Pierluigi Paganini
November 08, 2017
Google released the Android Security Bulletin—November 2017 that address 31 vulnerabilities, 9 of which are critical remote code execution flaws.
The Android Security Bulletin includes three different security patch levels.
“Android partners were notified of all issues in the 2017-11-01 and 2017-11-05 patch levels at least a month before publication. Android partners were notified of all issues in the 2017-11-06 patch level within the last month. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.” states the Android Security Bulletin—November 2017.
The 2017-11-01 security patch level addresses 11 issues, 6 of which are Critical RCE, 3 High severity elevation of privilege bugs, and 2 High severity information disclosure vulnerabilities.
The largest number of vulnerabilities affects the Media framework, the security patchers addressed 7 issues.
| CVE | References | Type | Severity | Updated AOSP versions |
|---|---|---|---|---|
| CVE-2017-0832 | A-62887820 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 |
| CVE-2017-0833 | A-62896384 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 |
| CVE-2017-0834 | A-63125953 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 |
| CVE-2017-0835 | A-63316832 | RCE | Critical | 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 |
| CVE-2017-0836 | A-64893226 | RCE | Critical | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 |
| CVE-2017-0839 | A-64478003 | ID | High | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 |
| CVE-2017-0840 | A-62948670 | ID | High | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0 |
The 2017-11-05 security patch level addressed 11 vulnerabilities, including 3 Critical RCE vulnerabilities, 7 High risk elevation of privilege bugs, and 1 High severity information disclosure. Qualcomm components were most impacted, the bulletin addressed 7 issues, one of the vulnerabilities could be exploited by a remote attacker to execute arbitrary code within the context of a privileged process.
| CVE | References | Type | Severity | Component |
|---|---|---|---|---|
| CVE-2017-11013 | A-64453535 QC-CR#2058261 [2] |
RCE | Critical | WLAN |
| CVE-2017-11015 | A-64438728 QC-CR#2060959 [2] |
RCE | Critical | WLAN |
| CVE-2017-11014 | A-64438727 QC-CR#2060959 |
RCE | Critical | WLAN |
| CVE-2017-11092 | A-62949902* QC-CR#2077454 |
EoP | High | GPU driver |
| CVE-2017-9690 | A-36575870* QC-CR#2045285 |
EoP | High | QBT1000 driver |
| CVE-2017-11017 | A-64453575 QC-CR#2055629 |
EoP | High | Linux boot |
| CVE-2017-11028 | A-64453533 QC-CR#2008683 [2] |
ID | High | Camera |
The 2017-11-06 security patch level addresses 9 vulnerabilities related to the KRACK attack.
Starting in October 2017, Google began releasing a separate security bulletin for Nexus and Pixel devices.
The Pixel / Nexus Security Bulletin—November 2017 includes patches for over 50 bugs affecting components such as Framework, Media framework, Runtime, System, and Kernel, MediaTek, NVIDIA, and Qualcomm components.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Android, Android Security Bulletin—November 2017)
[adrotate banner=”5″]
[adrotate banner=”13″]
