SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (Other)  >   Google Android Vendors:   Google
Google Android Multiple Flaws Let Users Deny Service, Obtain Potentially Sensitive Information, and Gain Elevated Privileges and Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1037798
SecurityTracker URL:  http://securitytracker.com/id/1037798
CVE Reference:   CVE-2014-9914, CVE-2016-10044, CVE-2016-5552, CVE-2016-8414, CVE-2016-8418, CVE-2016-8419, CVE-2016-8420, CVE-2016-8421, CVE-2016-8476, CVE-2016-8480, CVE-2016-8481, CVE-2017-0405, CVE-2017-0406, CVE-2017-0407, CVE-2017-0408, CVE-2017-0409, CVE-2017-0410, CVE-2017-0411, CVE-2017-0412, CVE-2017-0413, CVE-2017-0414, CVE-2017-0415, CVE-2017-0416, CVE-2017-0417, CVE-2017-0418, CVE-2017-0419, CVE-2017-0420, CVE-2017-0421, CVE-2017-0422, CVE-2017-0423, CVE-2017-0424, CVE-2017-0425, CVE-2017-0426, CVE-2017-0427, CVE-2017-0428, CVE-2017-0429, CVE-2017-0430, CVE-2017-0431, CVE-2017-0432, CVE-2017-0433, CVE-2017-0434, CVE-2017-0435, CVE-2017-0436, CVE-2017-0437, CVE-2017-0438, CVE-2017-0439, CVE-2017-0440, CVE-2017-0441, CVE-2017-0442, CVE-2017-0443, CVE-2017-0444, CVE-2017-0445, CVE-2017-0446, CVE-2017-0447, CVE-2017-0448, CVE-2017-0449, CVE-2017-0450, CVE-2017-0451   (Links to External Site)
Date:  Feb 9 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Google Android. A remote user can cause arbitrary code to be executed on the target user's system. A user can cause denial of service conditions on the target system. An application can obtain elevated privileges on the target system. A user can obtain potentially sensitive information on the target system.

Remote code execution may occur in the Surfaceflinger component [CVE-2017-0405].

Remote code execution may occur in the Mediaserver component [CVE-2017-0406, CVE-2017-0407].

Remote code execution may occur in the libgdx component [CVE-2017-0408].

Remote code execution may occur in the libstagefright component [CVE-2017-0409].

Privilege escalation may occur in the Java.Net component [CVE-2016-5552].

Privilege escalation may occur in the Framework APIs component [CVE-2017-0410, CVE-2017-0411, CVE-2017-0412].

Privilege escalation may occur in the Mediaserver component [CVE-2017-0415].

Privilege escalation may occur in the Audioserver component [CVE-2017-0416, CVE-2017-0417, CVE-2017-0418, CVE-2017-0419].

Information disclosure may occur in the AOSP Mail component [CVE-2017-0420].

Information disclosure may occur in the AOSP Messaging component [CVE-2017-0413, CVE-2017-0414].

Information disclosure may occur in the Framework APIs component [CVE-2017-0421].

Denial of service conditions may occur in the Bionic DNS component [CVE-2017-0422].

Privilege escalation may occur in the Bluetooth component [CVE-2017-0423].

Information disclosure may occur in the AOSP Messaging component [CVE-2017-0424].

Information disclosure may occur in the Audioserver component [CVE-2017-0425].

Information disclosure may occur in the Filesystem component [CVE-2017-0426].

Remote code execution may occur in the Qualcomm crypto driver component [CVE-2016-8418].

Privilege escalation may occur in the kernel file system component [CVE-2017-0427].

Privilege escalation may occur in the NVIDIA GPU driver component [CVE-2017-0428, CVE-2017-0429].

Privilege escalation may occur in the kernel networking subsystem component [CVE-2014-9914].

Privilege escalation may occur in the Broadcom Wi-Fi driver component [CVE-2017-0430].

Various errors may occur in Qualcomm components [CVE-2017-0431].

Privilege escalation may occur in the MediaTek driver component [CVE-2017-0432].

Privilege escalation may occur in the Synaptics touchscreen driver component [CVE-2017-0433, CVE-2017-0434].

Privilege escalation may occur in the Qualcomm Secure Execution Environment Communicator driver component [CVE-2016-8480].

Privilege escalation may occur in the Qualcomm sound driver component [CVE-2016-8481, CVE-2017-0435, CVE-2017-0436].

Privilege escalation may occur in the Qualcomm Wi-Fi driver component [CVE-2017-0437, CVE-2017-0438, CVE-2017-0439, CVE-2016-8419, CVE-2016-8420, CVE-2016-8421, CVE-2017-0440, CVE-2017-0441, CVE-2017-0442, CVE-2017-0443, CVE-2016-8476].

Privilege escalation may occur in the Realtek sound driver component [CVE-2017-0444].

Privilege escalation may occur in the HTC touchscreen driver component [CVE-2017-0445, CVE-2017-0446, CVE-2017-0447].

Information disclosure may occur in the NVIDIA video driver component [CVE-2017-0448].

Privilege escalation may occur in the Broadcom Wi-Fi driver component [CVE-2017-0449].

Privilege escalation may occur in the Audioserver component [CVE-2017-0450].

Privilege escalation may occur in the kernel file system component [CVE-2016-10044].

Information disclosure may occur in the Qualcomm Secure Execution Environment Communicator component [CVE-2016-8414].

Information disclosure may occur in the Qualcomm sound driver component [CVE-2017-0451].

Daniel Dakhno, Daniel Micay of Copperhead Security, Dzmitry Lukyanenka, Frank Liberato of Chrome, Gal Beniamini of Project Zero, Gengjia Chen and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd., Guang Gong of Alpha Team, Qihoo 360 Technology Co.Ltd, Hanxiang Wen, Wenke Dou, Mingjian Zhou, and Xuxian Jiang of C0RE Team, Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd., Jeff Sharkey of Google, Jeff Trim,
Jianqiang Zhao and pjf of IceSword Lab, Qihoo 360, Max Spector of Google, Mingjian Zhou, Yuqi Lu, and Xuxian Jiang of C0RE Team, Qidan He and Di Shen of KeenLab, Tencent, Sagi Kedmi of IBM X-Force Research, Scott Bauer and Daniel Micay of Copperhead Security, Seven Shen of Trend Micro Mobile Threat Research Team, Tong Lin, Yuan-Tsung Lo, Chiachih Wu, and Xuxian Jiang of C0RE Team, V.E.O of Mobile Threat Response Team, Trend Micro, Weichao Sun of Alibaba Inc., Wenke Dou, Hongli Han, Mingjian Zhou, and Xuxian Jiang of C0RE Team, Wenke Dou,
Yuqi Lu, Mingjian Zhou, and Xuxian Jiang of C0RE Team, Wish Wu of Ant-financial Light-Year Security Lab, Yao Jun, Yuan-Tsung Lo, Chiachih Wu, and Xuxian Jiang of C0RE Team, Yuan-Tsung Lo, Tong Lin, Chiachih Wu, and Xuxian Jiang of C0RE Team, Yuan-Tsung Lo, Xiaodong Wang, Chiachih Wu, and Xuxian Jiang of C0RE Team, Yuan-Tsung Lo, Chiachih Wu, and Xuxian Jiang of C0RE Team, Zhen Zhou and Zhixin Li of NSFocus, and ma.la and Nikolay Elenkov of LINE Corporation reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A user can cause denial of service conditions.

An application can obtain elevated privileges on the target system.

A user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (2017-02-01 security patch level, 2017-02-05 security patch level).

The vendor advisory is available at:

https://source.android.com/security/bulletin/2017-02-01.html

Vendor URL:  source.android.com/security/bulletin/2017-02-01.html (Links to External Site)
Cause:   Not specified

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC