Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2020.0051 Android Security Bulletin - March 2020 5 March 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Android Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Existing Account Denial of Service -- Existing Account Access Confidential Data -- Existing Account Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-0069 CVE-2020-0044 CVE-2020-0043 CVE-2020-0042 CVE-2020-0041 CVE-2020-0040 CVE-2020-0039 CVE-2020-0038 CVE-2020-0037 CVE-2020-0036 CVE-2020-0035 CVE-2020-0034 CVE-2020-0033 CVE-2020-0032 CVE-2020-0031 CVE-2020-0029 CVE-2020-0012 CVE-2020-0011 CVE-2020-0010 CVE-2019-19537 CVE-2019-19527 CVE-2019-14098 CVE-2019-14097 CVE-2019-14095 CVE-2019-14086 CVE-2019-14085 CVE-2019-14083 CVE-2019-14082 CVE-2019-14081 CVE-2019-14079 CVE-2019-14072 CVE-2019-14071 CVE-2019-14068 CVE-2019-14061 CVE-2019-14050 CVE-2019-14048 CVE-2019-14045 CVE-2019-14032 CVE-2019-14031 CVE-2019-14030 CVE-2019-14029 CVE-2019-14028 CVE-2019-14027 CVE-2019-14026 CVE-2019-14015 CVE-2019-14000 CVE-2019-10616 CVE-2019-10612 CVE-2019-10604 CVE-2019-10603 CVE-2019-10594 CVE-2019-10593 CVE-2019-10591 CVE-2019-10587 CVE-2019-10586 CVE-2019-10577 CVE-2019-10569 CVE-2019-10554 CVE-2019-10553 CVE-2019-10552 CVE-2019-10550 CVE-2019-10549 CVE-2019-10546 CVE-2019-10526 CVE-2019-2317 CVE-2019-2311 CVE-2019-2300 CVE-2019-2194 CVE-2018-11970 CVE-2018-11838 Member content until: Friday, April 3 2020 Reference: https://source.android.com/security/bulletin/2020-03-01 OVERVIEW Android patch level 2020-03-05 has been released, including fixes for multiple critical vulnerabilities. Google state that "The most severe of these issues is a critical security vulnerability in themedia framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed."[1] IMPACT Google has provided the following information on the vulnerabilities fixed in this patch level: "2020-03-01 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-03-01 patch level. Vulnerabilities are grouped under the component that they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability , severity , and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates . Framework The vulnerability in this section could enable a local malicious application to bypass operating system protections that isolate application data from other applications. CVE References Type Severity Updated AOSP versions CVE-2020-0031 A-141703197 ID High 10 Media framework The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2020-0032 A-145364230 RCE Critical 8.0, 8.1, 9, 10 CVE-2020-0033 A-144351324 EoP High 8.0, 8.1, 9, 10 CVE-2020-0034 A-62458770 ID High 8.0, 8.1 System The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. CVE References Type Severity Updated AOSP versions CVE-2020-0036 A-144679405 EoP High 8.0, 8.1, 9, 10 CVE-2019-2194 A-137284057 EoP High 9 CVE-2020-0035 A-140622024 ID High 8.0, 8.1, 9 CVE-2020-0029 A-140065828 ID High 10 CVE-2020-0037 A-143106535 ID High 8.0, 8.1, 9, 10 CVE-2020-0038 A-143109193 ID High 8.0, 8.1, 9, 10 CVE-2020-0039 A-143155861 ID High 8.0, 8.1, 9, 10 Google Play system updates The following issue is included in Project Mainline components. Component CVE Media codecs CVE-2020-0032 2020-03-05 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-03-05 patch level. Vulnerabilities are grouped under the component they affect and include details such as the CVE, associated references, type of vulnerability , severity , component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. System The vulnerability in the following sections could enable a local attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2019-2194 A-137284057 EoP High 9 Kernel components The most severe vulnerability in this section could enable a local attacker using a specially crafted USB device to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2019-19527 A-146257915 EoP High USB Upstream kernel [ 2 ] CVE-2019-19537 A-146258055 EoP High USB Upstream kernel CVE-2020-0040 A-143009752 EoP High Networking Upstream kernel CVE-2020-0041 A-145988638 EoP High Binder Upstream kernel FPC components The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. CVE References Type Severity Component CVE-2020-0010 A-137014293 * EoP High FPC Fingerprint TEE CVE-2020-0011 A-137648045 * EoP High FPC Fingerprint TEE CVE-2020-0012 A-137648844 * EoP High FPC Fingerprint TEE CVE-2020-0042 A-137649599 * ID Moderate FPC Fingerprint TEE CVE-2020-0043 A-137650218 * ID