Operating System:

[Android]

Published:

07 January 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0002
                 Android security update for January 2020
                              7 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Android
Operating System:     Android
Impact/Access:        Administrator Compromise        -- Existing Account   
                      Increased Privileges            -- Existing Account   
                      Execute Arbitrary Code/Commands -- Console/Physical   
                      Access Confidential Data        -- Existing Account   
                      Reduced Security                -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-0009 CVE-2020-0008 CVE-2020-0007
                      CVE-2020-0006 CVE-2020-0004 CVE-2020-0003
                      CVE-2020-0002 CVE-2020-0001 CVE-2019-17666
                      CVE-2019-15214 CVE-2019-14036 CVE-2019-14034
                      CVE-2019-14024 CVE-2019-14023 CVE-2019-14017
                      CVE-2019-14016 CVE-2019-14014 CVE-2019-14013
                      CVE-2019-14010 CVE-2019-14008 CVE-2019-14006
                      CVE-2019-14005 CVE-2019-14004 CVE-2019-14003
                      CVE-2019-14002 CVE-2019-10611 CVE-2019-10606
                      CVE-2019-10602 CVE-2019-10585 CVE-2019-10583
                      CVE-2019-10582 CVE-2019-10581 CVE-2019-10579
                      CVE-2019-10578 CVE-2019-10558 CVE-2019-10548
                      CVE-2019-10532 CVE-2019-2267 CVE-2018-20856
                      CVE-2018-11843  
Member content until: Thursday, February  6 2020
Reference:            ESB-2019.4676
                      ESB-2019.3846
                      ESB-2019.3084

OVERVIEW

        Android patch level 2020-01-05 has been released,
        including fixes for multiple critical vulnerabilities. [1]


IMPACT

        Google has provided the following information on the vulnerabilities
        fixed in this patch level:
        
        "Framework
        
        The most severe vulnerability in this section could enable a local malicious
        application to bypass user interaction requirements in order to gain access to
        additional permissions.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2020-0001 A-140055304 EoP  Moderate 10
        			  EoP  High     8.0, 8.1, 9
        CVE-2020-0003 A-140195904 EoP  High     8.0
        CVE-2020-0004 A-120847476 DoS  High     8.0, 8.1, 9, 10
        
        Media framework
        
        The vulnerability in this section could enable a remote attacker using a
        specially crafted file to execute arbitrary code within the context of a
        privileged process.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2020-0002 A-142602711 RCE  Moderate 10
        			  RCE  Critical 8.0, 8.1, 9
        
        System
        
        The most severe vulnerability in this section could lead to remote information
        disclosure with no additional execution privileges needed.
        
             CVE      References  Type Severity Updated AOSP versions
        CVE-2020-0006 A-139738828 ID   High     8.0, 8.1, 9, 10
        CVE-2020-0007 A-141890807 ID   High     8.0, 8.1, 9, 10
        CVE-2020-0008 A-142558228 ID   High     8.0, 8.1, 9, 10
        
        Google Play system updates
        
        The following issue is included in Project Mainline components.
        
         Component        CVE
        Media codecs CVE-2020-0002
        
        2020-01-05 security patch level vulnerability details
        
        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2020-01-05 patch level. Vulnerabilities are
        grouped under the component they affect and include details such as the CVE,
        associated references, type of vulnerability , severity , component (where
        applicable), and updated AOSP versions (where applicable). When available, we
        link the public change that addressed the issue to the bug ID, such as the AOSP
        change list. When multiple changes relate to a single bug, additional
        references are linked to numbers following the bug ID.
        
        Kernel components
        
        The most severe vulnerability in this section could enable a proximate attacker
        using a specially crafted transmission to execute arbitrary code within the
        context of a privileged process.
        
             CVE         References    Type Severity       Component
        CVE-2019-17666 A-142967706     RCE  Critical Realtek rtlwifi driver
        	       Upstream kernel
        CVE-2018-20856 A-138921316     EoP  High     Kernel
        	       Upstream kernel
        CVE-2019-15214 A-140920734     EoP  High     Sound subsystem
        	       Upstream kernel
        CVE-2020-0009  A-142938932 *   EoP  High     ashmem
        
        Qualcomm components
        
        These vulnerabilities affect Qualcomm components and are described in further
        detail in the appropriate Qualcomm security bulletin or security alert. The
        severity assessment of these issues is provided directly by Qualcomm.
        
