Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0101
Android security updates for April 2018
8 May 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Android devices
Operating System: Android
Impact/Access: Root Compromise -- Remote/Unauthenticated
Increased Privileges -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-5850 CVE-2018-5846 CVE-2018-5845
CVE-2018-5841 CVE-2018-5840 CVE-2018-3580
CVE-2018-3578 CVE-2018-3565 CVE-2018-3562
CVE-2017-18154 CVE-2017-16643 CVE-2017-13315
CVE-2017-13314 CVE-2017-13313 CVE-2017-13312
CVE-2017-13311 CVE-2017-13310 CVE-2017-13309
CVE-2017-13077 CVE-2017-6293 CVE-2017-6289
CVE-2017-5754 CVE-2017-5715
Member content until: Thursday, June 7 2018
Reference: ASB-2018.0068
ESB-2018.1278
ESB-2018.1138
ESB-2018.0042.2
OVERVIEW
Multiple vulnerabilities have been identified in Android prior to
versions 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1. [1]
IMPACT
Google has provided the following information about these
vulnerabilities:
"Android Security Bulletin - May 2018
Published May 7, 2018
The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of 2018-05-05 or later address
all of these issues. To learn how to check a device's security patch level, see
Check & update your Android version.
Android partners are notified of all issues at least a month before
publication. Source code patches for these issues will be released to the
Android Open Source Project (AOSP) repository in the next 48 hours. We will
revise this bulletin with the AOSP links when they are available.
The most severe of these issues is a critical security vulnerability in Media
framework that could enable a remote attacker using a specially crafted file to
execute arbitrary code within the context of a privileged process. The severity
assessment is based on the effect that exploiting the vulnerability would
possibly have on an affected device, assuming the platform and service
mitigations are turned off for development purposes or if successfully
bypassed.
We have had no reports of active customer exploitation or abuse of these newly
reported issues. Refer to the Android and Google Play Protect mitigations
section for details on the Android security platform protections and Google
Play Protect, which improve the security of the Android platform.
Note: Information on the latest over-the-air update (OTA) and firmware images
for Google devices is available in the May 2018 Pixel/Nexus
Security Bulletin.
Android and Google service mitigations
This is a summary of the mitigations provided by the Android security platform
and service protections such as Google Play Protect. These capabilities reduce
the likelihood that security vulnerabilities could be successfully exploited on
Android.
* Exploitation for many issues on Android is made more difficult by
enhancements in newer versions of the Android platform. We encourage all
users to update to the latest version of Android where possible.
* The Android security team actively monitors for abuse through Google Play
Protect and warns users about Potentially Harmful Applications. Google Play
Protect is enabled by default on devices with Google Mobile Services, and
is especially important for users who install apps from outside of Google
Play.
2018-05-01 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2018-05-01 patch level. Vulnerabilities are
grouped under the component that they affect. There is a description of the
issue and a table with the CVE, associated references, type of vulnerability,
severity, and updated AOSP versions (where applicable). When available, we link
the public change that addressed the issue to the bug ID, like the AOSP change
list. When multiple changes relate to a single bug, additional references are
linked to numbers following the bug ID.
Android runtime
The most severe vulnerability in this section could enable a remote attacker to
access data normally accessible only to locally installed applications with
permissions.
CVE References Type Severity Updated AOSP versions
CVE-2017-13309 A-73251618 ID High 8.1
Framework
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2017-13310 A-71992105 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
CVE-2017-13311 A-73252178 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1
Media framework
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2017-13312 A-73085795 EoP High 8.0
CVE-2017-13313 A-74114680 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
System
The most severe vulnerability in this section could enable a local malicious
application to bypass user interaction requirements in order to gain access to
additional permissions.
CVE References Type Severity Updated AOSP versions
CVE-2017-13314 A-63000005 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1
CVE-2017-13315 A-70721937 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
2018-05-05 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2018-05-05 patch level. Vulnerabilities are
grouped under the component that they affect and include details such as the
CVE, associated references, type of vulnerability, severity, component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.
Kernel components
The most severe vulnerability in this section could enable a local malicious
application to bypass operating system protections that isolate application
data from other applications.
CVE References Type Severity Component
CVE-2017-16643 A-69916367 ID High USB driver
Upstream kernel
CVE-2017-5754 A-69856074* ID High Memory mapping
NVIDIA components
The most severe vulnerability in this section could enable a local malicious
application to execute arbitrary code within the context of the TEE.
CVE References Type Severity Component
CVE-2017-6289 A-72830049* EoP Critical TEE
CVE-2017-5715 A-71686116* ID High TLK
CVE-2017-6293 A-69377364* EoP High NVIDIA Tegra X1 TZ
Qualcomm components
The most severe vulnerability in this section could enable a proximate attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.
