|
|
|
Google Android Multiple Flaws Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code and Let Local Apps Gain Elevated Privileges
|
SecurityTracker Alert ID: 1038623 |
SecurityTracker URL: http://securitytracker.com/id/1038623
|
CVE Reference:
CVE-2014-9953, CVE-2014-9954, CVE-2014-9955, CVE-2014-9956, CVE-2014-9957, CVE-2014-9958, CVE-2014-9959, CVE-2014-9960, CVE-2014-9961, CVE-2014-9962, CVE-2014-9963, CVE-2014-9964, CVE-2014-9965, CVE-2014-9966, CVE-2014-9967, CVE-2015-7995, CVE-2015-8871, CVE-2015-9008, CVE-2015-9009, CVE-2015-9010, CVE-2015-9011, CVE-2015-9012, CVE-2015-9013, CVE-2015-9014, CVE-2015-9015, CVE-2015-9020, CVE-2015-9021, CVE-2015-9022, CVE-2015-9023, CVE-2015-9024, CVE-2015-9025, CVE-2015-9026, CVE-2015-9027, CVE-2015-9028, CVE-2015-9029, CVE-2015-9030, CVE-2015-9031, CVE-2015-9032, CVE-2015-9033, CVE-2016-10298, CVE-2016-10299, CVE-2016-10332, CVE-2016-10333, CVE-2016-10334, CVE-2016-10335, CVE-2016-10336, CVE-2016-10337, CVE-2016-10338, CVE-2016-10339, CVE-2016-10340, CVE-2016-10341, CVE-2016-10342, CVE-2016-1839, CVE-2016-4658, CVE-2016-5131, CVE-2016-5861, CVE-2016-5864, CVE-2016-8332, CVE-2017-0391, CVE-2017-0636, CVE-2017-0637, CVE-2017-0638, CVE-2017-0639, CVE-2017-0640, CVE-2017-0641, CVE-2017-0642, CVE-2017-0643, CVE-2017-0644, CVE-2017-0645, CVE-2017-0646, CVE-2017-0647, CVE-2017-0648, CVE-2017-0649, CVE-2017-0650, CVE-2017-0651, CVE-2017-0663, CVE-2017-5056, CVE-2017-6247, CVE-2017-6248, CVE-2017-6249, CVE-2017-6421, CVE-2017-7364, CVE-2017-7365, CVE-2017-7366, CVE-2017-7367, CVE-2017-7368, CVE-2017-7369, CVE-2017-7370, CVE-2017-7371, CVE-2017-7372, CVE-2017-7373, CVE-2017-7375, CVE-2017-7376, CVE-2017-8233, CVE-2017-8234, CVE-2017-8235, CVE-2017-8236, CVE-2017-8237, CVE-2017-8239, CVE-2017-8240, CVE-2017-8241, CVE-2017-8242
(Links to External Site)
|
Date: Jun 7 2017
|
Impact:
Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via local system, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
Multiple vulnerabilities were reported in Google Android. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. A remote user can obtain potentially sensitive information on the target system.
A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code or cause denial of service conditions on the target system.
A local application can gain elevated privileges on the target system.
A remote user can obtain potentially sensitive information on the target system.
Bluetooth is affected [CVE-2017-0639, CVE-2017-0645, CVE-2017-0646].
Various libraries are affected [CVE-2015-7995, CVE-2015-8871, CVE-2016-1839, CVE-2016-4658, CVE-2016-5131, CVE-2016-8332, CVE-2017-0647, CVE-2017-0663, CVE-2017-5056, CVE-2017-7375, CVE-2017-7376].
Media framework is affected [CVE-2017-0391, CVE-2017-0637, CVE-2017-0640, CVE-2017-0641, CVE-2017-0642, CVE-2017-0643, CVE-2017-0644].
System UI is affected [CVE-2017-0638].
Kernel components are affected [CVE-2017-0648, CVE-2017-0651].
MediaTek components are CVE-2015-7995 [CVE-2017-0636, CVE-2017-0649].
NVIDIA components are CVE-2015-7995 [CVE-2017-6247, CVE-2017-6248].
Qualcomm components are CVE-2015-7995 [CVE-2016-5861, CVE-2016-5864, CVE-2017-6421, CVE-2017-7364, CVE-2017-7365, CVE-2017-7366, CVE-2017-7367, CVE-2017-7368, CVE-2017-7369, CVE-2017-7370, CVE-2017-7371, CVE-2017-7372, CVE-2017-7373, CVE-2017-8233, CVE-2017-8234, CVE-2017-8235, CVE-2017-8236, CVE-2017-8237, CVE-2017-8239, CVE-2017-8240, CVE-2017-8241, CVE-2017-8242].
Synaptics components are CVE-2015-7995 [CVE-2017-0650].
Ecular Xu of Trend Micro, En He (@heeeeen4x) and Bo Liu of MS509Team, Gengjia Chen (@chengjia4574) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd., Godzheng (@VirtualSeekers) of Tencent PC Manager,
Jake Corina and Nick Stephens of Shellphish Grill Team, Jianqiang Zhao (@jianqiangzhao) of IceSword Lab, Qihoo 360, Lubo Zhang (zlbzlb815@163.com), Yuan-Tsung Lo (computernik@gmail.com), and Xuxian Jiang of C0RE Team, Nathan Crandall (@natecray) of Tesla's Product Security Team, Omer Shwartz, Amir Cohen, Dr. Asaf Shabtai, and Dr. Yossi Oren of Ben Gurion University Cyber Lab, Roee Hay (@roeehay) of Aleph Research, HCL Technologies, sevenshen (@lingtongshen) of TrendMicro, Vasily Vasiliev, V.E.O (@VYSEa) of Mobile Threat Response Team, Trend Micro, Xiling Gong of Tencent Security Platform Department, Yangkang (@dnpushme) and Liyadong of Qex Team, Qihoo 360, Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd, and Zubin Mithra of Google reported these vulnerabilities.
|
Impact:
A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code or cause denial of service conditions on the target system.
A local application can gain elevated privileges on the target system.
A remote user can obtain potentially sensitive information on the target system.
|
Solution:
The vendor has issued a fix (security patch levels 2017-06-01 and 2017-06-05).
The vendor advisory is available at:
https://source.android.com/security/bulletin/2017-06-01
|
Vendor URL: source.android.com/security/bulletin/2017-06-01 (Links to External Site)
|
Cause:
Access control error, Boundary error, Input validation error
|
|
Message History:
None.
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|
Go to the Top of This SecurityTracker Archive Page
|