-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0101
                  Android security updates for April 2018
                                8 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Android devices
Operating System:     Android
Impact/Access:        Root Compromise          -- Remote/Unauthenticated      
                      Increased Privileges     -- Remote with User Interaction
                      Access Confidential Data -- Remote/Unauthenticated      
                      Unauthorised Access      -- Existing Account            
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5850 CVE-2018-5846 CVE-2018-5845
                      CVE-2018-5841 CVE-2018-5840 CVE-2018-3580
                      CVE-2018-3578 CVE-2018-3565 CVE-2018-3562
                      CVE-2017-18154 CVE-2017-16643 CVE-2017-13315
                      CVE-2017-13314 CVE-2017-13313 CVE-2017-13312
                      CVE-2017-13311 CVE-2017-13310 CVE-2017-13309
                      CVE-2017-13077 CVE-2017-6293 CVE-2017-6289
                      CVE-2017-5754 CVE-2017-5715 
Member content until: Thursday, June  7 2018
Reference:            ASB-2018.0068
                      ESB-2018.1278
                      ESB-2018.1138
                      ESB-2018.0042.2

OVERVIEW

        Multiple vulnerabilities have been identified in Android prior to
        versions 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1. [1]


IMPACT

        Google has provided the following information about these
        vulnerabilities:
        
        "Android Security Bulletin - May 2018
        
        Published May 7, 2018
        
        The Android Security Bulletin contains details of security vulnerabilities
        affecting Android devices. Security patch levels of 2018-05-05 or later address
        all of these issues. To learn how to check a device's security patch level, see
        Check & update your Android version.
        
        Android partners are notified of all issues at least a month before
        publication. Source code patches for these issues will be released to the
        Android Open Source Project (AOSP) repository in the next 48 hours. We will
        revise this bulletin with the AOSP links when they are available.
        
        The most severe of these issues is a critical security vulnerability in Media
        framework that could enable a remote attacker using a specially crafted file to
        execute arbitrary code within the context of a privileged process. The severity
        assessment is based on the effect that exploiting the vulnerability would
        possibly have on an affected device, assuming the platform and service
        mitigations are turned off for development purposes or if successfully
        bypassed.
        
        We have had no reports of active customer exploitation or abuse of these newly
        reported issues. Refer to the Android and Google Play Protect mitigations
        section for details on the Android security platform protections and Google
        Play Protect, which improve the security of the Android platform.
        
        Note: Information on the latest over-the-air update (OTA) and firmware images
        for Google devices is available in the May 2018 Pixel/Nexus
        Security Bulletin.
        
        Android and Google service mitigations
        
        This is a summary of the mitigations provided by the Android security platform
        and service protections such as Google Play Protect. These capabilities reduce
        the likelihood that security vulnerabilities could be successfully exploited on
        Android.
        
          * Exploitation for many issues on Android is made more difficult by
            enhancements in newer versions of the Android platform. We encourage all
            users to update to the latest version of Android where possible.
          * The Android security team actively monitors for abuse through Google Play
            Protect and warns users about Potentially Harmful Applications. Google Play
            Protect is enabled by default on devices with Google Mobile Services, and
            is especially important for users who install apps from outside of Google
            Play.
        
        2018-05-01 security patch level vulnerability details
        
        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2018-05-01 patch level. Vulnerabilities are
        grouped under the component that they affect. There is a description of the
        issue and a table with the CVE, associated references, type of vulnerability,
        severity, and updated AOSP versions (where applicable). When available, we link
        the public change that addressed the issue to the bug ID, like the AOSP change
        list. When multiple changes relate to a single bug, additional references are
        linked to numbers following the bug ID.
        
        Android runtime
        
        The most severe vulnerability in this section could enable a remote attacker to
        access data normally accessible only to locally installed applications with
        permissions.
        
             CVE       References Type Severity Updated AOSP versions
        CVE-2017-13309 A-73251618 ID   High     8.1
        
        Framework
        
        The most severe vulnerability in this section could enable a local malicious
        application to bypass user interaction requirements in order to gain access to
        additional permissions.
        
             CVE       References Type Severity          Updated AOSP versions
        CVE-2017-13310 A-71992105 EoP  High     6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
        CVE-2017-13311 A-73252178 EoP  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1
        
        Media framework
        
        The most severe vulnerability in this section could enable a local malicious
        application to bypass user interaction requirements in order to gain access to
        additional permissions.
        
             CVE       References Type Severity          Updated AOSP versions
        CVE-2017-13312 A-73085795 EoP  High     8.0
        CVE-2017-13313 A-74114680 DoS  High     6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
        
        System
        
        The most severe vulnerability in this section could enable a local malicious
        application to bypass user interaction requirements in order to gain access to
        additional permissions.
        
             CVE       References Type Severity          Updated AOSP versions
        CVE-2017-13314 A-63000005 EoP  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1
        CVE-2017-13315 A-70721937 EoP  High     6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
        
        2018-05-05 security patch level vulnerability details
        
        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2018-05-05 patch level. Vulnerabilities are
        grouped under the component that they affect and include details such as the
        CVE, associated references, type of vulnerability, severity, component (where
        applicable), and updated AOSP versions (where applicable). When available, we
        link the public change that addressed the issue to the bug ID, like the AOSP
        change list. When multiple changes relate to a single bug, additional
        references are linked to numbers following the bug ID.
        
        Kernel components
        
        The most severe vulnerability in this section could enable a local malicious
        application to bypass operating system protections that isolate application
        data from other applications.
        
             CVE         References    Type Severity   Component
        CVE-2017-16643 A-69916367      ID   High     USB driver
                       Upstream kernel
        CVE-2017-5754  A-69856074*     ID   High     Memory mapping
        
        NVIDIA components
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of the TEE.
        
             CVE      References  Type Severity     Component
        CVE-2017-6289 A-72830049* EoP  Critical TEE
        CVE-2017-5715 A-71686116* ID   High     TLK
        CVE-2017-6293 A-69377364* EoP  High     NVIDIA Tegra X1 TZ
        
        Qualcomm components
        
        The most severe vulnerability in this section could enable a proximate attacker
        using a specially crafted file to execute arbitrary code within the context of
        a privileged process.
        
             CVE          References     Type Severity            Component
        CVE-2018-3580  A-72957507        RCE  Critical WLAN
                       QC-CR#2149187
        CVE-2018-5841  A-72957293        EoP  High     DCC
                       QC-CR#2073502
        CVE-2018-5850  A-72957135        EoP  High     WLAN
                       QC-CR#2141458
        CVE-2018-5846  A-71501683        EoP  High     Radio internet packet
                       QC-CR#2120063                   accelerator
        CVE-2018-5845  A-71501680        EoP  High     GPU
                       QC-CR#2119081
        CVE-2018-5840  A-71501678        EoP  High     GPU
                       QC-CR#2052024
        CVE-2017-18154 A-62872238*       EoP  High     Libgralloc
                       QC-CR#2109325
        CVE-2018-3578  A-72956999        EoP  High     WLAN
                       QC-CR#2145573
        CVE-2018-3565  A-72957234        EoP  High     WLAN
                       QC-CR#2138555
        CVE-2017-13077 A-77481464*       EoP  High     WLAN
        CVE-2018-3562  A-72957526        DoS  High     WLAN
                       QC-CR#2147955 [2]
        
        Common questions and answers
        
        This section answers common questions that may occur after reading this
        bulletin.
        
        1. How do I determine if my device is updated to address these issues?
        
        To learn how to check a device's security patch level, see Check and update
        your Android version.
        
          * Security patch levels of 2018-05-01 or later address all issues associated
            with the 2018-05-01 security patch level.
          * Security patch levels of 2018-05-05 or later address all issues associated
            with the 2018-05-05 security patch level and all previous patch levels.
        
        Device manufacturers that include these updates should set the patch string
        level to:
        
          * [ro.build.version.security_patch]:[2018-05-01]
          * [ro.build.version.security_patch]:[2018-05-05]
        
        2. Why does this bulletin have two security patch levels?
        
        This bulletin has two security patch levels so that Android partners have the
        flexibility to fix a subset of vulnerabilities that are similar across all
        Android devices more quickly. Android partners are encouraged to fix all issues
        in this bulletin and use the latest security patch level.
        
          * Devices that use the 2018-05-01 security patch level must include all
            issues associated with that security patch level, as well as fixes for all
            issues reported in previous security bulletins.
          * Devices that use the security patch level of 2018-05-05 or newer must
            include all applicable patches in this (and previous) security bulletins.
        
        Partners are encouraged to bundle the fixes for all issues they are addressing
        in a single update.
        
        3. What do the entries in the Type column mean?
        
        Entries in the Type column of the vulnerability details table reference the
        classification of the security vulnerability.
        
        Abbreviation          Definition
        RCE          Remote code execution
        EoP          Elevation of privilege
        ID           Information disclosure
        DoS          Denial of service
        N/A          Classification not available
        
        4. What do the entries in the References column mean?
        
        Entries under the References column of the vulnerability details table may
        contain a prefix identifying the organization to which the reference value
        belongs.
        
        Prefix         Reference
        A-     Android bug ID
        QC-    Qualcomm reference number
        M-     MediaTek reference number
        N-     NVIDIA reference number
        B-     Broadcom reference number
        
        5. What does a * next to the Android bug ID in the References column mean?
        
        Issues that are not publicly available have a * next to the Android bug ID in
        the References column. The update for that issue is generally contained in the
        latest binary drivers for Nexus devices available from the Google Developer
        site.
        
        6. Why are security vulnerabilities split between this bulletin and device/
        partner security bulletins, such as the Pixel/Nexus bulletin?
        
        Security vulnerabilities that are documented in this security bulletin are
        required in order to declare the latest security patch level on Android
        devices. Additional security vulnerabilities that are documented in the device
        /partner security bulletins are not required for declaring a
        security patch level. Android device and chipset manufacturers are encouraged
        to document the presence of other fixes on their devices through their own
        security websites, such as the Samsung, LGE, or Pixel/;Nexus
        security bulletins.
        
        Versions
        
        Version    Date            Notes
        1.0     May 7, 2018 Bulletin published.
        
        Except as otherwise noted, the content of this page is licensed under the
        Creative Commons Attribution 3.0 License, and code samples are licensed under
        the Apache 2.0 License. For details, see our Site Policies. Java is a
        registered trademark of Oracle and/or its affiliates.
        
        Last updated May 7, 2018." [1]


MITIGATION

        Android users are advised to update to the latest versions to 
        address these issues. [1]


REFERENCES

        [1] Android Security Bulletin - May 2018
            https://source.android.com/security/bulletin/2018-05-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWvE6cYx+lLeg9Ub1AQg13A/+JMec+yVyGgD6yC416uPr4rLh+c0QaqF1
BpjVsD1dilLOmltwtjQOHimcX/iR2/gcb+T5IyUUIlDqG5tHKBQs22NRdgFxDmyz
XOCu0rR061cDk1ZRsWOKDqYyiTPLhWlmSpOdcy0ALdpEFMBxTRM3LLC9tzzi95Sx
li5+Ojep1X41fZG0IaMyxt5eNU1jgZYwTD9ckiz9HOtB9b9gwLS7W8rYMZHWxH7O
tDVerRLOr0r8TeGjfm/Gzqk/JcrFaUGYoEhs4ZKLwiaqUNAVDL9NcS1edtUjyqYv
YnCHK34793kcM12CpQ4pvOBRLwZgS3BcsH109MDc1Gbz68GjzkdFOuY4fb9KE4q9
tDy1l1WYWSxif6KyB7Gj3wLgvgsQgYKZtjLc0VTNWlDfr6WNUbLBm24V1QWKJSaH
NRDW80AMGWUi16F0h1MjBdLMHcvxtIkyN0+YQ7pfnF/Lv85/FrLI3As1xb6I1U1P
qgRUvjO90zG4DZtMFcE+GtyqfRT5Z8hYcq7Um3ivgg8S451go0pJfErbJnxqwdOU
9ykFx1ljojPyHvfOTsFK17gcYzwhGiZ5TDUbG2/0QCcQzp7fN8RW4mRMB0HiJUU+
qzSc87dvNb7u7DrHA83aVvlvV+Tlp9IfZMJMqaBMWDUkqYacVWdYNicl4uPmnx9A
NNM+XulUjXU=
=9PYu
-----END PGP SIGNATURE-----