-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6363
                 Android Security Bulletin - December 2022
                              7 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Android OS
Publisher:         Google
Operating System:  Android
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42772 CVE-2022-42771 CVE-2022-42770
                   CVE-2022-42756 CVE-2022-42755 CVE-2022-42754
                   CVE-2022-39134 CVE-2022-39133 CVE-2022-39132
                   CVE-2022-39131 CVE-2022-39130 CVE-2022-39129
                   CVE-2022-39106 CVE-2022-33268 CVE-2022-33238
                   CVE-2022-33235 CVE-2022-32620 CVE-2022-32619
                   CVE-2022-32598 CVE-2022-32597 CVE-2022-32596
                   CVE-2022-32594 CVE-2022-25702 CVE-2022-25698
                   CVE-2022-25697 CVE-2022-25695 CVE-2022-25692
                   CVE-2022-25691 CVE-2022-25689 CVE-2022-25685
                   CVE-2022-25682 CVE-2022-25681 CVE-2022-25673
                   CVE-2022-25672 CVE-2022-23960 CVE-2022-20611
                   CVE-2022-20502 CVE-2022-20501 CVE-2022-20500
                   CVE-2022-20499 CVE-2022-20498 CVE-2022-20497
                   CVE-2022-20496 CVE-2022-20495 CVE-2022-20491
                   CVE-2022-20488 CVE-2022-20487 CVE-2022-20486
                   CVE-2022-20485 CVE-2022-20484 CVE-2022-20483
                   CVE-2022-20482 CVE-2022-20480 CVE-2022-20479
                   CVE-2022-20478 CVE-2022-20477 CVE-2022-20476
                   CVE-2022-20475 CVE-2022-20474 CVE-2022-20473
                   CVE-2022-20472 CVE-2022-20471 CVE-2022-20470
                   CVE-2022-20469 CVE-2022-20468 CVE-2022-20466
                   CVE-2022-20449 CVE-2022-20444 CVE-2022-20442
                   CVE-2022-20411 CVE-2022-20240 CVE-2022-20144
                   CVE-2022-20124 CVE-2021-39795 CVE-2021-39660
                   CVE-2021-39617 CVE-2021-0934 

Original Bulletin: 
   https://source.android.com/docs/security/bulletin/2022-12-01

Comment: CVSS (Max):  7.8* CVE-2022-20144 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Android Security Bulletin-December 2022

Published December 5, 2022

The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of 2022-12-05 or later address
all of these issues. To learn how to check a device's security patch level, see
Check and update your Android version .

Android partners are notified of all issues at least a month before
publication. Source code patches for these issues will be released to the
Android Open Source Project (AOSP) repository in the next 48 hours. We will
revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a critical security vulnerability in the
System component that could lead to remote code execution over Bluetooth with
no additional execution privileges needed. The severity assessment is based on
the effect that exploiting the vulnerability would possibly have on an affected
device, assuming the platform and service mitigations are turned off for
development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on
the Android security platform protections and Google Play Protect, which
improve the security of the Android platform.

Note : Information on the latest over-the-air update (OTA) and firmware images
for Google devices is available in the December 2022 Pixel Update Bulletin .

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform 
and service protections such as Google Play Protect . These capabilities reduce
the likelihood that security vulnerabilities could be successfully exploited on
Android.

  o Exploitation for many issues on Android is made more difficult by
    enhancements in newer versions of the Android platform. We encourage all
    users to update to the latest version of Android where possible.
  o The Android security team actively monitors for abuse through Google Play
    Protect and warns users about Potentially Harmful Applications . Google
    Play Protect is enabled by default on devices with Google Mobile Services ,
    and is especially important for users who install apps from outside of
    Google Play.

2022-12-01 security patch level vulnerability details

In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2022-12-01 patch level. Vulnerabilities are
grouped under the component they affect. Issues are described in the tables
below and include CVE ID, associated references, type of vulnerability ,
severity , and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID. Devices with Android 10
and later may receive security updates as well as Google Play system updates .

