SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (Other)  >   Google Android Vendors:   Google
Android Multiple Flaws Let Users Deny Service, Obtain Potentially Sensitive Information, and Gain Elevated Privileges and Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1037968
SecurityTracker URL:  http://securitytracker.com/id/1037968
CVE Reference:   CVE-2014-8709, CVE-2016-10200, CVE-2016-2182, CVE-2016-5856, CVE-2016-5857, CVE-2016-8413, CVE-2016-8416, CVE-2016-8417, CVE-2016-8477, CVE-2016-8478, CVE-2016-8479, CVE-2016-8483, CVE-2016-8484, CVE-2016-8485, CVE-2016-8486, CVE-2016-8487, CVE-2016-8488, CVE-2016-8650, CVE-2016-8655, CVE-2016-9793, CVE-2016-9806, CVE-2017-0306, CVE-2017-0307, CVE-2017-0333, CVE-2017-0334, CVE-2017-0335, CVE-2017-0336, CVE-2017-0337, CVE-2017-0338, CVE-2017-0452, CVE-2017-0453, CVE-2017-0455, CVE-2017-0456, CVE-2017-0457, CVE-2017-0458, CVE-2017-0459, CVE-2017-0460, CVE-2017-0461, CVE-2017-0463, CVE-2017-0464, CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469, CVE-2017-0470, CVE-2017-0471, CVE-2017-0472, CVE-2017-0473, CVE-2017-0474, CVE-2017-0475, CVE-2017-0476, CVE-2017-0477, CVE-2017-0478, CVE-2017-0479, CVE-2017-0480, CVE-2017-0481, CVE-2017-0482, CVE-2017-0483, CVE-2017-0484, CVE-2017-0485, CVE-2017-0486, CVE-2017-0487, CVE-2017-0488, CVE-2017-0489, CVE-2017-0490, CVE-2017-0491, CVE-2017-0492, CVE-2017-0494, CVE-2017-0495, CVE-2017-0496, CVE-2017-0497, CVE-2017-0498, CVE-2017-0499, CVE-2017-0500, CVE-2017-0501, CVE-2017-0502, CVE-2017-0503, CVE-2017-0504, CVE-2017-0505, CVE-2017-0506, CVE-2017-0507, CVE-2017-0508, CVE-2017-0509, CVE-2017-0510, CVE-2017-0516, CVE-2017-0517, CVE-2017-0518, CVE-2017-0519, CVE-2017-0520, CVE-2017-0521, CVE-2017-0522, CVE-2017-0523, CVE-2017-0524, CVE-2017-0525, CVE-2017-0526, CVE-2017-0527, CVE-2017-0528, CVE-2017-0529, CVE-2017-0531, CVE-2017-0532, CVE-2017-0533, CVE-2017-0534, CVE-2017-0535, CVE-2017-0536, CVE-2017-0537   (Links to External Site)
Date:  Mar 8 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Android. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions on the target system. A remote user can gain elevated privileges. A remote user can obtain potentially sensitive information on the target system.

Remote code execution may occur in the OpenSSL and BoringSSL components [CVE-2016-2182].

Remote code execution may occur in the Mediaserver component [CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469, CVE-2017-0470, CVE-2017-0471, CVE-2017-0472, CVE-2017-0473, CVE-2017-0474].

Privilege escalation may occur in the recovery verifier component [CVE-2017-0475].

Remote code execution may occur in the AOSP Messaging component [CVE-2017-0476].

Remote code execution may occur in the libgdx component [CVE-2017-0477].

Remote code execution may occur in the Framesequence library component [CVE-2017-0478].

Privilege escalation may occur in the NFC component [CVE-2017-0481].

Privilege escalation may occur in the Audioserver component [CVE-2017-0479, CVE-2017-0480].

Denial of service conditions may occur in the Mediaserver component [CVE-2017-0482, CVE-2017-0483, CVE-2017-0484, CVE-2017-0485, CVE-2017-0486, CVE-2017-0487, CVE-2017-0488].

Privilege escalation may occur in the Location Manager component [CVE-2017-0489].

Privilege escalation may occur in the Wi-Fi component [CVE-2017-0490].

Privilege escalation may occur in the Package Manager component [CVE-2017-0491].

Privilege escalation may occur in the System UI component [CVE-2017-0492].

Information disclosure may occur in the AOSP Messaging component [CVE-2017-0494].

Information disclosure may occur in the Mediaserver component [CVE-2017-0495].

Denial of service conditions may occur in the Setup Wizard component [CVE-2017-0496].

Denial of service conditions may occur in the Mediaserver component [CVE-2017-0497].

Denial of service conditions may occur in the Setup Wizard component [CVE-2017-0498].

Denial of service conditions may occur in the Audioserver component [CVE-2017-0499].

Privilege escalation may occur in the MediaTek components component [CVE-2017-0500, CVE-2017-0501, CVE-2017-0502, CVE-2017-0503, CVE-2017-0504, CVE-2017-0505, CVE-2017-0506].

Privilege escalation may occur in the NVIDIA GPU driver component [CVE-2017-0337, CVE-2017-0338, CVE-2017-0333, CVE-2017-0306, CVE-2017-0335].

Privilege escalation may occur in the kernel ION subsystem component [CVE-2017-0507, CVE-2017-0508].

Privilege escalation may occur in the Broadcom Wi-Fi driver component [CVE-2017-0509].

Privilege escalation may occur in the kernel FIQ debugger component [CVE-2017-0510].

Privilege escalation may occur in the Qualcomm GPU driver component [CVE-2016-8479].

Privilege escalation may occur in the kernel networking subsystem component [CVE-2016-9806, CVE-2016-10200].

