MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2017-001

DATE(S) ISSUED:
01/04/2017

SUBJECT:
Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when a crafted media file is processed. Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected process (for the media-parsing bugs, the mediaserver process). Android confines each process with its own permissions, so an attacker who gains code execution in mediaserver does not automatically gain control of the device; in practice such a foothold is chained with one of the elevation-of-privilege vulnerabilities listed below (kernel, bootloader, or vendor driver bugs) to reach kernel or root-level access, after which the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Android OS builds utilizing Security Patch Levels prior to January 05, 2017. Google publishes two patch-level strings for this bulletin, 2017-01-01 and 2017-01-05; only a build reporting 2017-01-05 or later contains fixes for every issue listed below.

RISK:

Government:

• Large and medium government entities: High

• Small government: High

Businesses:

• Large and medium business entities: High

• Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Google Android OS is prone to multiple vulnerabilities, the most severe of which could allow for remote code execution. The vulnerabilities are as follows:

• Remote code execution vulnerability in Mediaserver (CVE-2017-0381).
• Remote code execution vulnerability in c-ares (CVE-2016-5180).
• Remote code execution vulnerability in Framesequence (CVE-2017-0382).
• Elevation of privilege vulnerability in Framework APIs (CVE-2017-0383).
• Multiple elevation of privilege vulnerabilities in Audioserver (CVE-2017-0384, CVE-2017-0385).
• Elevation of privilege vulnerability in libnl (CVE-2017-0386).
• Elevation of privilege vulnerability in Mediaserver (CVE-2017-0387).
• Information disclosure vulnerability in External Storage Provider (CVE-2017-0388).
• Denial of service vulnerability in core networking (CVE-2017-0389).
• Multiple denial of service vulnerabilities in Mediaserver (CVE-2017-0390, CVE-2017-0391, CVE-2017-0392, CVE-2017-0393).
• Denial of service vulnerability in Telephony (CVE-2017-0394).
• Elevation of privilege vulnerability in Contacts (CVE-2017-0395).
• Multiple information disclosure vulnerabilities in Mediaserver (CVE-2017-0396, CVE-2017-0397).
• Multiple information disclosure vulnerabilities in Audioserver (CVE-2017-0398, CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402).
• Elevation of privilege vulnerability in kernel memory subsystem (CVE-2015-3288).
• Multiple elevation of privilege vulnerabilities in Qualcomm bootloader (CVE-2016-8422, CVE-2016-8423).
• Elevation of privilege vulnerability in kernel file system (CVE-2015-5706).
• Multiple elevation of privilege vulnerabilities in NVIDIA GPU driver (CVE-2016-8424, CVE-2016-8425, CVE-2016-8426, CVE-2016-8482, CVE-2016-8427, CVE-2016-8428, CVE-2016-8429, CVE-2016-8430, CVE-2016-8431, CVE-2016-8432).
• Elevation of privilege vulnerability in MediaTek driver (CVE-2016-8433).
• Elevation of privilege vulnerability in Qualcomm GPU driver (CVE-2016-8434).
• Elevation of privilege vulnerability in NVIDIA GPU driver (CVE-2016-8435).
• Elevation of privilege vulnerability in Qualcomm video driver (CVE-2016-8436).
• Multiple vulnerabilities in Qualcomm components (CVE-2016-5080, CVE-2016-8398, CVE-2016-8437, CVE-2016-8438, CVE-2016-8439, CVE-2016-8440, CVE-2016-8441, CVE-2016-8442, CVE-2016-8443, CVE-2016-8459).
• Multiple elevation of privilege vulnerabilities in Qualcomm camera (CVE-2016-8412, CVE-2016-8444).
• Multiple elevation of privilege vulnerabilities in MediaTek components (CVE-2016-8445, CVE-2016-8446, CVE-2016-8447, CVE-2016-8448).
• Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (CVE-2016-8415).
• Elevation of privilege vulnerability in NVIDIA GPU driver (CVE-2016-8449).
• Elevation of privilege vulnerability in Qualcomm sound driver (CVE-2016-8450).
• Elevation of privilege vulnerability in Synaptics touchscreen driver (CVE-2016-8451).
• Elevation of privilege vulnerability in kernel security subsystem (CVE-2016-7042).
• Elevation of privilege vulnerability in kernel performance subsystem (CVE-2017-0403).
• Elevation of privilege vulnerability in kernel sound subsystem (CVE-2017-0404).
• Elevation of privilege vulnerability in Qualcomm Wi-Fi driver (CVE-2016-8452).
• Elevation of privilege vulnerability in Qualcomm radio driver (CVE-2016-5345).
• Elevation of privilege vulnerability in kernel profiling subsystem (CVE-2016-9754).
• Multiple elevation of privilege vulnerabilities in Broadcom Wi-Fi driver (CVE-2016-8453, CVE-2016-8454, CVE-2016-8455, CVE-2016-8456, CVE-2016-8457).
• Elevation of privilege vulnerability in Synaptics touchscreen driver (CVE-2016-8458).
• Information disclosure vulnerability in NVIDIA video driver (CVE-2016-8460).
• Information disclosure vulnerability in bootloader (CVE-2016-8461, CVE-2016-8462).
• Denial of service vulnerability in Qualcomm FUSE file system (CVE-2016-8463).
• Denial of service vulnerability in bootloader (CVE-2016-8467).
• Multiple elevation of privilege vulnerabilities in Broadcom Wi-Fi driver (CVE-2016-8464, CVE-2016-8465, CVE-2016-8466).
• Elevation of privilege vulnerability in bootloader (CVE-2016-8467).
• Elevation of privilege vulnerability in Binder (CVE-2016-8468).
• Information disclosure vulnerability in NVIDIA camera driver (CVE-2016-8469).
• Multiple information disclosure vulnerabilities in MediaTek driver (CVE-2016-8470, CVE-2016-8471, CVE-2016-8472).
• Information disclosure vulnerability in STMicroelectronics driver (CVE-2016-8473, CVE-2016-8474).
• Multiple information disclosure vulnerabilities in Qualcomm audio post processor (CVE-2017-0399, CVE-2017-0400, CVE-2017-0401, CVE-2017-0402).
• Information disclosure vulnerability in HTC input driver (CVE-2016-8475).
• Denial of service vulnerability in kernel file system (CVE-2014-9420).

Successful exploitation of the most severe of these vulnerabilities could result in remote code execution in the context of the affected process (for the media-parsing bugs, the mediaserver process). Because Android runs each process with restricted permissions, an attacker would typically need to chain this with one of the elevation-of-privilege vulnerabilities listed above to gain kernel or root-level control, after which the attacker could install programs; view, change, or delete data; or create new accounts with full user rights. The kernel, bootloader, and vendor driver issues listed above are reachable only by an attacker who already has code running on the device (for example, through a malicious application) and are therefore rated lower than the remote code execution issues.

RECOMMENDATIONS:

We recommend the following actions be taken:

• Apply appropriate updates provided by Google, device manufacturers, or mobile carriers to vulnerable systems, immediately after appropriate testing. Confirm remediation by checking the Android security patch level reported by each device (Settings > About phone > Android security patch level, or the ro.build.version.security_patch system property); devices reporting a patch level earlier than 2017-01-05 remain affected by at least some of the issues above.

• Remind users to download apps only from trusted vendors in the Play Store.

• Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
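The following script is an added example, not part of the MS-ISAC advisory or of Google's bulletin, showing how an administrator can verify the patch-level recommendation above across a set of devices reachable over adb. It assumes adb is installed, that the devices have USB debugging enabled and authorized, and that the device reports its patch level in the standard ro.build.version.security_patch property (present on Android 6.0 and later); the 2017-01-05 threshold is the one named in this advisory.

```shell
#!/bin/sh
# Added example (not from the MS-ISAC advisory): check Android security
# patch levels over adb against the 2017-01-05 threshold from this advisory.
# Assumes adb is installed and the devices are USB-debugging authorized.

THRESHOLD="2017-01-05"

# Returns 0 (true) when the patch level is older than the threshold.
# ro.build.version.security_patch is formatted YYYY-MM-DD, so stripping
# the dashes yields an integer that compares correctly as a date.
# A missing or malformed value (pre-6.0 builds lack the property) is
# treated as vulnerable rather than silently passing.
patch_level_is_vulnerable() {
    level="$1"
    threshold="${2:-$THRESHOLD}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 0 ;;
    esac
    lvl=$(printf '%s' "$level" | tr -d -)
    thr=$(printf '%s' "$threshold" | tr -d -)
    [ "$lvl" -lt "$thr" ]
}

# Prints one tab-separated report line for a device and returns 0 only
# when the device is at or beyond the threshold. Takes the serial, the
# patch level and the build fingerprint as arguments so it can also be
# fed from an inventory export instead of a live adb session.
classify_device() {
    serial="$1"; level="$2"; fingerprint="$3"
    if patch_level_is_vulnerable "$level"; then
        status="VULNERABLE"
    else
        status="PATCHED"
    fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$serial" "${level:-<none>}" "$fingerprint"
    [ "$status" = "PATCHED" ]
}

# Walks every device adb currently lists as online. Returns 1 if any
# device is below the threshold, 2 if adb is not available at all.
scan_fleet() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found in PATH" >&2; return 2; }
    rc=0
    for serial in $(adb devices | awk 'NR>1 && $2=="device" {print $1}'); do
        # getprop output ends in CR LF on some builds; strip the CR.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        fp=$(adb -s "$serial" shell getprop ro.build.fingerprint | tr -d '\r')
        classify_device "$serial" "$level" "$fp" || rc=1
    done
    return $rc
}

# Run the live scan only when executed directly, so the functions can be
# sourced and exercised with constructed inventory data offline.
if [ "${0##*/}" = "patchcheck.sh" ]; then
    scan_fleet
fi
```

Pipe the output through `grep '^VULNERABLE'` to get the list of devices still needing an update; a device that reports 2017-01-01 is flagged because that patch level covers only the first group of issues in the bulletin.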


REFERENCES:

Google:

https://source.android.com/security/bulletin/2017-01-01.html


CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3288

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5706

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5080

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5180

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5345

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7042

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8398

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8412

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8415

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8422

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8423

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8424

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8425

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8426

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8427

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8428

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8429

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8430

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8431

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8432

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8433

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8434

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8435

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8436

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8437

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8438

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8439

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8440

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8441

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8442

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8443

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8444

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8445

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8446

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8447

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8448

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8449

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8450

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8451

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8452

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8453

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8454

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8455

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8456

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8457

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8458

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8459

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8460

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8461

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8462

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8463

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8464

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8465

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8466

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8467

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8468

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8469

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8470

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8471

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8472

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8473

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8474

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8475

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8482

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9754

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0381

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0382

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0383

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0384

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0385

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0386

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0387

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0388

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0389

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0390

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0391

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0392

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0393

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0394

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0395

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0396

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0397

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0398

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0399

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0400

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0401

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0402

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0403