Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0145
July 2018 updates for Android
3 July 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Google Android devices
Operating System: Android
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Unknown/Unspecified
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2018-11259 CVE-2018-11258 CVE-2018-11257
CVE-2018-9433 CVE-2018-9432 CVE-2018-9428
CVE-2018-9424 CVE-2018-9422 CVE-2018-9421
CVE-2018-9420 CVE-2018-9419 CVE-2018-9417
CVE-2018-9412 CVE-2018-9411 CVE-2018-9410
CVE-2018-9365 CVE-2018-6927 CVE-2018-5882
CVE-2018-5878 CVE-2018-5876 CVE-2018-5875
CVE-2018-5874 CVE-2018-5873 CVE-2018-5872
CVE-2018-5855 CVE-2018-5838 CVE-2018-5837
CVE-2018-5703 CVE-2018-3586 CVE-2017-18279
CVE-2017-18278 CVE-2017-18277 CVE-2017-18276
CVE-2017-18275 CVE-2017-18274 CVE-2017-18173
CVE-2017-18172 CVE-2017-18171 CVE-2017-18170
CVE-2017-18131 CVE-2017-15841 CVE-2017-13078
CVE-2017-13077 CVE-2016-2108
Member content until: Thursday, August 2 2018
OVERVIEW
Multiple security vulnerabilities have been identified in the
Android operating system prior to the 2018-07-02 patch level. [1]
IMPACT
Google has provided the following information about these
vulnerabilities:
"Framework
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted pac file to execute arbitrary code within the context
of a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2018-9433 A-38196219 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2
CVE-2018-9410 A-77822336 ID High 8.0, 8.1
Media framework
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2018-9411 A-79376389 RCE Critical 8.0, 8.1
CVE-2018-9424 A-76221123 EoP High 8.0, 8.1
CVE-2018-9428 A-74122779 EoP High 8.1
CVE-2018-9412 A-78029004 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
CVE-2018-9421 A-77237570 ID High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
System
The most severe vulnerability in this section could enable a remote attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.
CVE References Type Severity Updated AOSP versions
CVE-2018-9365 A-74121126 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
CVE-2018-9432 A-73173182 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
CVE-2018-9420 A-77238656 ID High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1
CVE-2018-9419 A-74121659 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1
2018-07-05 security patch level vulnerability details
In the sections below, we provide details for each of the security
vulnerabilities that apply to the 2018-07-05 patch level. Vulnerabilities are
grouped under the component that they affect and include details such as the
CVE, associated references, type of vulnerability, severity, component (where
applicable), and updated AOSP versions (where applicable). When available, we
link the public change that addressed the issue to the bug ID, like the AOSP
change list. When multiple changes relate to a single bug, additional
references are linked to numbers following the bug ID.
Kernel components
The most severe vulnerability in this section could enable a local malicious
application to execute arbitrary code within the context of a privileged
process.
CVE References Type Severity Component
CVE-2018-5703 A-73543437 EoP High IPV6 stack
Upstream kernel
CVE-2018-9422 A-74250718 EoP High futex
Upstream kernel
CVE-2018-9417 A-74447444* EoP High USB driver
Upstream kernel*
CVE-2018-6927 A-76106267 EoP High futex
Upstream kernel
Qualcomm components
The most severe vulnerability in this section could enable a proximate attacker
using a specially crafted file to execute arbitrary code within the context of
a privileged process.
CVE References Type Severity Component
CVE-2018-5872 A-77528138 RCE Critical WLAN
QC-CR#2183014
CVE-2018-5855 A-77527719 ID High WLAN
QC-CR#2181685
CVE-2017-13077, CVE-2017-13078 A-78285557 ID High WLAN
QC-CR#2133114
CVE-2018-5873 A-77528487 EoP High nsfs
QC-CR#2166382
CVE-2018-5838 A-63146462* EoP High OpenGL ES driver
QC-CR#2151011
A-63165135*
CVE-2018-3586 QC-CR#2139538 RCE High ADSPRPC heap manager
QC-CR#2073777
Qualcomm closed-source components
These vulnerabilities affect Qualcomm components and are described in further
detail in the appropriate Qualcomm AMSS security bulletin or security alert.
