Google releases March 2017 Android Security Bulletin and Google Device Images


Google has released the March 2017 Android Security Bulletin. Partners have had access to the warnings in this month’s bulletin since February 06, 2017 or earlier.

The March bulletin has two security patch levels to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices.

  • 2017-03-01: Partial security patch level string. This security patch level string indicates that all issues associated with 2017-03-01 (and all previous security patch level strings) are addressed.
  • 2017-03-05: Complete security patch level string. This security patch level string indicates that all issues associated with 2017-03-01 and 2017-03-05 (and all previous security patch level strings) are addressed.

Supported Google devices will receive a single OTA update with the March 05, 2017 security patch level.
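As an added example (not code from the bulletin or from Google), the following Python applies the patch level rule described above to a device inventory. The device names, the sample values and the status labels are constructed for illustration; the input string is the value Android reports in the `ro.build.version.security_patch` system property.

```python
from datetime import date

# Patch levels defined by the March 2017 bulletin, as stated in the article.
PARTIAL = date(2017, 3, 1)    # 2017-03-01 issues (and all earlier levels) fixed
COMPLETE = date(2017, 3, 5)   # 2017-03-01 and 2017-03-05 issues fixed

def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level string; return None if malformed."""
    try:
        year, month, day = value.strip().split("-")
        if (len(year), len(month), len(day)) != (4, 2, 2):
            return None
        return date(int(year), int(month), int(day))
    except ValueError:
        # Wrong number of fields, non-numeric parts, or an impossible date.
        return None

def classify(value):
    """Map a patch level string to a status label (labels are assumptions)."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"      # treat as unverified, not as patched
    if level >= COMPLETE:
        return "complete"     # all March 2017 issues addressed
    if level >= PARTIAL:
        return "partial"      # 2017-03-05 issues still open
    return "outdated"         # no March 2017 issues addressed

def triage(inventory):
    """Group device names by status for a {device: patch_level} mapping."""
    report = {"complete": [], "partial": [], "outdated": [], "unknown": []}
    for device, value in inventory.items():
        report[classify(value)].append(device)
    return report

# Constructed sample inventory (hypothetical device names).
SAMPLE = {
    "pixel-lab-01": "2017-03-05",
    "nexus-qa-07": "2017-03-01",
    "tablet-kiosk-3": "2017-02-05",
    "oem-phone-12": "2017-04-01",
    "legacy-unit-9": "",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE).items():
        print(status, sorted(devices))
```

Devices reported as "partial" still need the kernel and driver fixes listed under the 2017-03-05 level, and "unknown" entries should be checked by hand.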


The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

Alongside the bulletin, Google has released a security update to Google devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer site. Security patch levels of March 05, 2017 or later address all of these issues.

The tables below contain a list of security vulnerabilities, the Common Vulnerabilities and Exposures ID (CVE), the assessed severity, and whether or not Google devices are affected. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or are successfully bypassed.

Security patch levels of 2017-03-01 or later must address the following issues.

| Issue | CVE | Severity | Affects Google devices? |
|---|---|---|---|
| Remote code execution vulnerability in OpenSSL & BoringSSL | CVE-2016-2182 | Critical | Yes |
| Remote code execution vulnerability in Mediaserver | CVE-2017-0466, CVE-2017-0467, CVE-2017-0468, CVE-2017-0469, CVE-2017-0470, CVE-2017-0471, CVE-2017-0472, CVE-2017-0473, CVE-2017-0474 | Critical | Yes |
| Elevation of privilege vulnerability in recovery verifier | CVE-2017-0475 | Critical | Yes |
| Remote code execution vulnerability in AOSP Messaging | CVE-2017-0476 | High | Yes |
| Remote code execution vulnerability in libgdx | CVE-2017-0477 | High | Yes |
| Remote code execution vulnerability in Framesequence library | CVE-2017-0478 | High | Yes |
| Elevation of privilege vulnerability in Audioserver | CVE-2017-0479, CVE-2017-0480 | High | Yes |
| Elevation of privilege vulnerability in NFC | CVE-2017-0481 | High | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2017-0482, CVE-2017-0483, CVE-2017-0484, CVE-2017-0485, CVE-2017-0486, CVE-2017-0487, CVE-2017-0488 | High | Yes |
| Update: Denial of service vulnerability in Mediaserver | CVE-2017-0390 | High | Yes |
| Update: Denial of service vulnerability in Mediaserver | CVE-2017-0392 | High | Yes |
| Elevation of privilege vulnerability in Location Manager | CVE-2017-0489 | Moderate | Yes |
| Elevation of privilege vulnerability in Wi-Fi | CVE-2017-0490 | Moderate | Yes |
| Elevation of privilege vulnerability in Package Manager | CVE-2017-0491 | Moderate | Yes |
| Elevation of privilege vulnerability in System UI | CVE-2017-0492 | Moderate | Yes |
| Information disclosure vulnerability in AOSP Messaging | CVE-2017-0494 | Moderate | Yes |
| Information disclosure vulnerability in Mediaserver | CVE-2017-0495 | Moderate | Yes |
| Denial of service vulnerability in Setup Wizard | CVE-2017-0496 | Moderate | Yes |
| Denial of service vulnerability in Mediaserver | CVE-2017-0497 | Moderate | Yes |
| Denial of service vulnerability in Setup Wizard | CVE-2017-0498 | Moderate | No* |
| Denial of service vulnerability in Audioserver | CVE-2017-0499 | Low | Yes |

Security patch levels of 2017-03-05 or later must address all of the 2017-01-01 issues, as well as the following issues.

| Issue | CVE | Severity | Affects Google devices? |
|---|---|---|---|
| Elevation of privilege vulnerability in MediaTek components | CVE-2017-0500, CVE-2017-0501, CVE-2017-0502, CVE-2017-0503, CVE-2017-0504, CVE-2017-0505, CVE-2017-0506 | Critical | No* |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0337, CVE-2017-0338, CVE-2017-0333, CVE-2017-0306, CVE-2017-0335 | Critical | Yes |
| Elevation of privilege vulnerability in kernel ION subsystem | CVE-2017-0507, CVE-2017-0508 | Critical | Yes |
| Elevation of privilege vulnerability in Broadcom Wi-Fi driver | CVE-2017-0509 | Critical | No* |
| Elevation of privilege vulnerability in kernel FIQ debugger | CVE-2017-0510 | Critical | Yes |
| Elevation of privilege vulnerability in Qualcomm GPU driver | CVE-2016-8479 | Critical | Yes |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2016-9806, CVE-2016-10200 | Critical | Yes |
| Vulnerabilities in Qualcomm components | CVE-2016-8484, CVE-2016-8485, CVE-2016-8486, CVE-2016-8487, CVE-2016-8488 | Critical | No* |
| Elevation of privilege vulnerability in kernel networking subsystem | CVE-2016-8655, CVE-2016-9793 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm input hardware driver | CVE-2017-0516 | High | Yes |
| Elevation of privilege vulnerability in MediaTek Hardware Sensor Driver | CVE-2017-0517 | High | No* |
| Elevation of privilege vulnerability in Qualcomm ADSPRPC driver | CVE-2017-0457 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm fingerprint sensor driver | CVE-2017-0518, CVE-2017-0519 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm crypto engine driver | CVE-2017-0520 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver | CVE-2017-0458, CVE-2017-0521 | High | Yes |
| Elevation of privilege vulnerability in MediaTek APK | CVE-2017-0522 | High | No* |
| Elevation of privilege vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0464, CVE-2017-0453, CVE-2017-0523 | High | Yes |
| Elevation of privilege vulnerability in Synaptics touchscreen driver | CVE-2017-0524 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm IPA driver | CVE-2017-0456, CVE-2017-0525 | High | Yes |
| Elevation of privilege vulnerability in HTC Sensor Hub Driver | CVE-2017-0526, CVE-2017-0527 | High | Yes |
| Elevation of privilege vulnerability in NVIDIA GPU driver | CVE-2017-0307 | High | No* |
| Elevation of privilege vulnerability in Qualcomm networking driver | CVE-2017-0463, CVE-2017-0460 | High | Yes |
| Elevation of privilege vulnerability in kernel security subsystem | CVE-2017-0528 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm SPCom driver | CVE-2016-5856, CVE-2016-5857 | High | No* |
| Information disclosure vulnerability in kernel networking subsystem | CVE-2014-8709 | High | Yes |
| Information disclosure vulnerability in MediaTek driver | CVE-2017-0529 | High | No* |
| Information disclosure vulnerability in Qualcomm bootloader | CVE-2017-0455 | High | Yes |
| Information disclosure vulnerability in Qualcomm power driver | CVE-2016-8483 | High | Yes |
| Information disclosure vulnerability in NVIDIA GPU driver | CVE-2017-0334, CVE-2017-0336 | High | Yes |
| Denial of service vulnerability in kernel cryptographic subsystem | CVE-2016-8650 | High | Yes |
| Elevation of privilege vulnerability in Qualcomm camera driver (device specific) | CVE-2016-8417 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm Wi-Fi driver | CVE-2017-0461, CVE-2017-0459, CVE-2017-0531 | Moderate | Yes |
| Information disclosure vulnerability in MediaTek video codec driver | CVE-2017-0532 | Moderate | No* |
| Information disclosure vulnerability in Qualcomm video driver | CVE-2017-0533, CVE-2017-0534, CVE-2016-8416, CVE-2016-8478 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm camera driver | CVE-2016-8413, CVE-2016-8477 | Moderate | Yes |
| Information disclosure vulnerability in HTC sound codec driver | CVE-2017-0535 | Moderate | Yes |
| Information disclosure vulnerability in Synaptics touchscreen driver | CVE-2017-0536 | Moderate | Yes |
| Information disclosure vulnerability in kernel USB gadget driver | CVE-2017-0537 | Moderate | Yes |
| Information disclosure vulnerability in Qualcomm camera driver | CVE-2017-0452 | Low | Yes |

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections, such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.

Full details of the March 2017 Android Security Bulletin are available here.