Android Runtime

The vulnerability in this section could lead to local information disclosure
with no additional execution privileges needed.

     CVE       References  Type Severity Updated AOSP versions
CVE-2022-20502 A-222166527 ID   High     13

Framework

The most severe vulnerability in this section could lead to remote code
execution with no additional execution privileges needed.

     CVE       References  Type Severity Updated AOSP versions
CVE-2022-20472 A-239210579 RCE  Critical 10, 11, 12, 12L, 13
CVE-2022-20473 A-239267173 RCE  Critical 10, 11, 12, 12L, 13
CVE-2021-39617 A-175190844 EoP  High     11, 12, 12L
CVE-2021-39795 A-201667614 EoP  High     11, 12, 12L, 13
CVE-2022-20124 A-170646036 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20442 A-176094367 EoP  High     10, 11, 12, 12L
CVE-2022-20444 A-197296414 EoP  High     11, 12
CVE-2022-20470 A-234013191 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20474 A-240138294 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20475 A-240663194 EoP  High     11, 12, 12L, 13
CVE-2022-20477 A-241611867 EoP  High     13
CVE-2022-20485 A-242702935 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20486 A-242703118 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20491 A-242703556 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20611 A-242996180 EoP  High     10, 11, 12, 12L, 13
CVE-2021-0934  A-169762606 DoS  High     10, 11, 12, 12L, 13
CVE-2022-20449 A-239701237 DoS  High     10, 11, 12, 12L, 13
CVE-2022-20476 A-240936919 DoS  High     10, 11, 12, 12L
CVE-2022-20482 A-240422263 DoS  High     12, 12L, 13
CVE-2022-20500 A-246540168 DoS  High     10, 11, 12, 12L, 13

Media Framework

The vulnerability in this section could lead to local information disclosure
with no additional execution privileges needed.

     CVE       References  Type Severity Updated AOSP versions
CVE-2022-20496 A-245242273 ID   High     12, 12L, 13

System

The most severe vulnerability in this section could lead to remote code
execution over Bluetooth with no additional execution privileges needed.

     CVE       References  Type Severity Updated AOSP versions
CVE-2022-20411 A-232023771 RCE  Critical 10, 11, 12, 12L, 13
CVE-2022-20498 A-246465319 ID   Critical 10, 11, 12, 12L, 13
CVE-2022-20469 A-230867224 RCE  High     10, 11, 12, 12L, 13
CVE-2022-20144 A-187702830 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20240 A-231496105 EoP  High     12, 12L
CVE-2022-20478 A-241764135 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20479 A-241764340 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20480 A-241764350 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20484 A-242702851 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20487 A-242703202 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20488 A-242703217 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20495 A-243849844 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20501 A-246933359 EoP  High     10, 11, 12, 12L, 13
CVE-2022-20466 A-179725730 ID   Moderate 13
                           ID   High     10, 11, 12, 12L
CVE-2022-20471 A-238177877 ID   High     11, 12, 12L, 13
CVE-2022-20483 A-242459126 ID   High     10, 11, 12, 12L, 13
CVE-2022-20497 A-246301979 ID   High     12, 12L, 13
CVE-2022-20499 A-246539931 DoS  High     12, 12L, 13
CVE-2022-20468 A-228450451 ID   Moderate 10, 11, 12, 12L, 13

Google Play system updates

The following issues are included in Project Mainline components.

    Subcomponent                   CVE
MediaProvider         CVE-2021-39795
Permission Controller CVE-2021-39617, CVE-2022-20442
WiFi                  CVE-2022-20499

2022-12-05 security patch level vulnerability details

In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2022-12-05 patch level. Vulnerabilities are
grouped under the component they affect. Issues are described in the tables
below and include CVE ID, associated references, type of vulnerability ,
severity , and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.

Kernel

The vulnerability in this section could lead to local information disclosure
with no additional execution privileges needed.