             CVE              References         Type Severity Component
        CVE-2018-11843 A-111126051               N/A  High     WLAN host
        	       QC-CR#2216751
        CVE-2019-10558 A-142268223               N/A  High     Kernel
        	       QC-CR#2355428
        CVE-2019-10581 A-142267478               N/A  High     Audio
        	       QC-CR#2451619
        CVE-2019-10585 A-142267685               N/A  High     Kernel
        	       QC-CR#2457975
        CVE-2019-10602 A-142270161               N/A  High     Display
        	       QC-CR#2165926 [ 2 ]
        CVE-2019-10606 A-142269492               N/A  High     Kernel
        	       QC-CR#2192810 [ 2 ]
        CVE-2019-14010 A-142269847               N/A  High     Audio
        	       QC-CR#2465851 [ 2 ]
        CVE-2019-14023 A-142270139               N/A  High     Kernel
        	       QC-CR#2493328
        CVE-2019-14024 A-142269993               N/A  High     NFC
        	       QC-CR#2494103
        CVE-2019-14034 A-142270258               N/A  High     Camera
        	       QC-CR#2491649 [ 2 ] [ 3 ]
        CVE-2019-14036 A-142269832               N/A  High     WLAN host
        	       QC-CR#2200862
        
        Qualcomm closed-source components
        
        These vulnerabilities affect Qualcomm closed-source components and are
        described in further detail in the appropriate Qualcomm security bulletin or
        security alert. The severity assessment of these issues is provided directly by
        Qualcomm.
        
             CVE        References   Type Severity        Component
        CVE-2019-2267  A-132108182 * N/A  High     Closed-source component
        CVE-2019-10548 A-137030896 * N/A  High     Closed-source component
        CVE-2019-10532 A-142271634 * N/A  High     Closed-source component
        CVE-2019-10578 A-142268949 * N/A  High     Closed-source component
        CVE-2019-10579 A-142271692 * N/A  High     Closed-source component
        CVE-2019-10582 A-130574302 * N/A  High     Closed-source component
        CVE-2019-10583 A-131180394 * N/A  High     Closed-source component
        CVE-2019-10611 A-142271615 * N/A  High     Closed-source component
        CVE-2019-14002 A-142271274 * N/A  High     Closed-source component
        CVE-2019-14003 A-142271498 * N/A  High     Closed-source component
        CVE-2019-14004 A-142271848 * N/A  High     Closed-source component
        CVE-2019-14005 A-142271965 * N/A  High     Closed-source component
        CVE-2019-14006 A-142271827 * N/A  High     Closed-source component
        CVE-2019-14008 A-142271609 * N/A  High     Closed-source component
        CVE-2019-14013 A-142271944 * N/A  High     Closed-source component
        CVE-2019-14014 A-142270349 * N/A  High     Closed-source component
        CVE-2019-14016 A-142270646 * N/A  High     Closed-source component
        CVE-2019-14017 A-142271515 * N/A  High     Closed-source component"
        [1]


MITIGATION

        Google advises updating Android devices to the 2020-01-05
        patch level or later to address these vulnerabilities.
        
        Please check with your device manufacturer for an estimation
        of when they'll release a version of the OS at this patch level. [1]


REFERENCES

        [1] Android Security Bulletin - January 2020
            https://source.android.com/security/bulletin/2020-01-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXhQcLmaOgq3Tt24GAQjSxRAAsHq+dlAKmnGLarZlYgJejtWccbEInt/+
KxD3m5m4GecxwLXMa3BuHnkAFZ0Qqo2mfHDAWMKcwaPm464MRd755HR4Fizc534E
VZBzua5Lu5JB3Lp4nCM/q3gRa5sQMchLSu7BEEzEK0vzxTGwyCDyip//cZ0Hr2R4
GOZFX/HS48dVOY1s57kv2KkMiD0OkIoKyTt8egGd8RiE7/YhdGw1Arc6pX028oFN
+RpnR8WOpVr+ULWQYgliBXeQf5/Z11kvQ9E6E4ooj662LfP/Ync3eFWMCTcWlTsI
pUPgS0mZrIleCsgTBQlf0O8TbZbJNQfK6Gej9xlacxUgoBS1DkSjVq9iMGzSivxW
2fXPz55YlDxcBfywG9/iks/n/hnFao+4q64GF53d4xbIc/MeGbhyG9JMtrx+QCoE
oQ9wVKgOdEK6ZBMB2g9LhRlGKm0l3fupAf3INRLIUyI9FK74Yi4m/9EFYmUb+GYD
y8b5uW5jk1homVWi+c3278SJfOjmangyxkeVQ66Uok/493zLzXxEXJWEryAg6FPn
RGjwjGgc8ROdPfWh2/uaSjyu0OX2KS/SL1OC4vWYaj5Fi3SbVBCOtzm5weuPAytD
Hs2fOAJhj1nHVsQG0iN2ykWRmCHx/NLKfIOUrqS7wDKQLtMqCzgjuZ8yPyhdk+af
6XT1eIdmA/c=
=Qhkb
-----END PGP SIGNATURE-----