SB2018010101 - Multiple vulnerabilities in Google Android
Published: January 1, 2018
Description
This security bulletin contains information about 21 vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2017-13183)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to insufficient privilege controls. A local attacker can use a specially crafted application, trigger an error in the Media framework component, gain system privileges and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
2) Remote code execution (CVE-ID: CVE-2017-13208)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in System components. A remote attacker can send a specially crafted file and execute arbitrary code with elevated privileges.
3) Privilege escalation (CVE-ID: CVE-2017-13210)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in System components. A remote attacker can gain system privileges and perform further attacks.
4) Privilege escalation (CVE-ID: CVE-2017-13209)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in System components. A remote attacker can gain system privileges and perform further attacks.
5) Denial of service (CVE-ID: CVE-2017-13211)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in System components and cause the service to crash.
6) Denial of service (CVE-ID: CVE-2017-13199)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
7) Denial of service (CVE-ID: CVE-2017-13197)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
8) Denial of service (CVE-ID: CVE-2017-13196)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
9) Denial of service (CVE-ID: CVE-2017-13195)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
10) Denial of service (CVE-ID: CVE-2017-13193)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
11) Denial of service (CVE-ID: CVE-2017-13192)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
12) Denial of service (CVE-ID: CVE-2017-13191)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
13) Denial of service (CVE-ID: CVE-2017-0855)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted file, trigger an error in the Media framework component and cause the service to crash.
14) Privilege escalation (CVE-ID: CVE-2017-13184)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Media framework component. A remote attacker can gain system privileges and perform further attacks.
15) Privilege escalation (CVE-ID: CVE-2017-13182)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Media framework component. A remote attacker can gain system privileges and perform further attacks.
16) Privilege escalation (CVE-ID: CVE-2017-13181)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Media framework component. A remote attacker can gain system privileges and perform further attacks.
17) Privilege escalation (CVE-ID: CVE-2017-13180)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Media framework component. A remote attacker can gain system privileges and perform further attacks.
18) Remote code execution (CVE-ID: CVE-2017-13179)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Media framework component. A remote attacker can send a specially crafted file and execute arbitrary code with elevated privileges.
19) Remote code execution (CVE-ID: CVE-2017-13178)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Media framework component. A remote attacker can send a specially crafted file and execute arbitrary code with elevated privileges.
20) Remote code execution (CVE-ID: CVE-2017-13177)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Media framework component. A remote attacker can send a specially crafted file and execute arbitrary code with elevated privileges.
21) Privilege escalation (CVE-ID: CVE-2017-13176)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to an error in the Android runtime component. A remote attacker can gain system privileges and perform further attacks.
Remediation
Install the update from the vendor's website.