-0420 CVE-2017-0419
                   CVE-2017-0418 CVE-2017-0417 CVE-2017-0416
                   CVE-2017-0415 CVE-2017-0414 CVE-2017-0413
                   CVE-2017-0412 CVE-2017-0411 CVE-2017-0410
                   CVE-2017-0409 CVE-2017-0408 CVE-2017-0407
                   CVE-2017-0406 CVE-2017-0405 CVE-2016-10044
                   CVE-2016-8481 CVE-2016-8480 CVE-2016-8476
                   CVE-2016-8421 CVE-2016-8420 CVE-2016-8419
                   CVE-2016-8418 CVE-2016-8414 CVE-2016-5552
                   CVE-2014-9914  

Reference:         ASB-2017.0005
                   ESB-2017.0391
                   ESB-2017.0388
                   ESB-2017.0375

Original Bulletin: 
   https://source.android.com/security/bulletin/2017-02-01.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Android Security Bulletin - February 2017

Published February 06, 2017 | Updated February 8, 2017

The Android Security Bulletin contains details of security vulnerabilities 
affecting Android devices. Alongside the bulletin, we have released a security
update to Google devices through an over-the-air (OTA) update. The Google 
device firmware images have also been released to the Google Developer site. 
Security patch levels of February 05, 2017 or later address all of these 
issues. Refer to the Pixel and Nexus update schedule to learn how to check a 
device's security patch level.

Partners were notified of the issues described in the bulletin on January 03,
2017 or earlier. Source code patches for these issues have been released to 
the Android Open Source Project (AOSP) repository and linked from this 
bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a Critical security vulnerability that 
could enable remote code execution on an affected device through multiple 
methods such as email, web browsing, and MMS when processing media files.

We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the Android and Google service mitigations section 
for details on the Android security platform protections and service 
protections such as SafetyNet, which improve the security of the Android 
platform.

We encourage all customers to accept these updates to their devices.

Announcements

    This bulletin has two security patch level strings to provide Android
    partners with the flexibility to more quickly fix a subset of
    vulnerabilities that are similar across all Android devices. See Common
    questions and answers for additional information:

        2017-02-01: Partial security patch level string. This security patch
        level string indicates that all issues associated with 2017-02-01
        (and all previous security patch level strings) are addressed.

        2017-02-05: Complete security patch level string. This security patch
        level string indicates that all issues associated with 2017-02-01 and
        2017-02-05 (and all previous security patch level strings) are
        addressed.

    Supported Google devices will receive a single OTA update with the
    February 05, 2017 security patch level.
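
The following is an added example, not part of the original bulletin: it
applies the two patch level strings defined above to a device inventory and
reports which of the bulletin's issue sets remain outstanding. The inventory
format and device names are constructed assumptions; the patch level is
assumed to be the YYYY-MM-DD string a device reports (for example in the
ro.build.version.security_patch system property).

```python
"""Triage devices against the February 2017 security patch level strings.

Added illustration, not code from the bulletin. Inventory lines are
constructed sample data in a hypothetical "device,patch_level" format.
"""
from datetime import date

# The two patch level strings this bulletin defines.
PARTIAL = date(2017, 2, 1)   # 2017-02-01: partial security patch level string
COMPLETE = date(2017, 2, 5)  # 2017-02-05: complete security patch level string


def parse_patch_level(value):
    """Return a date for a strict YYYY-MM-DD string, or None if malformed."""
    parts = value.strip().split("-")
    if [len(p) for p in parts] != [4, 2, 2] or not "".join(parts).isdigit():
        return None
    try:
        return date(*(int(p) for p in parts))
    except ValueError:  # calendar-invalid value such as 2017-02-30
        return None


def outstanding_sets(level):
    """List the bulletin's issue sets that a patch level does not address.

    Patch level strings are cumulative: a level on or after a given string
    addresses that string's issues and those of all previous strings.
    """
    return [s.isoformat() for s in (PARTIAL, COMPLETE) if level < s]


def triage(inventory_lines):
    """Map each device to (status, outstanding issue sets)."""
    results = {}
    for line in inventory_lines:
        device, _, raw = line.partition(",")
        device = device.strip()
        level = parse_patch_level(raw)
        if level is None:
            # An unreadable value is never treated as patched.
            results[device] = ("unknown", [])
            continue
        missing = outstanding_sets(level)
        if not missing:
            status = "complete"
        elif missing == [COMPLETE.isoformat()]:
            status = "partial"
        else:
            status = "unpatched"
        results[device] = (status, missing)
    return results


# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY = [
    "device-a,2017-02-05",    # complete level for this bulletin
    "device-b,2017-02-01",    # partial level: 2017-02-05 issues remain
    "device-c,2017-01-05",    # predates both strings
    "device-d,2017-03-01",    # later level, cumulative, so complete
    "device-e,February 2017", # not a patch level string
]

if __name__ == "__main__":
    for device, (status, missing) in triage(SAMPLE_INVENTORY).items():
        print(f"{device:10} {status:10} outstanding: {', '.join(missing) or '-'}")
```

A device reporting 2017-02-01 is classed as partial: the 2017-02-05 issue
set, which the summary below lists as including Critical kernel and driver
issues, is still outstanding on it.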

Security vulnerability summary

The tables below contain a list of security vulnerabilities, the Common
Vulnerability and Exposures ID (CVE), the assessed severity, and whether or
not Google devices are affected. The severity assessment is based on the
effect that exploiting the vulnerability would possibly have on an affected
device, assuming the platform and service mitigations are disabled for
development purposes or if successfully bypassed.

2017-02-01 security patch level - Vulnerability summary

Security patch levels of 2017-02-01 or later must address the following
issues.

Issue                                     CVE             Severity  Affects Google devices?
----------------------------------------  --------------  --------  -----------------------
Remote code execution vulnerability in    CVE-2017-0405   Critical  Yes
  Surfaceflinger
Remote code execution vulnerability in    CVE-2017-0406,  Critical  Yes
  Mediaserver                             CVE-2017-0407
Remote code execution vulnerability in    CVE-2017-0408   High      Yes
  libgdx
Remote code execution vulnerability in    CVE-2017-0409   High      Yes
  libstagefright
Elevation of privilege vulnerability in   CVE-2016-5552   High      Yes
  Java.Net
Elevation of privilege vulnerability in   CVE-2017-0410,  High      Yes
  Framework APIs                          CVE-2017-0411,
                                          CVE-2017-0412
Elevation of privilege vulnerability in   CVE-2017-0415   High      Yes
  Mediaserver
Elevation of privilege vulnerability in   CVE-2017-0416,  High      Yes
  Audioserver                             CVE-2017-0417,
                                          CVE-2017-0418,
                                          CVE-2017-0419
Information disclosure vulnerability in   CVE-2017-0420   High      Yes
  AOSP Mail
Information disclosure vulnerability in   CVE-2017-0413,  High      Yes
  AOSP Messaging                          CVE-2017-0414
Information disclosure vulnerability in   CVE-2017-0421   High      Yes
  Framework APIs
Denial of service vulnerability in        CVE-2017-0422   High      Yes
  Bionic DNS
Elevation of privilege vulnerability in   CVE-2017-0423   Moderate  Yes
  Bluetooth
Information disclosure vulnerability in   CVE-2017-0424   Moderate  Yes
  AOSP Messaging
Information disclosure vulnerability in   CVE-2017-0425   Moderate  Yes
  Audioserver
Information disclosure vulnerability in   CVE-2017-0426   Moderate  Yes
  Filesystem

2017-02-05 security patch level - Vulnerability summary

Security patch levels of 2017-02-05 or later must address all of the
2017-02-01 issues, as well as the following issues.

Issue                                     CVE             Severity  Affects Google devices?
----------------------------------------  --------------  --------  -----------------------
Remote code execution vulnerability in    CVE-2016-8418   Critical  No*
  Qualcomm crypto driver
Elevation of privilege vulnerability in   CVE-2017-0427   Critical  Yes
  kernel file system
Elevation of privilege vulnerability in   CVE-2017-0428,  Critical  Yes
  NVIDIA GPU driver                       CVE-2017-0429
Elevation of privilege vulnerability in   CVE-2014-9914   Critical  Yes
  kernel networking subsystem
Elevation of privilege vulnerability in   CVE-2017-0430   Critical  Yes
  Broadcom Wi-Fi driver
Vulnerabilities in Qualcomm components    CVE-2017-0431   Critical  No*
Elevation of privilege vulnerability in   CVE-2017-0432   High      No*
  MediaTek driver
Elevation of privilege vulnerability in   CVE-2017-0433,  High      Yes
  Synaptics touchscreen driver            CVE-2017-0434
Elevation of privilege vulnerability in   CVE-2016-8480   High      Yes
  Qualcomm Secure Execution Environment
  Communicator driver
Elevation of privilege vulnerability in   CVE-2016-8481,  High      Yes
  Qualcomm sound driver                   CVE-2017-0435,
                                          CVE-2017-0436
Elevation of privilege vulnerability in   CVE-2017-0437,  High      Yes
  Qualcomm Wi-Fi driver                   CVE-2017-0438,
                                          CVE-2017-0439,
                                          CVE-2016-8419,
                                          CVE-2016-8420,
                                          CVE-2016-8421,
                                          CVE-2017-0440,
                                          CVE-2017-0441,
                                          CVE-2017-0442,
                                          CVE-2017-0443,
                                          CVE-2016-8476
Elevation of privilege vulnerability in   CVE-2017-0444   High      Yes
  Realtek sound driver
Elevation of privilege vulnerability in   CVE-2017-0445,  High      Yes
  HTC touchscreen driver                  CVE-2017-0446,
                                          CVE-2017-0447
Information disclosure vulnerability in   CVE-2017-0448   High      Yes
  NVIDIA video driver
Elevation of privilege vulnerability in   CVE-2017-0449   Moderate  Yes
  Broadcom Wi-Fi driver
Elevation of privilege vulnerability in   CVE-2017-0450   Moderate  Yes
  Audioserver
Elevation of privilege vulnerability in   CVE-2016-10044  Moderate  Yes
  kernel file system
Information disclosure vulnerability in   CVE-2016-8414   Moderate  Yes
  Qualcomm Secure Execution Environment
  Communicator
Information disclosure vulnerability in   CVE-2017-0451   Moderate  Yes
  Qualcomm sound driver

* Supported Google devices on Android 7.0 or later that have installed all
available updates are not affected by this vulnerability.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform
and service protections, such as SafetyNet. These capabilities reduce the 
likelihood that security vulnerabilities could be successfully exploited on 
Android.

    Exploitation for many issues on Android is made more difficult by
    enhancements in newer versions of the Android platform. We encourage all
    users to update to the latest version of Android where possible.

    The Android Security team actively monitors for abuse with Verify Apps
    and SafetyNet, which are designed to warn users about Potentially Harmful
    Applications. Verify Apps is enabled by default on devices with Google
    Mobile Services and is especially important for users who install
    applications from outside of Google Play. Device rooting tools are
    prohibited within Google Play, but Verify Apps warns users when they
    attempt to install a detected rooting application, no matter where it
    comes from. Additionally, Verify Apps attempts to identify and block
    installation of known malicious applications that exploit a privilege
    escalation vulnerability. If such an application has already been
    installed, Verify Apps will notify the user and attempt to remove the
    detected application.

    As appropriate, Google Hangouts and Messenger applications do not
    automatically pass media to processes such as Mediaserver.

Acknowledgements

We would like to thank these researchers for their contributions:

    Daniel Dakhno: CVE-2017-0420
    Daniel Micay of Copperhead Security: CVE-2017-0410
    Dzmitry Lukyanenka: CVE-2017-0414
    Frank Liberato of Chrome: CVE-2017-0409
    Gal Beniamini of Project Zero: CVE-2017-0411, CVE-2017-0412
    Gengjia Chen (@chengjia4574) and pjf of IceSword Lab, Qihoo 360
        Technology Co. Ltd.: CVE-2017-0434, CVE-2017-0446, CVE-2017-0447,
        CVE-2017-0432
    Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd.:
        CVE-2017-0415
    Hanxiang Wen, Wenke Dou, Mingjian Zhou (@Mingjian_Zhou), and Xuxian Jiang
        of C0RE Team: CVE-2017-0418
    Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd.:
        CVE-2017-0437, CVE-2017-0438, CVE-2017-0439, CVE-2016-8419,
        CVE-2016-8420, CVE-2016-8421, CVE-2017-0441, CVE-2017-0442,
        CVE-2016-8476, CVE-2017-0443
    Jeff Sharkey of Google: CVE-2017-0421, CVE-2017-0423
    Jeff Trim: CVE-2017-0422
    Jianqiang Zhao (@jianqiangzhao) and pjf of IceSword Lab, Qihoo 360:
        CVE-2017-0445
    ma.la and Nikolay Elenkov of LINE Corporation: CVE-2016-5552
    Max Spector of Google: CVE-2017-0416
    Mingjian Zhou (@Mingjian_Zhou), Yuqi Lu (@nikos233), and Xuxian Jiang of
        C0RE Team: CVE-2017-0425
    Qidan He (@flanker_hqd) and Di Shen (@returnsme) of KeenLab, Tencent:
        CVE-2017-0427
    Sagi Kedmi of IBM X-Force Research: CVE-2017-0433
    Scott Bauer (@ScottyBauer1) and Daniel Micay of Copperhead Security:
        CVE-2017-0405
    Seven Shen (@lingtongshen) of Trend Micro Mobile Threat Research Team:
        CVE-2017-0449, CVE-2016-8418
    Tong Lin, Yuan-Tsung Lo, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of
        C0RE Team: CVE-2017-0436, CVE-2016-8481, CVE-2017-0435
    V.E.O (@VYSEa) of Mobile Threat Response Team, Trend Micro: CVE-2017-0424
    Weichao Sun (@sunblate) of Alibaba Inc.: CVE-2017-0407
    Wenke Dou, Hongli Han, Mingjian Zhou (@Mingjian_Zhou), and Xuxian Jiang
        of C0RE Team: CVE-2017-0450
    Wenke Dou, Yuqi Lu (@nikos233), Mingjian Zhou (@Mingjian_Zhou), and
        Xuxian Jiang of C0RE Team: CVE-2017-0417
    Wish Wu (@wish_wu) of Ant-financial Light-Year Security Lab:
        CVE-2017-0408
    Yao Jun, Yuan-Tsung Lo, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of
        C0RE Team: CVE-2016-8480
    Yuan-Tsung Lo, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of C0RE Team:
        CVE-2017-0444
    Yuan-Tsung Lo, Tong Lin, Chiachih Wu (@chiachih_wu), and Xuxian Jiang of
        C0RE Team: CVE-2017-0428
    Yuan-Tsung Lo, Xiaodong Wang, Chiachih Wu (@chiachih_wu), and Xuxian
        Jiang of C0RE Team: CVE-2017-0448, CVE-2017-0429
    Zhen Zhou (@henices) and Zhixin Li of NSFocus: CVE-2017-0406

We would also like to thank the following for their contributions to this 
bulletin:

    Pengfei Ding, Chenfu Bao, and Lenx Wei of Baidu X-Lab

2017-02-01 security patch level - Vulnerability details

In the sections below, we provide details for each of the security
vulnerabilities listed in the 2017-02-01 security patch level - Vulnerability
summary above. There is a description of the issue, a severity rationale, and
a table with the CVE, associated references, severity, updated Google devices,
updated AOSP versions (where applicable), and date reported. When available,
we will link the public change that addressed the issue to the bug ID, like
the AOSP change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.

Remote code execution vulnerability in Surfaceflinger

A remote code execution vulnerability in Surfaceflinger could enable an
attacker using a specially crafted file to cause memory corruption during
media file and data processing. This issue is rated as Critical due to the
possibility of remote code execution within the context of the Surfaceflinger
process.

CVE            References      Severity  Updated Google devices  Updated AOSP versions  Date reported
CVE-2017-0405  A-31960359      Critical  All                     7.0, 7.1.1             Oct 4, 2016

Remote code execution vulnerability in Mediaserver

A remote code execution vulnerability in Mediaserver could enable an attacker
using a specially crafted file to cause memory corruption during media file
and data processing. This issue is rated as Critical due to the possibility of
remote code execution within the context of the Mediaserver process.

CVE            References      Severity  Updated Google devices  Updated AOSP versions   Date reported
CVE-2017-0406  A-32915871 [2]  Critical  All                     6.0, 6.0.1, 7.0, 7.1.1  Nov 14, 2016
CVE-2017-0407  A-32873375      Critical  All                     6.0, 6.0.1, 7.0, 7.1.1  Nov 12, 2016

Remote code execution vulnerability in libgdx

A remote code execution vulnerability in libgdx could enable an attacker using
a specially crafted file to execute arbitrary code in the context of an
unprivileged process. This issue is rated as High due to the possibility of
remote code execution in an application that uses this library.

CVE            References      Severity  Updated Google devices  Updated AOSP versions  Date reported
CVE-2017-0408  A-32769670      High      All                     7.1.1                  Nov 9, 2016

Remote code execution vulnerability in libstagefright

A remote code execution vulnerability in libstagefright could enable an
attacker using a specially crafted file to execute arbitrary code in the
context of an unprivileged process. This issue is rated as High due to the
possibility of remote code execution in an application that uses this library.

CVE            References      Severity  Updated Google devices  Updated AOSP versions   Date reported
CVE-2017-0409  A-31999646      High      All                     6.0, 6.0.1, 7.0, 7.1.1  Google internal

Elevation of privilege vulnerability in Java.Net

An elevation of privilege in the Java.Net library could enable malicious web
content to redirect a user to another website without explicit permission.
This issue is rated as High because it is a remote bypass of user interaction
requirements.

CVE            References      Severity  Updated Google devices  Updated AOSP versions  Date reported
CVE-2016-5552  A-31858037      High      All                     7.0, 7.1.1             Sep 30, 2016

Elevation of privilege vulnerability in Framework APIs

An elevation of privilege vulnerability in the Framework APIs could enable a
local malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as High because it could be used to
gain local access to elevated capabilities, which are not normally accessible
to a third-party application.

CVE            References      Severity  Updated Google devices  Updated AOSP versions                 Date reported
CVE-2017-0410  A-31929765      High      All                     5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Oct 2, 2016
CVE-2017-0411  A-33042690 [2]  High      All                     7.0, 7.1.1                            Nov 21, 2016
CVE-2017-0412  A-33039926 [2]  High      All                     7.0, 7.1.1                            Nov 21, 2016

Elevation of privilege vulnerability in Mediaserver

An elevation of privilege vulnerability in Mediaserver could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as High because it could be used to
gain local access to elevated capabilities, which are not normally accessible
to a third-party application.

CVE            References      Severity  Updated Google devices  Updated AOSP versions   Date reported
CVE-2017-0415  A-32706020      High      All                     6.0, 6.0.1, 7.0, 7.1.1  Nov 4, 2016

Elevation of privilege vulnerability in Audioserver

An elevation of privilege vulnerability in Audioserver could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as High because it could be used to
gain local access to elevated capabilities, which are not normally accessible
to a third-party application.

CVE            References      Severity  Updated Google devices  Updated AOSP versions                        Date reported
CVE-2017-0416  A-32886609 [2]  High      All                     4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Google internal
CVE-2017-0417  A-32705438      High      All                     4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Nov 7, 2016
CVE-2017-0418  A-32703959 [2]  High      All                     4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Nov 7, 2016
CVE-2017-0419  A-32220769      High      All                     4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Oct 15, 2016

Information disclosure vulnerability in AOSP Mail

An information disclosure vulnerability in AOSP Mail could enable a local
malicious application to bypass operating system protections that isolate
application data from other applications. This issue is rated as High because
it could be used to gain access to data that the application does not have
access to.

CVE            References      Severity  Updated Google devices  Updated AOSP versions                        Date reported
CVE-2017-0420  A-32615212      High      All                     4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Sep 12, 2016

Information disclosure vulnerability in AOSP Messaging

An information disclosure vulnerability in AOSP Messaging could enable a local
malicious application to bypass operating system protections that isolate
application data from other applications. This issue is rated as High because
it could be used to gain access to data that the application does not have
access to.

CVE            References      Severity  Updated Google devices  Updated AOSP versions   Date reported
CVE-2017-0413  A-32161610      High      All                     6.0, 6.0.1, 7.0, 7.1.1  Oct 13, 2016
CVE-2017-0414  A-32807795      High      All                     6.0, 6.0.1, 7.0, 7.1.1  Nov 10, 2016

Information disclosure vulnerability in Framework APIs

An information disclosure vulnerability in the Framework APIs could enable a
local malicious application to bypass operating system protections that
isolate application data from other applications. This issue is rated as High
because it could be used to gain access to data that the application does not
have access to.

CVE            References      Severity  Updated Google devices  Updated AOSP versions                 Date reported
CVE-2017-0421  A-32555637      High      All                     5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Google internal

Denial of service vulnerability in Bionic DNS

A denial of service vulnerability in Bionic DNS could enable a remote attacker
to use a specially crafted network packet to cause a device hang or reboot.
This issue is rated as High due to the possibility of remote denial of
service.

CVE            References      Severity  Updated Google devices  Updated AOSP versions                        Date reported
CVE-2017-0422  A-32322088      High      All                     4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1  Oct 20, 2016

Elevation of privilege vulnerability in Bluetooth																																																																																																																																																																																																																													
An elevation of privilege vulnerability in Bluetooth could enable a proximate attacker to manage access to documents on the device. 
This issue is rated as Moderate because it first requires exploitation of a separate vulnerability in the Bluetooth stack. 																																																																																																																																																																																																																													

CVE		References	Severity	Updated Google devices	Updated AOSP versions	Date reported																																																																																																																																																																																																																								
CVE-2017-0423	A-32612586	Moderate	All	5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1	Nov 2, 2016																																																																																																																																																																																																																								

Information disclosure vulnerability in AOSP Messaging																																																																																																																																																																																																																													
An information disclosure vulnerability in AOSP Messaging could enable a remote attacker using a specially crafted file to access data outside of its permission levels.
This issue is rated as Moderate because it is a general bypass for a user level defense in depth or exploit mitigation technology in a privileged process. 																																																																																																																																																																																																																													

CVE		References	Severity	Updated Google devices	Updated AOSP versions	Date reported																																																																																																																																																																																																																								
CVE-2017-0424	A-32322450	Moderate	All	6.0, 6.0.1, 7.0, 7.1.1			Oct 20, 2016																																																																																																																																																																																																																								

Information disclosure vulnerability in Audioserver																																																																																																																																																																																																																													
An information disclosure vulnerability in Audioserver could enable a local malicious application to access data outside of its permission levels. 
This issue is rated as Moderate because it could be used to access sensitive data without permission. 																																																																																																																																																																																																																													

CVE		References	Severity	Updated Google devices	Updated AOSP versions		Date reported																																																																																																																																																																																																																								
CVE-2017-0425	A-32720785	Moderate	All	4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1	Nov 7, 2016																																																																																																																																																																																																																								

Information disclosure vulnerability in Filesystem																																																																																																																																																																																																																													
An information disclosure vulnerability in the Filesystem could enable a local malicious application to access data outside of its permission levels. 
This issue is rated as Moderate because it could be used to access sensitive data without permission. 																																																																																																																																																																																																																													

CVE		References	Severity	Updated Google devices	Updated AOSP versions	Date reported																																																																																																																																																																																																																								
CVE-2017-0426	A-32799236 [2]	Moderate	All	7.0, 7.1.1				Google internal

2017-02-05 security patch level—Vulnerability details
																																																																																																																																																																																																																													
In the sections below, we provide details for each of the security vulnerabilities listed in the 2017-02-05 security patch level—Vulnerability summary above. 
There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Google devices, 
updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, 
like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.																																																																																																																																																																																																																													

Remote code execution vulnerability in Qualcomm crypto driver																																																																																																																																																																																																																													
A remote code execution vulnerability in the Qualcomm crypto driver could enable a remote attacker to execute arbitrary code within the context of the kernel. 
This issue is rated as Critical due to the possibility of remote code execution in the context of the kernel. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported																																																																																																																																																																																																																				
CVE-2016-8418					A-32652894	Critical	None*			Oct 10, 2016
						QC-CR#1077457

* Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Elevation of privilege vulnerability in kernel file system
An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices										Date reported																																																																																																																																																																																																												
CVE-2017-0427					A-31495866*	Critical	Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Pixel C, Nexus Player, Pixel, Pixel XL	Sep 13, 2016																																																																																																																																																																																																								

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in NVIDIA GPU driver
An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported																																																																																																																																																																																																				
CVE-2017-0428					A-32401526*	Critical	Nexus 9			Oct 25, 2016
						N-CVE-2017-0428
CVE-2017-0429					A-32636619*	Critical	Nexus 9			Nov 3, 2016
						N-CVE-2017-0429

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in kernel networking subsystem
An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported																																																																																																																																																																																								
CVE-2014-9914					A-32882659	Critical	Nexus 6, Nexus Player	Nov 9, 2016
						Upstream kernel

Elevation of privilege vulnerability in Broadcom Wi-Fi driver
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices					Date reported																																																																																																																																																																																
CVE-2017-0430					A-32838767*	Critical	Nexus 6, Nexus 6P, Nexus 9, Pixel C, Nexus Player	Google internal
						B-RB#107459

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Vulnerabilities in Qualcomm components
The following vulnerability affects Qualcomm components and is described in further detail in Qualcomm AMSS September 2016 security bulletin. 																																																																																																																																																																																																																													

CVE						References	Severity*	Updated Google devices		Date reported																																																																																																																																																																								
CVE-2017-0431					A-32573899**	Critical	None***			Qualcomm internal

* The severity rating for these vulnerabilities was determined by the vendor. 																																																																																																																																																																																																																													
** The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site. 																																																																																																																																																																																																																													
*** Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Elevation of privilege vulnerability in MediaTek driver
An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as High because it first requires compromising a privileged process. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported																																																																																																																																																																
CVE-2017-0432					A-28332719*	High		None**			Apr 21, 2016
						M-ALPS02708925

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.
** Supported Google devices on Android 7.0 or later that have installed all available updates are not affected by this vulnerability.

Elevation of privilege vulnerability in Synaptics touchscreen driver
An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. 
This issue is rated as High because it first requires compromising a privileged process. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices			Date reported																																																																																																																																																								
CVE-2017-0433					A-31913571*	High	Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL	Sep 8, 2016																																																																																																																																																				
CVE-2017-0434					A-33001936*	High	Pixel, Pixel XL					Nov 18, 2016																																																																																																																																																

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm Secure Execution Environment Communicator driver
An elevation of privilege vulnerability in the Qualcomm Secure Execution Environment Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
This issue is rated as High because it first requires compromising a privileged process. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices						Date reported																																																																																																																																												
CVE-2016-8480					A-31804432	High		Nexus 5X, Nexus 6, Nexus 6P, Android One, Pixel, Pixel XL	Sep 28, 2016
						QC-CR#1086186 [2]

Elevation of privilege vulnerability in Qualcomm sound driver																																																																																																																																																																																																																													
An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as High because it first requires compromising a privileged process. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices		Date reported																																																																																																																																				
CVE-2016-8481					A-31906415*	High	Nexus 5X, Nexus 6P, Pixel, Pixel XL	Oct 1, 2016
						QC-CR#1078000
CVE-2017-0435					A-31906657*	High	Nexus 5X, Nexus 6P, Pixel, Pixel XL	Oct 1, 2016
						QC-CR#1078000
CVE-2017-0436					A-32624661*	High	Nexus 5X, Nexus 6P, Pixel, Pixel XL	Nov 2, 2016
						QC-CR#1078000

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in Qualcomm Wi-Fi driver
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as High because it first requires compromising a privileged process. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported																																																																																																																				
CVE-2017-0437					A-32402310	High	Nexus 5X, Pixel, Pixel XL	Oct 25, 2016
						QC-CR#1092497
CVE-2017-0438					A-32402604	High	Nexus 5X, Pixel, Pixel XL	Oct 25, 2016
						QC-CR#1092497
CVE-2017-0439					A-32450647	High	Nexus 5X, Pixel, Pixel XL	Oct 25, 2016
						QC-CR#1092059
CVE-2016-8419					A-32454494	High	Nexus 5X, Pixel, Pixel XL	Oct 26, 2016
						QC-CR#1087209
CVE-2016-8420					A-32451171	High	Nexus 5X, Pixel, Pixel XL	Oct 26, 2016
						QC-CR#1087807
CVE-2016-8421					A-32451104	High	Nexus 5X, Pixel, Pixel XL	Oct 26, 2016
						QC-CR#1087797
CVE-2017-0440					A-33252788	High	Nexus 5X, Pixel, Pixel XL	Nov 11, 2016
						QC-CR#1095770
CVE-2017-0441					A-32872662	High	Nexus 5X, Pixel, Pixel XL	Nov 11, 2016
						QC-CR#1095009
CVE-2017-0442					A-32871330	High	Nexus 5X, Pixel, Pixel XL	Nov 13, 2016
						QC-CR#1092497
CVE-2017-0443					A-32877494	High	Nexus 5X, Pixel, Pixel XL	Nov 13, 2016
						QC-CR#1092497
CVE-2016-8476					A-32879283	High	Nexus 5X, Pixel, Pixel XL	Nov 14, 2016
						QC-CR#1091940

Elevation of privilege vulnerability in Realtek sound driver																																																																																																																																																																																																																													
An elevation of privilege vulnerability in the Realtek sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as High because it first requires compromising a privileged process. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported
CVE-2017-0444					A-32705232*	High	Nexus 9	Nov 7, 2016

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Elevation of privilege vulnerability in HTC touchscreen driver
An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. 
This issue is rated as High because it first requires compromising a privileged process. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported																																																												
CVE-2017-0445					A-32769717*	High		Pixel, Pixel XL		Nov 9, 2016
CVE-2017-0446					A-32917445*	High		Pixel, Pixel XL		Nov 15, 2016																																																				
CVE-2017-0447					A-32919560*	High		Pixel, Pixel XL		Nov 15, 2016																																																

* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the Google Developer site.

Information disclosure vulnerability in NVIDIA video driver
An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels. 
This issue is rated as High because it could be used to access sensitive data without explicit user permission. 																																																																																																																																																																																																																													

CVE						References	Severity	Updated Google devices	Date reported																																												
CVE-2017-0448					"A-32721029*	High		Nexus 			9 Nov 7, 2016
						N-CVE-2017-0448"																																								

* The patch for this issue is not publicly available. The update is contained
  in the latest binary drivers for Nexus devices available from the Google
  Developer site.

Elevation of privilege vulnerability in Broadcom Wi-Fi driver

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could
enable a local malicious application to execute arbitrary code within the
context of the kernel. This issue is rated as Moderate because it first
requires compromising a privileged process and is mitigated by current
platform configurations.

CVE            References   Severity  Updated Google devices  Date reported
CVE-2017-0449  A-31707909*  Moderate  Nexus 6, Nexus 6P       Sep 23, 2016
               B-RB#32094

* The patch for this issue is not publicly available. The update is contained
  in the latest binary drivers for Nexus devices available from the Google
  Developer site.

Elevation of privilege vulnerability in Audioserver

An elevation of privilege vulnerability in Audioserver could enable a local
malicious application to execute arbitrary code within the context of a
privileged process. This issue is rated as Moderate because it is mitigated
by current platform configurations.

CVE            References   Severity  Updated Google devices  Date reported
CVE-2017-0450  A-32917432*  Moderate  Nexus 9                 Nov 15, 2016

* The patch for this issue is not publicly available. The update is contained
  in the latest binary drivers for Nexus devices available from the Google
  Developer site.

Elevation of privilege vulnerability in kernel file system

An elevation of privilege vulnerability in the kernel file system could
enable a local malicious application to bypass protections that prevent an
escalation of privileges. This issue is rated as Moderate because it is a
general bypass for a user level defense in depth or exploit mitigation
technology.

CVE             References   Severity  Updated Google devices          Date reported
CVE-2016-10044  A-31711619*  Moderate  Nexus 5X, Nexus 6, Nexus 6P,    Google internal
                                       Nexus 9, Android One, Pixel C,
                                       Nexus Player, Pixel, Pixel XL

* The patch for this issue is not publicly available. The update is contained
  in the latest binary drivers for Nexus devices available from the Google
  Developer site.

Information disclosure vulnerability in Qualcomm Secure Execution Environment
Communicator

An information disclosure vulnerability in the Qualcomm Secure Execution
Environment Communicator could enable a local malicious application to access
data outside of its permission levels. This issue is rated as Moderate
because it first requires compromising a privileged process.

CVE            References     Severity  Updated Google devices         Date reported
CVE-2016-8414  A-31704078     Moderate  Nexus 5X, Nexus 6P,            Sep 23, 2016
               QC-CR#1076407            Android One, Pixel, Pixel XL

Information disclosure vulnerability in Qualcomm sound driver

An information disclosure vulnerability in the Qualcomm sound driver could
enable a local malicious application to access data outside of its permission
levels. This issue is rated as Moderate because it first requires
compromising a privileged process.

CVE            References         Severity  Updated Google devices         Date reported
CVE-2017-0451  A-31796345         Moderate  Nexus 5X, Nexus 6P,            Sep 27, 2016
               QC-CR#1073129 [2]            Android One, Pixel, Pixel XL

Common Questions and Answers

This section answers common questions that may occur after reading this 
bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, read the instructions 
on the Pixel and Nexus update schedule.

  * Security patch levels of 2017-02-01 or later address all issues
    associated with the 2017-02-01 security patch level.
  * Security patch levels of 2017-02-05 or later address all issues
    associated with the 2017-02-05 security patch level and all previous
    patch levels.

Device manufacturers that include these updates should set the patch string 
level to:

    [ro.build.version.security_patch]:[2017-02-01]
    [ro.build.version.security_patch]:[2017-02-05]
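
The check described in question 1, as an added example that is not part of
the original bulletin: a shell function that takes a device's patch string
(for instance the output of "adb shell getprop
ro.build.version.security_patch") and reports which of this bulletin's two
levels it satisfies. The function names and the sample readings are
constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a device against this bulletin's two patch levels.
PARTIAL_LEVEL="2017-02-01"   # from the bulletin
FULL_LEVEL="2017-02-05"      # from the bulletin

# Print the YYYY-MM-DD value from either a bare property value or a
# "[ro.build.version.security_patch]:[value]" line; return 1 if malformed.
extract_patch_level() {
    line=$(printf '%s' "$1" | tr -d '\r')      # adb output may carry CRs
    case "$line" in
        "[ro.build.version.security_patch]:"*)
            value=${line#*"]:"}                # drop the key
            value=${value# }                   # getprop dumps add a space
            value=${value#"["}
            value=${value%"]"}
            ;;
        *) value=$line ;;
    esac
    case "$value" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$value" ;;
        *) return 1 ;;
    esac
}

# ISO dates order correctly as integers once the dashes are removed.
as_number() { printf '%s' "$1" | tr -d '-'; }

# Print full | partial | outdated | unknown for one device reading.
classify_patch_level() {
    level=$(extract_patch_level "$1") || { echo unknown; return 0; }
    n=$(as_number "$level")
    if [ "$n" -ge "$(as_number "$FULL_LEVEL")" ]; then
        echo full        # 2017-02-05 issues and all previous levels
    elif [ "$n" -ge "$(as_number "$PARTIAL_LEVEL")" ]; then
        echo partial     # only the 2017-02-01 issues
    else
        echo outdated    # predates both levels in this bulletin
    fi
}

# Constructed sample readings (not taken from real devices).
for reading in "2017-02-05" "[ro.build.version.security_patch]:[2017-02-01]" \
               "[ro.build.version.security_patch]: [2017-01-05]" "2017-03-01" ""; do
    printf '%-50s %s\n' "$reading" "$(classify_patch_level "$reading")"
done
```

A "partial" result means the device still lacks the fixes tied to the
2017-02-05 level.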

2. Why does this bulletin have two security patch levels?

This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all 
Android devices more quickly. Android partners are encouraged to fix all 
issues in this bulletin and use the latest security patch level.

  * Devices that use the January 1, 2017 security patch level must include
    all issues associated with that security patch level, as well as fixes
    for all issues reported in previous security bulletins.
  * Devices that use the security patch level of January 5, 2017 or newer
    must include all applicable patches in this (and previous) security
    bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.

3. How do I determine which Google devices are affected by each issue?

In the 2017-02-01 and 2017-02-05 security vulnerability details sections, each
table has an Updated Google devices column that covers the range of affected 
Google devices updated for each issue. This column has a few options:

  * All Google devices: If an issue affects All and Pixel devices, the table
    will have "All" in the Updated Google devices column. "All" encapsulates
    the following supported devices: Nexus 5X, Nexus 6, Nexus 6P,
    Nexus 7 (2013), Nexus 9, Android One, Nexus Player, Pixel C, Pixel, and
    Pixel XL.
  * Some Google devices: If an issue doesn't affect all Google devices, the
    affected Google devices are listed in the Updated Google devices column.
  * No Google devices: If no Google devices running Android 7.0 are affected
    by the issue, the table will have "None" in the Updated Google devices
    column.

4. What do the entries in the references column map to?

Entries under the References column of the vulnerability details table may 
contain a prefix identifying the organization to which the reference value 
belongs. These prefixes map as follows:

Prefix  Reference
A-      Android bug ID
QC-     Qualcomm reference number
M-      MediaTek reference number
N-      NVIDIA reference number
B-      Broadcom reference number

Revisions

  * February 06, 2017: Bulletin published.
  * February 08, 2017: Bulletin revised to include AOSP links.

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----