Android Security Patch – September 2017 Update

admin
admin

Google notes it has been split in two, with 30 specific issues fixed in the September 1 dated patch, with 51 more bugs resolved in the September 5 patch.  The most critical bug was with an issue that could “enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process” on an Android device. The most severe of all issues patched included a critical vulnerability in the media framework. The newest security update patches 81 CVEs and vulnerabilities.

Thirteen of these are critical vulnerabilities coming from the Media framework, Wi-Fi driver (Broadcom components), networking subsystem (Kernel components), and LibOmxVenc (Qualcomm components). Most, if not all, of these vulnerabilities, allowed remote attacks which executed arbitrary code within the context of a privileged process. We also have around 43 high-severity vulnerabilities coming from all sectors except for the Android system itself. And the 25 remaining vulnerabilities are of moderate severity.

  • 2017-09-05: Complete security patch level string. This security patch level string indicates that all issues associated with 2017-09-01 and 2017-09-05 (and all previous security patch level strings) are addressed.

2017-09-05 security patch level—Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2017-09-05 patch level. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerabilityseverity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

Broadcom components

The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-7065 A-62575138*
B-V2017061202
RCE Critical Wi-Fi driver
CVE-2017-0786 A-37351060*
B-V2017060101
EoP High Wi-Fi driver
CVE-2017-0787 A-37722970*
B-V2017053104
EoP Moderate Wi-Fi driver
CVE-2017-0788 A-37722328*
B-V2017053103
EoP Moderate Wi-Fi driver
CVE-2017-0789 A-37685267*
B-V2017053102
EoP Moderate Wi-Fi driver
CVE-2017-0790 A-37357704*
B-V2017053101
EoP Moderate Wi-Fi driver
CVE-2017-0791 A-37306719*
B-V2017052302
EoP Moderate Wi-Fi driver
CVE-2017-0792 A-37305578*
B-V2017052301
ID Moderate Wi-Fi driver

Imgtk components

The most severe vulnerability in this section could enable a local malicious application to access data outside of its permission levels.

CVE References Type Severity Component
CVE-2017-0793 A-35764946* ID High Memory subsystem

Kernel components

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-8890 A-38413975
Upstream kernel
RCE Critical Networking subsystem
CVE-2017-9076 A-62299478
Upstream kernel
EoP High Networking subsystem
CVE-2017-9150 A-62199770
Upstream kernel
ID High Linux kernel
CVE-2017-7487 A-62070688
Upstream kernel
EoP High IPX protocol driver
CVE-2017-6214 A-37901268
Upstream kernel
DoS High Networking subsystem
CVE-2017-6346 A-37897645
Upstream kernel
EoP High Linux kernel
CVE-2017-5897 A-37871211
Upstream kernel
ID High Networking subsystem
CVE-2017-7495 A-62198330
Upstream kernel
ID High File system
CVE-2017-7616 A-37751399
Upstream kernel
ID Moderate Linux kernel
CVE-2017-12146 A-35676417
Upstream kernel
EoP Moderate Linux kernel
CVE-2017-0794 A-35644812* EoP Moderate SCSI driver

MediaTek components

The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-0795 A-36198473*
M-ALPS03361480
EoP High Accessory detector driver
CVE-2017-0796 A-62458865*
M-ALPS03353884
M-ALPS03353886
M-ALPS03353887
EoP High AUXADC driver
CVE-2017-0797 A-62459766*
M-ALPS03353854
EoP High Accessory detector driver
CVE-2017-0798 A-36100671*
M-ALPS03365532
EoP High Kernel
CVE-2017-0799 A-36731602*
M-ALPS03342072
EoP High Lastbus
CVE-2017-0800 A-37683975*
M-ALPS03302988
EoP High TEEI
CVE-2017-0801 A-38447970*
M-ALPS03337980
EoP High LibMtkOmxVdec
CVE-2017-0802 A-36232120*
M-ALPS03384818
EoP Moderate Kernel
CVE-2017-0803 A-36136137*
M-ALPS03361477
EoP Moderate Accessory detector driver
CVE-2017-0804 A-36274676*
M-ALPS03361487
EoP Moderate MMC driver

Qualcomm components

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

CVE References Type Severity Component
CVE-2017-11041 A-36130225*
QC-CR#2053101
RCE Critical LibOmxVenc
CVE-2017-10996 A-38198574
QC-CR#901529
ID High Linux kernel
CVE-2017-9725 A-38195738
QC-CR#896659
EoP High Memory subsystem
CVE-2017-9724 A-38196929
QC-CR#863303
EoP High Linux kernel
CVE-2017-8278 A-62379474
QC-CR#2013236
EoP High Audio driver
CVE-2017-10999 A-36490777*
QC-CR#2010713
EoP Moderate IPA driver
CVE-2017-11001 A-36815555*
QC-CR#270292
ID Moderate Wi-Fi driver
CVE-2017-11002 A-37712167*
QC-CR#2058452 QC-CR#2054690 QC-CR#2058455
ID Moderate Wi-Fi driver
CVE-2017-8250 A-62379051
QC-CR#2003924
EoP Moderate GPU driver
CVE-2017-9677 A-62379475
QC-CR#2022953
EoP Moderate Audio driver
CVE-2017-10998 A-38195131
QC-CR#108461
EoP Moderate Audio driver
CVE-2017-9676 A-62378596
QC-CR#2016517
ID Moderate File system
CVE-2017-8280 A-62377236
QC-CR#2015858
EoP Moderate WLAN driver
CVE-2017-8251 A-62379525
QC-CR#2006015
EoP Moderate Camera driver
CVE-2017-10997 A-33039685*
QC-CR#1103077
EoP Moderate PCI driver
CVE-2017-11000 A-36136563*
QC-CR#2031677
EoP Moderate Camera driver
CVE-2017-8247 A-62378684
QC-CR#2023513
EoP Moderate Camera driver
CVE-2017-9720 A-36264696*
QC-CR#2041066
EoP Moderate Camera driver
CVE-2017-8277 A-62378788
QC-CR#2009047
EoP Moderate Video driver
CVE-2017-8281 A-62378232
QC-CR#2015892
ID Moderate Automotive multimedia
CVE-2017-11040 A-37567102*
QC-CR#2038166
ID Moderate Video driver

Google device updates

This table contains the security patch level in the latest over-the-air update (OTA) and firmware images for Google devices. The Google device OTAs may also contain additional updates. The Google device firmware images are available on the Google Developer site.

Google device Security patch level
Pixel / Pixel XL 2017-09-05
Nexus 5X 2017-09-05
Nexus 6 2017-09-05
Nexus 6P 2017-09-05
Nexus 9 2017-09-05
Nexus Player 2017-09-05
Pixel C 2017-09-05

Share this Article
Leave a comment

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.