Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0311
Multiple vulnerabilities have been identified in the Android
Operatin System
5 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Android
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Existing Account
Access Privileged Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11833 CVE-2019-10571 CVE-2019-10559
CVE-2019-10545 CVE-2019-10511 CVE-2019-10493
CVE-2019-10485 CVE-2019-10484 CVE-2019-2338
CVE-2019-2337 CVE-2019-2321 CVE-2019-2320
CVE-2019-2319 CVE-2019-2310 CVE-2019-2288
CVE-2019-2233 CVE-2019-2215 CVE-2019-2214
CVE-2019-2213 CVE-2019-2212 CVE-2019-2211
CVE-2019-2209 CVE-2019-2208 CVE-2019-2207
CVE-2019-2206 CVE-2019-2205 CVE-2019-2204
CVE-2019-2203 CVE-2019-2202 CVE-2019-2201
CVE-2019-2199 CVE-2019-2198 CVE-2019-2197
CVE-2019-2196 CVE-2019-2195 CVE-2019-2193
CVE-2019-2192 CVE-2019-2036
Member content until: Thursday, December 5 2019
Reference: ESB-2019.3590
ESB-2019.3335
ESB-2019.3313
ESB-2019.3109
ESB-2019.2974
ESB-2019.2968
ESB-2019.2804
OVERVIEW
Multiple vulnerabilities have been identified in Android prior to
patch level 2019-11-05. [1]
IMPACT
Android has provided the following information about these vulnerabilities:
"The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of 2019-11-05 or later address
all of these issues. To learn how to check a device's security patch level, see
Check and update your Android version.
Android partners are notified of all issues at least a month before
publication. Source code patches for these issues will be released to the
Android Open Source Project (AOSP) repository in the next 48 hours. We will
revise this bulletin with the AOSP links when they are available.
The most severe of these issues is a critical security vulnerability in the
System component that could enable a remote attacker using a specially crafted
file to execute arbitrary code within the context of a privileged process. The
severity assessment is based on the effect that exploiting the vulnerability
would possibly have on an affected device, assuming the platform and service
mitigations are turned off for development purposes or if successfully
bypassed.
Refer to the Android and Google Play Protect mitigations section for details on
the Android security platform protections and Google Play Protect, which
improve the security of the Android platform.
Note: Information on the latest over-the-air update (OTA) and firmware images
for Google devices is available in the November 2019 Pixel Update Bulletin.
Android and Google service mitigations
This is a summary of the mitigations provided by the Android security platform
and service protections such as Google Play Protect. These capabilities reduce
the likelihood that security vulnerabilities could be successfully exploited on
Android.
o Exploitation for many issues on Android is made more difficult by
enhancements in newer versions of the Android platform. We encourage all
users to update to the latest version of Android where possible.
o The Android security team actively monitors for abuse through Google Play
Protect and warns users about Potentially Harmful Applications. Google Play
Protect is enabled by default on devices with Google Mobile Services, and
is especially important for users who install apps from outside of Google
Play.
2019-11-01 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2019-11-01 patch level. Vulnerabilities are
grouped under the component that they affect. Issues are described in the
tables below and include CVE ID, associated references, type of vulnerability,
severity, and updated AOSP versions (where applicable). When available, we link
the public change that addressed the issue to the bug ID, like the AOSP change
list. When multiple changes relate to a single bug, additional references are
linked to numbers following the bug ID. Devices with Android 10 and later may
receive security updates as well as Google Play system updates.
Framework
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2019-2192 A-138441555 EoP High 9, 10
CVE-2019-2193 A-132261064 EoP High 8.0, 8.1, 9, 10
CVE-2019-2195 A-139186193 EoP High 8.0, 8.1, 9, 10
CVE-2019-2199 A-138650665 EoP High 10
CVE-2019-2211 A-135269669 ID High 8.0, 8.1, 9, 10
CVE-2019-2197 A-138529441 ID High 8.0, 8.1, 9, 10
Library
The vulnerability in this section could enable a remote attacker using a
specially crafted file to execute arbitrary code within the context of an
unprivileged process.
CVE References Type Severity Updated AOSP versions
CVE-2019-2201 A-120551338 RCE High 8.0, 8.1, 9, 10
Media framework
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2019-2202 A-137283376 EoP High 9, 10
CVE-2019-2203 A-137370777 EoP High 8.0, 8.1, 9, 10
System
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2019-2204 A-138442295 RCE Critical 9
CVE-2019-2205 A-139806216 RCE Critical 8.0, 8.1, 9, 10
CVE-2019-2206 A-139188579 RCE Critical 8.0, 8.1, 9, 10
CVE-2019-2233 A-140486529 EoP High 10
CVE-2019-2207 A-124524315 EoP High 8.0, 8.1, 9, 10
CVE-2019-2212 A-139690488 ID High 8.0, 8.1, 9, 10
CVE-2019-2208 A-138441919 ID High 9
CVE-2019-2209 A-139287605 ID High 8.0, 8.1, 9, 10
Google Play system updates
There are no security issues addressed in Google Play system updates this
month.
2019-11-05 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2019-11-05 patch level. Vulnerabilities are
grouped under the component they affect and include details such as the CVE,
associated references, type of vulnerability, severity, component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, such as the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.
Framework
The most severe vulnerability in this section could enable a local malicious
application to bypass operating system protections that isolate application
data from other applications.
CVE References Type Severity Updated AOSP versions
CVE-2019-2196 A-135269143 ID High 8.0, 8.1, 9, 10
CVE-2019-2198 A-135270103 ID High 8.0, 8.1, 9, 10
System
The vulnerability in this section could enable a remote attacker using a
specially crafted transmission to gain access to additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2019-2036 A-79703832 EoP High 8.0, 8.1, 9, 10
Kernel components
The most severe vulnerability in this section could enable a local attacker to
execute arbitrary code within the context of a privileged process.
CVE References Type Severity Component
CVE-2019-2213 A-133758011 EoP High binder driver
Upstream kernel
CVE-2019-2214 A-136210786 EoP High binder driver
Upstream kernel
CVE-2019-2215 A-141720095 EoP High binder driver
Upstream kernel
CVE-2019-11833 A-133041647 ID Moderate ext4 filesystem
Upstream kernel
Qualcomm components
These vulnerabilities affect Qualcomm components and are described in further
detail in the appropriate Qualcomm security bulletin or security alert. The
severity assessment of these issues is provided directly by Qualcomm.
CVE References Type Severity Component
CVE-2019-2310 A-78906648 N/A High Wi-Fi
QC-CR#2253243
CVE-2019-10545 A-138940225 N/A High Graphics driver
QC-CR#2353418
CVE-2019-10571 A-138940226 N/A High Graphics driver
QC-CR#2363085
Qualcomm closed-source components
These vulnerabilities affect Qualcomm closed-source components and are
described in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided directly by
Qualcomm.
CVE References Type Severity Component
CVE-2019-10493 A-132108736* N/A Critical Closed-source component
CVE-2019-10511 A-132097484* N/A Critical Closed-source component
CVE-2019-2288 A-132108853* N/A Critical Closed-source component
CVE-2019-2320 A-132108539* N/A Critical Closed-source component
CVE-2019-2321 A-132108927* N/A Critical Closed-source component
CVE-2019-10484 A-132108752* N/A High Closed-source component
CVE-2019-10485 A-132108463* N/A High Closed-source component
CVE-2019-2319 A-132107963* N/A High Closed-source component
CVE-2019-2337 A-132108895* N/A High Closed-source component
CVE-2019-2338 A-132108464* N/A High Closed-source component
CVE-2019-10559 A-137030660* N/A High Closed-source component
Common questions and answers
This section answers common questions that may occur after reading this
bulletin.
1. How do I determine if my device is updated to address these issues-
To learn how to check a device's security patch level, see Check and update
your Android version.
o Security patch levels of 2019-11-01 or later address all issues associated
with the 2019-11-01 security patch level.
o Security patch levels of 2019-11-05 or later address all issues associated
with the 2019-11-05 security patch level and all previous patch levels.
