TTCSIRT-096.030718: TT-CSIRT Advisory – Android Security Updates
Google has reported that multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for arbitrary code execution within the context of a privileged process.
Details of these vulnerabilities are as follows:
a) Multiple elevation of privilege vulnerabilities in Kernel components – (CVE-2017-16525, CVE-2017-16530)
b) Multiple information disclosure vulnerabilities in Kernel components – (CVE-2017-16529, CVE-2017-16531, CVE-2017-16533, CVE-2017-16535)
c) Multiple arbitrary code vulnerabilities in Media framework – (CVE-2017-13248, CVE-2017-13249, CVE-2017-13250)
d) Multiple elevation of privilege vulnerabilities in Media framework – (CVE-2017-13251, CVE-2017-13252, CVE-2017-13253)
e) Multiple elevation of privilege vulnerabilities in NVIDIA components – (CVE-2017-6281, CVE-2017-6286)
f) A vulnerability in Qualcomm closed-source components – (CVE-2017-17773, CVE-2016-10393)
g) A denial of service vulnerability in Qualcomm components – (CVE-2017-14878)
h) Multiple information disclosure vulnerabilities in Qualcomm components – (CVE-2017-14882, CVE-2017-18069)
i) Multiple elevation of privilege vulnerabilities in Qualcomm components – (CVE-2017-14885, CVE-2017-15821, CVE-2017-18056, CVE-2017-18063, CVE-2017-18064, CVE-2017-18068)
j) Multiple arbitrary code vulnerabilities in Qualcomm components – (CVE-2017-15815, CVE-2017-18067)
k) Multiple arbitrary code vulnerabilities in System – (CVE-2017-13255, CVE-2017-13256, CVE-2017-13266, CVE-2017-13272)
l) Multiple information disclosure vulnerabilities in System – (CVE-2017-13257, CVE-2017-13258, CVE-2017-13259, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262)
These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files.
Further information on these vulnerabilities and how they can be mitigated can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-arbitrary-code-execution_2018-024/ |