CVE References Type Severity Component
CVE-2018-3580 A-72957507 RCE Critical WLAN
QC-CR#2149187
CVE-2018-5841 A-72957293 EoP High DCC
QC-CR#2073502
CVE-2018-5850 A-72957135 EoP High WLAN
QC-CR#2141458
CVE-2018-5846 A-71501683 EoP High Radio internet packet
QC-CR#2120063 accelerator
CVE-2018-5845 A-71501680 EoP High GPU
QC-CR#2119081
CVE-2018-5840 A-71501678 EoP High GPU
QC-CR#2052024
CVE-2017-18154 A-62872238* EoP High Libgralloc
QC-CR#2109325
CVE-2018-3578 A-72956999 EoP High WLAN
QC-CR#2145573
CVE-2018-3565 A-72957234 EoP High WLAN
QC-CR#2138555
CVE-2017-13077 A-77481464* EoP High WLAN
CVE-2018-3562 A-72957526 DoS High WLAN
QC-CR#2147955 [2]
Common questions and answers
This section answers common questions that may occur after reading this
bulletin.
1. How do I determine if my device is updated to address these issues?
To learn how to check a device's security patch level, see Check and update
your Android version.
* Security patch levels of 2018-05-01 or later address all issues associated
with the 2018-05-01 security patch level.
* Security patch levels of 2018-05-05 or later address all issues associated
with the 2018-05-05 security patch level and all previous patch levels.
Device manufacturers that include these updates should set the patch string
level to:
* [ro.build.version.security_patch]:[2018-05-01]
* [ro.build.version.security_patch]:[2018-05-05]
2. Why does this bulletin have two security patch levels?
This bulletin has two security patch levels so that Android partners have the
flexibility to fix a subset of vulnerabilities that are similar across all
Android devices more quickly. Android partners are encouraged to fix all issues
in this bulletin and use the latest security patch level.
* Devices that use the 2018-05-01 security patch level must include all
issues associated with that security patch level, as well as fixes for all
issues reported in previous security bulletins.
* Devices that use the security patch level of 2018-05-05 or newer must
include all applicable patches in this (and previous) security bulletins.
Partners are encouraged to bundle the fixes for all issues they are addressing
in a single update.
3. What do the entries in the Type column mean?
Entries in the Type column of the vulnerability details table reference the
classification of the security vulnerability.
Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available
4. What do the entries in the References column mean?
Entries under the References column of the vulnerability details table may
contain a prefix identifying the organization to which the reference value
belongs.
Prefix Reference
A- Android bug ID
QC- Qualcomm reference number
M- MediaTek reference number
N- NVIDIA reference number
B- Broadcom reference number
5. What does a * next to the Android bug ID in the References column mean?
Issues that are not publicly available have a * next to the Android bug ID in
the References column. The update for that issue is generally contained in the
latest binary drivers for Nexus devices available from the Google Developer
site.
6. Why are security vulnerabilities split between this bulletin and device/
partner security bulletins, such as the Pixel/Nexus bulletin?
Security vulnerabilities that are documented in this security bulletin are
required in order to declare the latest security patch level on Android
devices. Additional security vulnerabilities that are documented in the device
/partner security bulletins are not required for declaring a
security patch level. Android device and chipset manufacturers are encouraged
to document the presence of other fixes on their devices through their own
security websites, such as the Samsung, LGE, or Pixel/;Nexus
security bulletins.
Versions
Version Date Notes
1.0 May 7, 2018 Bulletin published.
Except as otherwise noted, the content of this page is licensed under the
Creative Commons Attribution 3.0 License, and code samples are licensed under
the Apache 2.0 License. For details, see our Site Policies. Java is a
registered trademark of Oracle and/or its affiliates.
Last updated May 7, 2018." [1]
MITIGATION
Android users are advised to update to the latest versions to
address these issues. [1]
REFERENCES
[1] Android Security Bulletin - May 2018
https://source.android.com/security/bulletin/2018-05-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWvE6cYx+lLeg9Ub1AQg13A/+JMec+yVyGgD6yC416uPr4rLh+c0QaqF1
BpjVsD1dilLOmltwtjQOHimcX/iR2/gcb+T5IyUUIlDqG5tHKBQs22NRdgFxDmyz
XOCu0rR061cDk1ZRsWOKDqYyiTPLhWlmSpOdcy0ALdpEFMBxTRM3LLC9tzzi95Sx
li5+Ojep1X41fZG0IaMyxt5eNU1jgZYwTD9ckiz9HOtB9b9gwLS7W8rYMZHWxH7O
tDVerRLOr0r8TeGjfm/Gzqk/JcrFaUGYoEhs4ZKLwiaqUNAVDL9NcS1edtUjyqYv
YnCHK34793kcM12CpQ4pvOBRLwZgS3BcsH109MDc1Gbz68GjzkdFOuY4fb9KE4q9
tDy1l1WYWSxif6KyB7Gj3wLgvgsQgYKZtjLc0VTNWlDfr6WNUbLBm24V1QWKJSaH
NRDW80AMGWUi16F0h1MjBdLMHcvxtIkyN0+YQ7pfnF/Lv85/FrLI3As1xb6I1U1P
qgRUvjO90zG4DZtMFcE+GtyqfRT5Z8hYcq7Um3ivgg8S451go0pJfErbJnxqwdOU
9ykFx1ljojPyHvfOTsFK17gcYzwhGiZ5TDUbG2/0QCcQzp7fN8RW4mRMB0HiJUU+
qzSc87dvNb7u7DrHA83aVvlvV+Tlp9IfZMJMqaBMWDUkqYacVWdYNicl4uPmnx9A
NNM+XulUjXU=
=9PYu
-----END PGP SIGNATURE-----