The severity assessment of these issues is provided directly by Qualcomm.
CVE References Type Severity Component
CVE-2017-18171 A-78240792* N/A Critical Closed-source component
CVE-2017-18277 A-78240715* N/A High Closed-source component
CVE-2017-18172 A-78240449* N/A High Closed-source component
CVE-2017-18170 A-78240612* N/A High Closed-source component
CVE-2017-15841 A-78240794* N/A High Closed-source component
CVE-2017-18173 A-78240199* N/A High Closed-source component
CVE-2017-18278 A-78240071* N/A High Closed-source component
CVE-2016-2108 A-78240736* N/A Critical Closed-source component
CVE-2017-18275 A-78242049* N/A High Closed-source component
CVE-2017-18279 A-78241971* N/A High Closed-source component
CVE-2017-18274 A-78241834* N/A High Closed-source component
CVE-2017-18276 A-78241375* N/A High Closed-source component
CVE-2017-18131 A-68989823* N/A High Closed-source component
CVE-2018-11259 A-72951265* N/A Critical Closed-source component
CVE-2018-11258 A-72951054* N/A High Closed-source component
CVE-2018-11257 A-74235874* N/A Critical Closed-source component
CVE-2018-5837 A-74236406* N/A High Closed-source component
CVE-2018-5876 A-77485022* N/A Critical Closed-source component
CVE-2018-5875 A-77485183* N/A Critical Closed-source component
CVE-2018-5874 A-77485139* N/A Critical Closed-source component
CVE-2018-5882 A-77483830* N/A High Closed-source component
CVE-2018-5878 A-77484449* N/A High Closed-source component" [1]
MITIGATION
Android users are advised to update to the latest applicable version
to address these vulnerabilities. [1]
Google advises that they have had no reports of active customer
exploitation or abuse of these newly-reported issues. [1]
REFERENCES
[1] Android Security Bulletin - July 2018
https://source.android.com/security/bulletin/2018-07-01
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWzrRYWaOgq3Tt24GAQjiew/9EnXWndQa46NjPmR8gejx92xDHZpuDWci
qR0OZJ9x6ySAfi8MS8b+/UJt973IwSlqt5o39NS+AjuKLrLYB06Tanm/F3KrtohI
BSrkqkk/0Xi0sDROBtRIgLDohISNI8bDtJ0cbl1ik27SsqxXwL+MZNvagOwAdYus
8zqW6V2DTyrE66bi6MHduyN8PG7nVy3f4NwXGztSM9AfTywQMGbIoWb1EOTWROsa
vrSkJAc+wTR2pyQXMH4MlrzcBBlvHHousZnYjP0hWJQ+BiYrzqF+PJ/Tii86Rh3z
rmI7bZNaltDzJb+rPv61OfddoMuNKfDp1/rFextIDW5gtoMFgAplm/g7ZCayp9wc
advUVVe/j3Ayp0wCixhdLTsddA+52Fwoo3Tb+nQTP4kxj8iBbi0qcva5xkWYieH8
eahnmYASJNk3KMUJ+2y0Y+JqHCUc0BOiuiEqn+tJHolkWHbBHNoPyffYPt7Lr8DL
encOmeAmklf21GDuJj0lrG8vLebLL3vkC6WFrT7RfJ3tIAFc3Pk5cSvV/rjsNr9m
aZkNW2mHLOyU1yEvdo9Rj16F1jay3Oco2IFCWc0CtpcP31SSe6Nob456YudmUTiI
Y/JCGN6JTSiznUtvo3IIpqeblB2NZ2Nw4zhS3DH0x165bjb6UcfMIdSahJbzAw3A
WUxb8bRnYG4=
=RYzf
-----END PGP SIGNATURE-----