Device manufacturers that include these updates should set the patch string
level to:
o [ro.build.version.security_patch]:[2019-11-01]
o [ro.build.version.security_patch]:[2019-11-05]
For some devices on Android 10 or later, the Google Play system update will
have a date string that matches the 2019-11-01 security patch level. Please see
this article for more details on how to install security updates.
2. Why does this bulletin have two security patch levels-
This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.
o Devices that use the 2019-11-01 security patch level must include all
issues associated with that security patch level, as well as fixes for all
issues reported in previous security bulletins.
o Devices that use the security patch level of 2019-11-05 or newer must
include all applicable patches in this (and previous) security bulletins.
Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.
3. What do the entries in the Type column mean-
Entries in the Type column of the vulnerability details table reference the
classification of the security vulnerability.
Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available
4. What do the entries in the References column mean-
Entries under the References column of the vulnerability details table may
contain a prefix identifying the organization to which the reference value
belongs.
Prefix Reference
A- Android bug ID
QC- Qualcomm reference number
M- MediaTek reference number
N- NVIDIA reference number
B- Broadcom reference number
5. What does an * next to the Android bug ID in the References column mean-
Issues that are not publicly available have an * next to the Android bug ID in
the References column. The update for that issue is generally contained in the
latest binary drivers for Pixel devices available from the Google Developer
site.
6. Why are security vulnerabilities split between this bulletin and device /
partner security bulletins, such as the Pixel bulletin-
Security vulnerabilities that are documented in this security bulletin are
required to declare the latest security patch level on Android devices.
Additional security vulnerabilities that are documented in the device / partner
security bulletins are not required for declaring a security patch level.
Android device and chipset manufacturers may also publish security
vulnerability details specific to their products, such as Google, Huawei, LGE,
Motorola, Nokia, or Samsung.
Versions
Version Date Notes
1.0 November 04, 2019 Bulletin published" [1]
MITIGATION
Android users are advised to update to the latest release available
to address these vulnerabilities. [1]
REFERENCES
[1] Android Security Bulletin - November 2019
https://source.android.com/security/bulletin/2019-11-01.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXcDrJ2aOgq3Tt24GAQjMPQ//d4qB47dSUQO2rrMNZ0mLMapFCadBXgCM
+udCRJ9jrb1Nw2I6LP/FZPE8gJrlPPCDATOU/96bsordIfFYTYA7IzkMRLV/xXFC
51ZMdJM9a3i6Y3WWONG98rkybcSYzOc3e4frfe4eDgBFWxI86zvJZHMPyL8j/cTh
zbnJqoNkuWFrJpa00FfyaQrLJG3G7zwAfccXkkcRLuOuVNA1DnwOYgj+JPjvtS4N
UqJRwXNW9W8ShNcT+kI1ZgBgrZjXhKFcNojjKAci2ttCgEfdVrNHzSSPWRJ/mC5R
JnVui/UlHZh57DWTxPfI0N57EZUYZyv4xFZ6ytBGOXnYMuyevewLBwnOaHWDMesg
HgFj+efs9i/BGfr6CaRZGTdPjSNAaUEs1pz5IU3fyO5iK/riwptI1EgjHhN0KGhl
cE4WcCHmDBMk7ygiBdsfoeGiE8PR5uL3+C+QPHt1jpdz5E54HV7UkjXKwvIt6Srp
/J9CI1Fa9nu4TpPLT0TZQkyW5uG1awi7FuBN3LaeMgQGUxGq7wiCmXkjB90w7Rz4
YjVHisDkGmhDOqRSxeIKXq1SSV9OSKgnt0Q0WGbw+5CZHf3Ol6UUJnLTDjnJ68fa
bOfYu3nuia/P/qtB453g5mv/aBjOFY0XV9BnWMcQrYpXEbA/YKnC8J2yPVC2jWlp
WClf0Rn4Vx0=
=3QcM
-----END PGP SIGNATURE-----