     CVE                    References               Type Severity Subcomponent
               A-215557547
               Upstream kernel [ 2 ] [ 3 ] [ 4 ] [ 5
CVE-2022-23960 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ID   High     Kernel
               ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ]
               [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [
               22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ]

Imagination Technologies

This vulnerability affects Imagination Technologies components and further
details are available directly from Imagination Technologies. The severity
assessment of this issue is provided directly by Imagination Technologies.

     CVE        References    Severity Subcomponent
CVE-2021-39660 A-254742984 *  High     PowerVR-GPU

MediaTek components

These vulnerabilities affect MediaTek components and further details are
available directly from MediaTek. The severity assessment of these issues is
provided directly by MediaTek.

     CVE          References     Severity Subcomponent
CVE-2022-32594 A-250331397       High     widevine
               M-ALPS07446207 *
CVE-2022-32596 A-250470698       High     widevine
               M-ALPS07446213 *
CVE-2022-32597 A-250470696       High     widevine
               M-ALPS07446228 *
CVE-2022-32598 A-250470697       High     widevine
               M-ALPS07446228 *
CVE-2022-32619 A-250441021       High     keyinstall
               M-ALPS07439659 *
CVE-2022-32620 A-250441023       High     mpu
               M-ALPS07541753 *

Unisoc components

These vulnerabilities affect Unisoc components and further details are
available directly from Unisoc. The severity assessment of these issues is
provided directly by Unisoc.

     CVE       References   Severity Subcomponent
CVE-2022-39106 A-252398972  High     kernel
               U-1830881 *
CVE-2022-39131 A-252950986  High     Kernel
               U-1914157 *
CVE-2022-39132 A-252951342  High     Kernel
               U-1914157 *
CVE-2022-39133 A-253957345  High     Kernel
               U-1946077 *
CVE-2022-39134 A-253333208  High     Kernel
               U-1947682 *
CVE-2022-42754 A-253344080  High     Kernel
               U-1967614 *
CVE-2022-42755 A-253957344  High     Kernel
               U-1981296 *
CVE-2022-42756 A-253337348  High     Kernel
               U-1967535 *
CVE-2022-42770 A-253978051  High     Kernel
               U-1975103 *
CVE-2022-42771 A-253978040  High     Kenel
               U-1946329 *
CVE-2022-42772 A-253978054  High     kernel
               U-1903041 *
CVE-2022-39129 A-252943954  High     Kernel
               U-1957128 *
CVE-2022-39130 A-252950982  High     Kernel
               U-1957128 *

Qualcomm components

This vulnerability affects Qualcomm components and are described in further
detail in the appropriate Qualcomm security bulletin or security alert. The
severity assessment of this issue is provided directly by Qualcomm.

     CVE           References       Severity Subcomponent
CVE-2022-33268 A-245992426          High     Bluetooth
               QC-CR#3182085 [ 2 ]

Qualcomm closed-source components

These vulnerabilities affect Qualcomm closed-source components and are
described in further detail in the appropriate Qualcomm security bulletin or
security alert. The severity assessment of these issues is provided directly by
Qualcomm.

     CVE        References    Severity      Subcomponent
CVE-2022-25672 A-231156083 *  High     Closed-source component
CVE-2022-25673 A-235102693 *  High     Closed-source component
CVE-2022-25681 A-238106628 *  High     Closed-source component
CVE-2022-25682 A-238102293 *  High     Closed-source component
CVE-2022-25685 A-235102504 *  High     Closed-source component
CVE-2022-25689 A-235102546 *  High     Closed-source component
CVE-2022-25691 A-235102879 *  High     Closed-source component
CVE-2022-25692 A-235102506 *  High     Closed-source component
CVE-2022-25695 A-235102757 *  High     Closed-source component
CVE-2022-25697 A-235102692 *  High     Closed-source component
CVE-2022-25698 A-235102566 *  High     Closed-source component
CVE-2022-25702 A-235102898 *  High     Closed-source component
CVE-2022-33235 A-245402984 *  High     Closed-source component
CVE-2022-33238 A-245402341 *  High     Closed-source component

Common questions and answers

This section answers common questions that may occur after reading this
bulletin.

1. How do I determine if my device is updated to address these issues

To learn how to check a device's security patch level, see Check and update
your Android version .

  o Security patch levels of 2022-12-01 or later address all issues associated
    with the 2022-12-01 security patch level.
  o Security patch levels of 2022-12-05 or later address all issues associated
    with the 2022-12-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string
level to:

  o [ro.build.version.security_patch]:[2022-12-01]
  o [ro.build.version.security_patch]:[2022-12-05]

For some devices on Android 10 or later, the Google Play system update will
have a date string that matches the 2022-12-01 security patch level. Please see
this article for more details on how to install security updates.

2. Why does this bulletin have two security patch levels

This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.

  o Devices that use the 2022-12-01 security patch level must include all
    issues associated with that security patch level, as well as fixes for all
    issues reported in previous security bulletins.
  o Devices that use the security patch level of 2022-12-05 or newer must
    include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.

3. What do the entries in the Type column mean

Entries in the Type column of the vulnerability details table reference the
classification of the security vulnerability.

Abbreviation          Definition
RCE          Remote code execution
EoP          Elevation of privilege
ID           Information disclosure
DoS          Denial of service
N/A          Classification not available

4. What do the entries in the References column mean

Entries under the References column of the vulnerability details table may
contain a prefix identifying the organization to which the reference value
belongs.

Prefix         Reference
A-     Android bug ID
QC-    Qualcomm reference number
M-     MediaTek reference number
N-     NVIDIA reference number
B-     Broadcom reference number
U-     UNISOC reference number

5. What does an * next to the Android bug ID in the References column mean

Issues that are not publicly available have an * next to the corresponding
reference ID. The update for that issue is generally contained in the latest
binary drivers for Pixel devices available from the Google Developer site .

6. Why are security vulnerabilities split between this bulletin and device /
partner security bulletins, such as the Pixel bulletin

Security vulnerabilities that are documented in this security bulletin are
required to declare the latest security patch level on Android devices.
Additional security vulnerabilities that are documented in the device / partner
security bulletins are not required for declaring a security patch level.
Android device and chipset manufacturers may also publish security
vulnerability details specific to their products, such as Google , Huawei , LGE
, Motorola , Nokia , or Samsung .

Versions

Version       Date             Notes
1.0     December 5, 2022 Bulletin Published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY4/9jskNZI30y1K9AQgM7g//WbKsNPev5UVPj++F7IAKpprRmzfdWgO3
qHGimB4KAS6OU/TeQlq9mAMeyHS+e18m4SsDt5d4K5CYBw6PXAezE69o/MF+B+B9
V+MnPdbRF6Ns6Je7JXWRdnFd0ZtlyyXfUzI9giUvbOjAewGBMewZPB4F3P9L7AjV
sV35Qd+VjJpjcYKVKEQmscWqomzz9X3LjUrOLeh2Q2nzrzMlyhM/jStO0CvWLD32
DAHwP6Z+fBSl8YepUfP6mbJ2EWo8lOAlZIe/oEF5WLja/RE5H0KnevmdbThFknwT
VbIPwthOkOeDpnbz9xrXZPd4h9c8pCOK5wzbxgWYK7dODcZL6k/f/vMYCq5RGNRO
1jx/rb30DYmK+W6DtJi79YG5EnenbCs0SJRb0eRQElFeHdnudJr51hqyIiKSUt2W
P415V5E9HlcePH58VVxVn5R51W1bBDMaQufBzXSQDQwIvcZGrXD9DlqSPMbksK7K
l6QZ7b9nnJiCsZX7pkafhAgZJesjP0xLE2a/QlwxoDiPXaYrHV0w/dTYDBlcSVYW
/hk0NLnh9GiJvNP6B3S5ttgXnlAPWQATwcXAO5Q2+t/Mx0KNimSeZeFJUMbAbcwr
YRBdqh/ZFNKSq5p+Hwwlfp2lBgnRKkULARRz5xNlVNODyJbdG5hWL8K+ny6tjMHC
11bLIvdewDU=
=QGQN
-----END PGP SIGNATURE-----