Moderate FPC Fingerprint TEE CVE-2020-0044 A-137650219 * ID Moderate FPC Fingerprint TEE MediaTek components CVE References Type Severity Component CVE-2020-0069 A-147882143 * EoP High Mediatek Command Queue driver M-ALPS04356754 Qualcomm components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2019-14079 A-138848422 N/A High USB QC-CR#2521001 CVE-2018-11838 A-145545090 N/A High WLAN QC-CR#221457 [ 2 ] A-145544085 CVE-2019-10526 QC-CR#2232526 N/A High WLAN QC-CR#2541970 CVE-2019-10569 A-145545820 N/A High Audio QC-CR#2315791 CVE-2019-14029 A-145546793 N/A High Graphics QC-CR#2528795 CVE-2019-14032 A-145546652 N/A High Audio QC-CR#2537311 CVE-2019-14068 A-145546435 N/A High Audio QC-CR#2507653 [ 2 ] CVE-2019-14072 A-145545251 N/A High Graphics QC-CR#2509391 Qualcomm closed-source components These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2019-2317 A-134436812 * N/A Critical Closed-source component CVE-2019-10586 A-140423909 * N/A Critical Closed-source component CVE-2019-10587 A-140423816 * N/A Critical Closed-source component CVE-2019-10593 A-140424165 * N/A Critical Closed-source component CVE-2019-10594 A-140424564 * N/A Critical Closed-source component CVE-2019-10612 A-140423161 * N/A Critical Closed-source component CVE-2019-14031 A-142271912 * N/A Critical Closed-source component CVE-2019-14045 A-140973418 * N/A Critical Closed-source component CVE-2019-14071 A-145545489 * N/A Critical Closed-source component CVE-2019-14083 A-140973259 * N/A Critical Closed-source component CVE-2019-14086 A-140973417 * N/A Critical Closed-source component CVE-2019-14030 A-145546515 * N/A Critical Closed-source component CVE-2019-14097 A-145546003 * N/A Critical Closed-source component CVE-2019-14098 A-145546314 * N/A Critical Closed-source component CVE-2019-10546 A-145545250 * N/A Critical Closed-source component CVE-2019-14095 A-142843397 * N/A Critical Closed-source component CVE-2018-11970 A-114042111 * N/A High Closed-source component CVE-2019-10603 A-140424074 * N/A High Closed-source component CVE-2019-10616 A-140423338 * N/A High Closed-source component CVE-2019-10549 A-140423162 * N/A High Closed-source component CVE-2019-10550 A-140423702 * N/A High Closed-source component CVE-2019-10552 A-140423817 * N/A High Closed-source component CVE-2019-10553 A-140423081 * N/A High Closed-source component CVE-2019-10554 A-140424012 * N/A High Closed-source component CVE-2019-10577 A-140424166 * N/A High Closed-source component CVE-2019-14026 A-142271986 * N/A High Closed-source component CVE-2019-14027 A-142271756 * N/A High Closed-source component CVE-2019-14028 A-142271831 * N/A High Closed-source component CVE-2019-2300 A-142271659 * N/A High Closed-source component CVE-2019-2311 A-142271967 * N/A High Closed-source component CVE-2019-14050 A-143902706 * N/A High Closed-source component CVE-2019-14081 A-143902882 * N/A High Closed-source component CVE-2019-14082 A-140974589 * N/A High Closed-source component CVE-2019-14085 A-143902807 * N/A High Closed-source component CVE-2019-14048 A-145545282 * N/A High Closed-source component CVE-2019-14061 A-145545758 * N/A High Closed-source component CVE-2019-10604 A-145545725 * N/A High Closed-source component CVE-2019-10591 A-145545283 * N/A High Closed-source component CVE-2019-14000 A-145546434 * N/A High Closed-source component CVE-2019-14015 A-145545650 * N/A High Closed-source component" [1] MITIGATION Google advises that the "Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2020-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version." [1] REFERENCES [1] Android Security Bulletin - March 2020 https://source.android.com/security/bulletin/2020-03-01 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXmBbmWaOgq3Tt24GAQhbPRAAqa5ObJHwpMnh1NITe5JXJIgbk1yStt57 COAN/uXq/wEkx9KfeNrHEIILVP7RYFlFfCAapNdbTjRWewgz61Km/RiB7snnQ7Tw VhLa8cQG4fqFLvCU7KmgBxq6/ncIJj79unETro89iIAFmLgBsqtIN7wHPGDvhRtU Hqb2v57raYtKIFOgmpYfCUYFNmOHVoKAJXZcpxrQr5nBP/Paxo9ater00r02cCQl 9B6itd5VtnQLIPkYdDDOqej1WSzFTnroIMb/9lZ6EguMwxvVmSWSKLmK4H+xjHRQ TkJajt515H7WGl8QnAk74L+0CiCkUTAvHUA+ksKpejVhbYi3iBxqpncsy4fmoNfM Ioa5dnvromwChmWGbQJ/QFXbYPMnD92/4oqCDM7mBOhsoCAtpnU3bO2J/j+nRmpu KAqK6v6xV03gXemdDXWdPRbX6v92nlS53XS/2SjIoOJl90Ryk3ZdyqMoO4PTd3Uf 3Kzm7qUIyzvUfbpnz3ZiWvddu8YwWxb8Pqf01ydnKfbSTtYUjMznG4YVqD6QrQky uKHwRSlAKLGz3+5oykQRb/BGDZDOYSFsrkXHVHgDczhUg3llwqMGGmBkcFgRjTNw jU7taYRu3jUETgXWRiZC9zVNfXfI1Lgl3e7ldy13lUCv9LONxoo4R5WQsdM1Q3uQ ehPR2O7klWA= =Rngq -----END PGP SIGNATURE-----