Vulnerabilities may occur in Qualcomm components [CVE-2016-8484, CVE-2016-8485, CVE-2016-8486, CVE-2016-8487, CVE-2016-8488].

Privilege escalation may occur in the kernel networking subsystem component [CVE-2016-8655, CVE-2016-9793].

Privilege escalation may occur in the Qualcomm input hardware driver component [CVE-2017-0516].

Privilege escalation may occur in the MediaTek Hardware Sensor Driver component [CVE-2017-0517].

Privilege escalation may occur in the Qualcomm ADSPRPC driver component [CVE-2017-0457].

Privilege escalation may occur in the Qualcomm fingerprint sensor driver component [CVE-2017-0518, CVE-2017-0519].

Privilege escalation may occur in the Qualcomm crypto engine driver component [CVE-2017-0520].

Privilege escalation may occur in the Qualcomm camera driver component [CVE-2017-0458, CVE-2017-0521].

Privilege escalation may occur in the MediaTek APK component [CVE-2017-0522].

Privilege escalation may occur in the Qualcomm Wi-Fi driver component [CVE-2017-0464, CVE-2017-0453, CVE-2017-0523].

Privilege escalation may occur in the Synaptics touchscreen driver component [CVE-2017-0524].

Privilege escalation may occur in the Qualcomm IPA driver component [CVE-2017-0456, CVE-2017-0525].

Privilege escalation may occur in the HTC Sensor Hub Driver component [CVE-2017-0526, CVE-2017-0527].

Privilege escalation may occur in the NVIDIA GPU driver component [CVE-2017-0307].

Privilege escalation may occur in the Qualcomm networking driver component [CVE-2017-0463, CVE-2017-0460].

Privilege escalation may occur in the kernel security subsystem component [CVE-2017-0528].

Privilege escalation may occur in the Qualcomm SPCom driver component [CVE-2016-5856, CVE-2016-5857].

Information disclosure may occur in the kernel networking subsystem component [CVE-2014-8709].

Information disclosure may occur in the MediaTek driver component [CVE-2017-0529].

Information disclosure may occur in the Qualcomm bootloader component [CVE-2017-0455].

Information disclosure may occur in the Qualcomm power driver component [CVE-2016-8483].

Information disclosure may occur in the NVIDIA GPU driver component [CVE-2017-0334, CVE-2017-0336].

Denial of service conditions may occur in the kernel cryptographic subsystem component [CVE-2016-8650].

Privilege escalation may occur in the Qualcomm camera driver (device specific) component [CVE-2016-8417].

Information disclosure may occur in the Qualcomm Wi-Fi driver component [CVE-2017-0461, CVE-2017-0459, CVE-2017-0531].

Information disclosure may occur in the MediaTek video codec driver component [CVE-2017-0532].

Information disclosure may occur in the Qualcomm video driver component [CVE-2017-0533, CVE-2017-0534, CVE-2016-8416, CVE-2016-8478].

Information disclosure may occur in the Qualcomm camera driver component [CVE-2016-8413, CVE-2016-8477].

Information disclosure may occur in the HTC sound codec driver component [CVE-2017-0535].

Information disclosure may occur in the Synaptics touchscreen driver component [CVE-2017-0536].

Information disclosure may occur in the kernel USB gadget driver component [CVE-2017-0537].

Information disclosure may occur in the Qualcomm camera driver component [CVE-2017-0452].

Alexander Potapenko of Google Dynamic Tools team, Baozeng Ding, Ning You, Chengming Yang, Peng Xiao, and Yang Song of Alibaba Mobile Security Group, Billy Lau of Android Security, Di Shen of KeenLab, Tencent, En He and Bo Liu of MS509Team, Gengjia Chen and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd., Hao Chen and Guang Gong of Alpha Team, Qihoo 360 Technology Co. Ltd., Hiroki Yamamoto and Fang Chen of Sony Mobile Communications Inc., IBM Security X-Force Researchers Sagi Kedmi and Roee Hay,
Jianjun Dai of Qihoo 360 Skyeye Labs, Jianqiang Zhao and pjf of IceSword Lab, Qihoo 360, Lubo Zhang, Tong Lin, Yuan-Tsung Lo, and Xuxian Jiang of C0RE Team, Makoto Onuki of Google, Mingjian Zhou, and Hanxiang Wen of C0RE Team, Nathan Crandall, Nathan Crandall of Tesla Motors Product Security Team, Pengfei Ding, Chenfu Bao, Lenx Wei of Baidu X-Lab, Qidan He of KeenLab, Tencent, Qing Zhang of Qihoo 360 and Guangdong Bai of Singapore Institute of Technology, Quhe and wanchouchou of Ant-financial Light-Year Security Lab, Sahara of Secure Communications in DarkMatter, Scott Bauer,
Sean Beaupre, Seven Shen of Trend Micro, Shinichi Matsumoto of Fujitsu, Stephane Marques of ByteRev, Svetoslav Ganov of Google, V.E.O of Mobile Threat Response Team, Trend Micro, Wish Wu of Ant-financial Light-Year Security Lab, Yu Pan of Vulpecker Team, Qihoo 360 Technology Co. Ltd, Yuqi Lu, Wenke Dou, and Dacheng Shao of C0RE Team, derrek, Scott Bauer, and salls of Shellphish Grill Team, UC Santa Barbara, reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause denial of service conditions.

A remote user can gain elevated privileges on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (patch level 2017-03-01, patch level 2017-03-05).

The vendor advisory is available at:

https://source.android.com/security/bulletin/2017-03-01.html

Vendor URL:  source.android.com/security/bulletin/2017-03-01.html (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error, State error

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC