SB2017090507 - Multiple vulnerabilities in Google Android

Main Vulnerability Database SB2017090507

SB2017090507 - Multiple vulnerabilities in Google Android

Published: September 5, 2017 Updated: September 8, 2017

Security Bulletin ID SB2017090507

Severity

High

Patch available

YES

Number of vulnerabilities 28

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 28 secuirty vulnerabilities.

1) Privilege escalation (CVE-ID: CVE-2017-0752)

The vulnerability allows a local attacker to gain elevated privileges.

The weakness exists due to improper validation of user-supplied input. A local attacker can provide a specially crafted application to gain elevated privileges and execute arbitrary code on the device.

2) Improper input validation (CVE-ID: CVE-2017-0753)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

3) Improper input validation (CVE-ID: CVE-2017-6983)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

4) Privilege escalation (CVE-ID: CVE-2017-0755)

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file to escalate privileges.

5) Improper input validation (CVE-ID: CVE-2017-0756)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

6) Improper input validation (CVE-ID: CVE-2017-0757)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

7) Improper input validation (CVE-ID: CVE-2017-0758)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

8) Improper input validation (CVE-ID: CVE-2017-0759)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

9) Improper input validation (CVE-ID: CVE-2017-0760)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

10) Improper input validation (CVE-ID: CVE-2017-0761)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

11) Improper input validation (CVE-ID: CVE-2017-0762)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

12) Improper input validation (CVE-ID: CVE-2017-0763)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

13) Improper input validation (CVE-ID: CVE-2017-0764)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

14) Improper input validation (CVE-ID: CVE-2017-0765)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

15) Improper input validation (CVE-ID: CVE-2017-0766)

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and execute arbitrary code on the device.

16) Privilege escalation (CVE-ID: CVE-2017-0767)

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file to escalate privileges.

17) Privilege escalation (CVE-ID: CVE-2017-0768)

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file to escalate privileges.

18) Improper input validation (CVE-ID: CVE-2017-0771)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and cause the device to crash.

19) Improper input validation (CVE-ID: CVE-2017-0772)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and cause the device to crash.

20) Improper input validation (CVE-ID: CVE-2017-0773)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and cause the device to crash.

21) Improper input validation (CVE-ID: CVE-2017-0774)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and cause the device to crash.

22) Improper input validation (CVE-ID: CVE-2017-0775)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and cause the device to crash.

23) Improper input validation (CVE-ID: CVE-2017-0776)

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and gain access to arbitrary files or cause the device to crash.

24) Improper input validation (CVE-ID: CVE-2017-0777)

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and gain access to arbitrary files or cause the device to crash.

25) Improper input validation (CVE-ID: CVE-2017-0778)

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and gain access to arbitrary files or cause the device to crash.

26) Information disclosure (CVE-ID: CVE-2017-0779)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and gain access to arbitrary files.

27) Improper input validation (CVE-ID: CVE-2017-0780)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted file and cause the messages app to crash.

28) Privilege escalation (CVE-ID: CVE-2017-0784)

The vulnerability allows a local attacker to bypass security restrictions and gain elevated privileges.

The weakness exists due to improper validation of user-supplied input. A local attacker can provide a specially crafted application to bypass user interaction requirements in order to gain access to arbitrary data.

Remediation

Install update from vendor's website.

References

https://source.android.com/security/bulletin/2017-09-01