PatchSiren cyber security CVE debrief

CVE-2017-0415 Google CVE debrief

CVE-2017-0415 is a high-severity Android Mediaserver elevation-of-privilege issue. A local malicious application could trigger arbitrary code execution within a privileged process on affected Android versions, potentially gaining capabilities normally unavailable to third-party apps.

Vendor: Google
Product: CVE-2017-0415
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-08
Original CVE updated: 2026-05-13
Advisory published: 2017-02-08
Advisory updated: 2026-05-13

Who should care

Android device owners and administrators on affected versions, OEM and platform security teams, mobile app security teams, and incident responders tracking privilege-escalation risk on managed fleets.

Technical summary

NVD scores this issue CVSS 3.0 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is described as an elevation of privilege in Mediaserver that can let a local malicious app execute arbitrary code in a privileged process. The corpus does not provide a more specific CWE than NVD-CWE-noinfo, so the exact flaw mechanism is not identified here.

Defensive priority

High. Patch and verify affected Android devices promptly because the issue can move a local app into a privileged execution context, with high impact to confidentiality, integrity, and availability.

Recommended defensive actions

  • Apply the Android security update referenced in the 2017-02-01 Android Security Bulletin and deploy vendor OTA/security patches.
  • Verify patch levels across managed Android fleets and prioritize devices running the affected releases.
  • Retire, isolate, or tightly control devices that cannot receive the fix.
  • Restrict installation of untrusted apps and monitor managed devices for suspicious local application activity.
  • Use mobile device management controls to enforce compliance and confirm receipt of security updates.
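
One way to run the fleet patch-level check from the list above, shown as an added example that is not part of the original debrief: it triages a constructed inventory export against the affected Android versions named on this page. The CSV column names and the rule that a security patch level on or after 2017-02-01 indicates the fix are assumptions; confirm the exact patch level in the bulletin.

```python
import csv
import io
from datetime import date

# Affected releases as listed on this page (CVE description plus NVD CPE 7.1.0),
# stored as 3-part tuples so "7.1" and "7.1.0" compare equal.
AFFECTED = {(6, 0, 0), (6, 0, 1), (7, 0, 0), (7, 1, 0), (7, 1, 1)}
# Assumption: a patch level on or after the bulletin date carries the fix.
REQUIRED_LEVEL = date(2017, 2, 1)

# Constructed sample inventory (hypothetical MDM export; column names assumed).
SAMPLE = """device_id,android_version,security_patch
dev-001,6.0.1,2017-01-05
dev-002,7.1.1,2017-02-01
dev-003,7.0,
dev-004,5.1.1,2016-03-01
dev-005,7.1,2016-12-05
dev-006,6.0,2017-13-40
"""

def parse_version(text):
    """Return a zero-padded 3-tuple, or None if the string is not a version."""
    try:
        nums = [int(p) for p in text.strip().split(".")]
    except ValueError:
        return None
    if not 1 <= len(nums) <= 3:
        return None
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version, patch):
    v = parse_version(version)
    if v is None:
        return "review"        # unknown OS version: inspect by hand
    if v not in AFFECTED:
        return "not_listed"    # version not named as affected for this CVE
    try:
        level = date.fromisoformat(patch.strip())
    except ValueError:
        return "unverified"    # affected version, patch level missing or malformed
    return "patched" if level >= REQUIRED_LEVEL else "needs_update"

def triage(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device_id"]: classify(r["android_version"], r["security_patch"] or "")
            for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE).items():
        print(device, status)
```

Devices reported as `unverified` run an affected release but cannot be confirmed as patched, so they belong in the same remediation queue as `needs_update` until their patch level is known.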

Evidence notes

The supplied CVE description says the issue is in Mediaserver and affects Android 6.0, 6.0.1, 7.0, and 7.1.1. NVD lists the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and links the Android Security Bulletin dated 2017-02-01. The NVD CPE criteria also include Android 7.1.0 in addition to 7.1.1.

Official resources

Published 2017-02-08T15:59:00.893Z. The referenced Android security bulletin is dated 2017-02-01, and NVD metadata was last modified 2026-05-13T00:24:29.033Z.