-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1148
                  Android Security Bulletin - April 2021
                               6 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Android OS
Publisher:         Android
Operating System:  Android
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Existing Account            
                   Unauthorised Access             -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-0471 CVE-2021-0468 CVE-2021-0446
                   CVE-2021-0445 CVE-2021-0444 CVE-2021-0443
                   CVE-2021-0442 CVE-2021-0439 CVE-2021-0438
                   CVE-2021-0437 CVE-2021-0436 CVE-2021-0435
                   CVE-2021-0433 CVE-2021-0432 CVE-2021-0431
                   CVE-2021-0430 CVE-2021-0429 CVE-2021-0428
                   CVE-2021-0427 CVE-2021-0426 CVE-2021-0400
                   CVE-2020-25705 CVE-2020-15436 CVE-2020-11255
                   CVE-2020-11252 CVE-2020-11251 CVE-2020-11247
                   CVE-2020-11246 CVE-2020-11245 CVE-2020-11243
                   CVE-2020-11242 CVE-2020-11237 CVE-2020-11236
                   CVE-2020-11234 CVE-2020-11210 CVE-2020-11191

Reference:         ESB-2021.0791

Original Bulletin: 
   https://source.android.com/security/bulletin/2021-04-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Android Security Bulletin-April 2021

Published April 5, 2021

The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of 2021-04-05 or later address
all of these issues. To learn how to check a device's security patch level, see
Check and update your Android version .

Android partners are notified of all issues at least a month before
publication. Source code patches for these issues will be released to the
Android Open Source Project (AOSP) repository in the next 48 hours. We will
revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the
System component that could enable a remote attacker using a specially crafted
file to execute arbitrary code within the context of a privileged process. The
severity assessment is based on the effect that exploiting the vulnerability
would possibly have on an affected device, assuming the platform and service
mitigations are turned off for development purposes or if successfully
bypassed.

Refer to the Android and Google Play Protect mitigations section for details on
the Android security platform protections and Google Play Protect, which
improve the security of the Android platform.

Note : Information on the latest over-the-air update (OTA) and firmware images
for Google devices is available in the April 2021 Pixel Update Bulletin .

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform 
and service protections such as Google Play Protect . These capabilities reduce
the likelihood that security vulnerabilities could be successfully exploited on
Android.

  o Exploitation for many issues on Android is made more difficult by
    enhancements in newer versions of the Android platform. We encourage all
    users to update to the latest version of Android where possible.
  o The Android security team actively monitors for abuse through Google Play
    Protect and warns users about Potentially Harmful Applications . Google
    Play Protect is enabled by default on devices with Google Mobile Services ,
    and is especially important for users who install apps from outside of
    Google Play.

2021-04-01 security patch level vulnerability details

In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2021-04-01 patch level. Vulnerabilities are
grouped under the component they affect. Issues are described in the tables
below and include CVE ID, associated references, type of vulnerability ,
severity , and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID. Devices with Android 10
and later may receive security updates as well as Google Play system updates .

Framework

The most severe vulnerability in this section could allow a malicious user to
spoof location data using a mocked location during a call to emergency
services.

     CVE      References  Type Severity Updated AOSP versions
CVE-2021-0400 A-177561690 EoP  High     9, 10, 11
CVE-2021-0426 A-174485572 EoP  High     11
CVE-2021-0427 A-174488848 EoP  High     11
CVE-2021-0432 A-173552790 EoP  High     11
CVE-2021-0438 A-152064592 EoP  High     8.1, 9, 10
CVE-2021-0439 A-174243830 EoP  High     11
CVE-2021-0442 A-174768985 EoP  High     11
CVE-2021-0443 A-170474245 ID   High     8.1, 9, 10, 11
CVE-2021-0444 A-178825358 ID   High     8.1, 9, 10, 11

Media Framework

The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.

     CVE      References  Type Severity Updated AOSP versions
CVE-2021-0437 A-176168330 EoP  High     8.1, 9, 10, 11
CVE-2021-0436 A-176496160 ID   High     8.1, 9, 10, 11
CVE-2021-0471 A-176444786 ID   High     8.1, 9, 10, 11

System

The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.

     CVE      References  Type Severity Updated AOSP versions
CVE-2021-0430 A-178725766 RCE  Critical 10, 11
CVE-2021-0429 A-175074139 EoP  High     8.1, 9, 10, 11
CVE-2021-0433 A-171221090 EoP  High     8.1, 9, 10, 11
CVE-2021-0446 A-172252122 EoP  High     11
CVE-2021-0431 A-174149901 ID   High     8.1, 9, 10, 11
CVE-2021-0435 A-174150451 ID   High     8.1, 9, 10, 11

Google Play system updates

The following issues are included in Project Mainline components.

Component                     CVE
Statsd    CVE-2021-0426, CVE-2021-0427, CVE-2021-0432

2021-04-05 security patch level vulnerability details

In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2021-04-05 patch level. Vulnerabilities are
grouped under the component they affect. Issues are described in the tables
below and include CVE ID, associated references, type of vulnerability ,
severity , and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.

System

The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.

     CVE      References  Type Severity Updated AOSP versions
CVE-2021-0445 A-172322502 EoP  High     9, 11
CVE-2021-0428 A-173421434 ID   High     10

Kernel components

The most severe vulnerability in this section could enable a local attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.

     CVE         References    Type Severity           Component
CVE-2020-15436 A-174737742     EoP  High     Kernel Block Device Subsystem
               Upstream kernel
CVE-2020-25705 A-174737972     ID   High     ICMP
               Upstream kernel

MediaTek components

This vulnerability affects MediaTek components and further details are
available directly from MediaTek. The severity assessment of this issue is
provided directly by MediaTek.

     CVE         References     Severity Component
CVE-2021-0468 A-180427272       High     LK
              M-ALPS05518125 *

Qualcomm components

This vulnerability affects Qualcomm components and are described in further
detail in the appropriate Qualcomm security bulletin or security alert. The
severity assessment of this issue is provided directly by Qualcomm.

     CVE           References       Severity Component
CVE-2020-11234 A-170139095          High     Kernel
               QC-CR#2439497 [ 2 ]

Qualcomm closed-source components

These vulnerabilities affect Qualcomm closed-source components and are
described in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided directly by
Qualcomm.

     CVE        References    Severity        Component
CVE-2020-11210 A-170138788 *  Critical Closed-source component
CVE-2020-11191 A-170138864 *  High     Closed-source component
CVE-2020-11236 A-170138748 *  High     Closed-source component
CVE-2020-11237 A-170138790 *  High     Closed-source component
CVE-2020-11242 A-170138747 *  High     Closed-source component
CVE-2020-11243 A-170139096 *  High     Closed-source component
CVE-2020-11245 A-170138750 *  High     Closed-source component
CVE-2020-11246 A-159482433 *  High     Closed-source component
CVE-2020-11247 A-170138749 *  High     Closed-source component
CVE-2020-11251 A-170137904 *  High     Closed-source component
CVE-2020-11252 A-170138791 *  High     Closed-source component
CVE-2020-11255 A-170138865 *  High     Closed-source component

Common questions and answers

This section answers common questions that may occur after reading this
bulletin.

1. How do I determine if my device is updated to address these issues

To learn how to check a device's security patch level, see Check and update
your Android version .

  o Security patch levels of 2021-04-01 or later address all issues associated
    with the 2021-04-01 security patch level.
  o Security patch levels of 2021-04-05 or later address all issues associated
    with the 2021-04-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string
level to:

  o [ro.build.version.security_patch]:[2021-04-01]
  o [ro.build.version.security_patch]:[2021-04-05]

For some devices on Android 10 or later, the Google Play system update will
have a date string that matches the 2021-04-01 security patch level. Please see
this article for more details on how to install security updates.

2. Why does this bulletin have two security patch levels

This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.

  o Devices that use the 2021-04-01 security patch level must include all
    issues associated with that security patch level, as well as fixes for all
    issues reported in previous security bulletins.
  o Devices that use the security patch level of 2021-04-05 or newer must
    include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.

3. What do the entries in the Type column mean

Entries in the Type column of the vulnerability details table reference the
classification of the security vulnerability.

Abbreviation          Definition
RCE          Remote code execution
EoP          Elevation of privilege
ID           Information disclosure
DoS          Denial of service
N/A          Classification not available

4. What do the entries in the References column mean

Entries under the References column of the vulnerability details table may
contain a prefix identifying the organization to which the reference value
belongs.

Prefix         Reference
A-     Android bug ID
QC-    Qualcomm reference number
M-     MediaTek reference number
N-     NVIDIA reference number
B-     Broadcom reference number

5. What does an * next to the Android bug ID in the References column mean

Issues that are not publicly available have an * next to the corresponding
reference ID. The update for that issue is generally contained in the latest
binary drivers for Pixel devices available from the Google Developer site .

6. Why are security vulnerabilities split between this bulletin and device /
partner security bulletins, such as the Pixel bulletin

Security vulnerabilities that are documented in this security bulletin are
required to declare the latest security patch level on Android devices.
Additional security vulnerabilities that are documented in the device / partner
security bulletins are not required for declaring a security patch level.
Android device and chipset manufacturers may also publish security
vulnerability details specific to their products, such as Google , Huawei , LGE
, Motorola , Nokia , or Samsung .

Versions

Version     Date             Notes
1.0     April 5, 2021 Bulletin published.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYGvjjeNLKJtyKPYoAQiUuQ//V+7qECMjwDyqBUj+Rz1N6tJZfZv5+QLx
mM40zI7d1Y5rkYip9ESjFxb4RwZwtnudGP9NUmXaOzPHMCqq2kFkePRxf7gyOyCa
58mzl6dLOtn+/sPqR5BKrkS+GnNmYGbuvttwAS3tWL0S01uLyaXu/TEY+9oDx5v8
JwViNn86G0oK3uWny0fBMxhGGtaE9kNzMa3KI4Xrz16X5stFubDQ4gqzNh7shP1s
7kxtePVXy4zTGXILLcIo6ygWD2eEWsZ4WPFNvqhsWiQrHwWOwDtVV3ASIfXoMpn0
4W7/zFIXOUlMJJ5ro0q/hxsqTzDwCBpzNwM8WpoMiWbJAnKTverBpinjpYVN+PD2
Chc988JRjSFhqRqReheYkl1qmFMD7fhPpOljOVO79QXib4rmBTGhnY832qaDVo4Z
nWcPQLg10cO2Xheo+o36dicuM6IbOBJlkpwUwjkDaibeiMMo9OlYGnJOGUtYe0qv
uYsk95/YW1qeC/WgJlIn0mAau/cvRlX0qnJ6MangKHTryRzIsH6/j2rt2ttOsIDU
JpUsVKrqoktF/AEEEFmCRhS7Tl38DkR53HcelDCJayBq2f3Rtry5jEE9o3nmpqR+
OVEXpx8w3Rzat90ln9ruQOX05a1WMG/gydVlNoroVAu8IM7x2cCgTqIgkXGdTXBE
YhM97bqOmhs=
=XW1s
-----END PGP SIGNATURE-----