Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution

ITS Advisory Number: 
2017-073
Date(s) Issued: 
Tuesday, August 8, 2017
Subject: 
Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Systems Affected: 
  • Android OS builds utilizing Security Patch Levels prior to August 5, 2017
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Google Android OS is prone to multiple vulnerabilities, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • An arbitrary code execution vulnerability exist in Framework. (CVE-2017-0712)
  • An arbitrary code execution vulnerability exist in Libraries. (CVE-2017-0713)
  • Multiple arbitrary code execution vulnerabilities exist in Media framework (CVE-2017-0714, CVE-2017-0715, CVE-2017-0716, CVE-2017-0718, CVE-2017-0719, CVE-2017-0720, CVE-2017-0721, CVE-2017-0722, CVE-2017-0723, CVE-2017-0745, CVE-2017-0724, CVE-2017-0725, CVE-2017-0726, CVE-2017-0727, CVE-2017-0728, CVE-2017-0729, CVE-2017-0730, CVE-2017-0731, CVE-2017-0732, CVE-2017-0733, CVE-2017-0734, CVE-2017-0735, CVE-2017-0736, CVE-2017-0737, CVE-2017-0738, CVE-2017-0739)
  • An arbitrary code execution vulnerability in Broadcom components. (CVE-2017-0740)
  • Multiple arbitrary code execution vulnerabilities exist in Kernel components. (CVE-2017-10661, CVE-2017-0750, CVE-2017-10662, CVE-2017-10663, CVE-2017-0749)
  • Multiple arbitrary code execution vulnerabilities exist in MediaTek components. (CVE-2017-0741, CVE-2017-0742)
  • Multiple arbitrary code execution vulnerabilities exist in Qualcomm components. (CVE-2017-0746, CVE-2017-0747, CVE-2017-9678, CVE-2017-9691, CVE-2017-9684, CVE-2017-9682)
  • Multiple unspecified vulnerabilities exist in Google device updates. (CVE-2017-0744, CVE-2017-9679, CVE-2017-9680, CVE-2017-0748, CVE-2017-9681, CVE-2017-9693, CVE-2017-9694, CVE-2017-0751, CVE-2017-9692) 

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Actions: 
  • After appropriate testing, immediately apply appropriate updates provided by Google Android or mobile carriers to vulnerable systems.
  • Remind users to only download apps only from trusted vendors in the Play Store.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources.
References: 

 

Android:

https://source.android.com/security/bulletin/2017-08-01

 

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0712

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0713

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0714

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0715

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0716

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0718

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0719

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0720

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0721

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0722

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0723

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0724

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0725

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0726

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0727

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0728

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0729

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0730

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0731

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0732

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0733

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0734

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0735

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0736

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0737

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0738

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0739

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0740

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0741

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0742

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0744

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0745

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0746

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0747

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0748

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0749

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0750

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0751

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9678

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9679

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9680

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9681

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9682

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9684

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9691

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9692 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9693

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9694

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10661

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10662

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10663