#VU39839 Input validation error in Google Android - CVE-2017-0393

Cybersecurity Help s.r.o.

Published: 2017-01-12 | Updated: 2020-08-09

Vulnerability identifier: #VU39839

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-0393

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Google Android
Operating systems & Components / Operating system

Vendor: Google

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A denial of service vulnerability in libvpx in Mediaserver could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1. Android ID: A-30436808.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Google Android: 4.0 - 4.4.4, 5.0 - 5.1.1, 6.0 - 6.0.1, 7.0 - 7.1.0

External links
https://www.securityfocus.com/bid/95230
https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc
https://source.android.com/security/bulletin/2017-01-01.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 7 update for libvpx

Input validation error in Google, Google Android