Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2018.0145 July 2018 updates for Android 3 July 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Android devices Operating System: Android Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Increased Privileges -- Remote with User Interaction Denial of Service -- Unknown/Unspecified Access Confidential Data -- Remote with User Interaction Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade CVE Names: CVE-2018-11259 CVE-2018-11258 CVE-2018-11257 CVE-2018-9433 CVE-2018-9432 CVE-2018-9428 CVE-2018-9424 CVE-2018-9422 CVE-2018-9421 CVE-2018-9420 CVE-2018-9419 CVE-2018-9417 CVE-2018-9412 CVE-2018-9411 CVE-2018-9410 CVE-2018-9365 CVE-2018-6927 CVE-2018-5882 CVE-2018-5878 CVE-2018-5876 CVE-2018-5875 CVE-2018-5874 CVE-2018-5873 CVE-2018-5872 CVE-2018-5855 CVE-2018-5838 CVE-2018-5837 CVE-2018-5703 CVE-2018-3586 CVE-2017-18279 CVE-2017-18278 CVE-2017-18277 CVE-2017-18276 CVE-2017-18275 CVE-2017-18274 CVE-2017-18173 CVE-2017-18172 CVE-2017-18171 CVE-2017-18170 CVE-2017-18131 CVE-2017-15841 CVE-2017-13078 CVE-2017-13077 CVE-2016-2108 Member content until: Thursday, August 2 2018 OVERVIEW Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-07-02 patch level. [1] IMPACT Google has provided the following information about these vulnerabilities: "Framework The most severe vulnerability in this section could enable a remote attacker using a specially crafted pac file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9433 A-38196219 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 CVE-2018-9410 A-77822336 ID High 8.0, 8.1 Media framework The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9411 A-79376389 RCE Critical 8.0, 8.1 CVE-2018-9424 A-76221123 EoP High 8.0, 8.1 CVE-2018-9428 A-74122779 EoP High 8.1 CVE-2018-9412 A-78029004 DoS High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 CVE-2018-9421 A-77237570 ID High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 System The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9365 A-74121126 RCE Critical 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 CVE-2018-9432 A-73173182 EoP High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 CVE-2018-9420 A-77238656 ID High 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1 CVE-2018-9419 A-74121659 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1 2018-07-05 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2018-07-05 patch level. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Kernel components The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2018-5703 A-73543437 EoP High IPV6 stack Upstream kernel CVE-2018-9422 A-74250718 EoP High futex Upstream kernel CVE-2018-9417 A-74447444* EoP High USB driver Upstream kernel* CVE-2018-6927 A-76106267 EoP High futex Upstream kernel Qualcomm components The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2018-5872 A-77528138 RCE Critical WLAN QC-CR#2183014 CVE-2018-5855 A-77527719 ID High WLAN QC-CR#2181685 CVE-2017-13077, CVE-2017-13078 A-78285557 ID High WLAN QC-CR#2133114 CVE-2018-5873 A-77528487 EoP High nsfs QC-CR#2166382 CVE-2018-5838 A-63146462* EoP High OpenGL ES driver QC-CR#2151011 A-63165135* CVE-2018-3586 QC-CR#2139538 RCE High ADSPRPC heap manager QC-CR#2073777 Qualcomm closed-source components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm AMSS security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2017-18171 A-78240792* N/A Critical Closed-source component CVE-2017-18277 A-78240715* N/A High Closed-source component CVE-2017-18172 A-78240449* N/A High Closed-source component CVE-2017-18170 A-78240612* N/A High Closed-source component CVE-2017-15841 A-78240794* N/A High Closed-source component CVE-2017-18173 A-78240199* N/A High Closed-source component CVE-2017-18278 A-78240071* N/A High Closed-source component CVE-2016-2108 A-78240736* N/A Critical Closed-source component CVE-2017-18275 A-78242049* N/A High Closed-source component CVE-2017-18279 A-78241971* N/A High Closed-source component CVE-2017-18274 A-78241834* N/A High Closed-source component CVE-2017-18276 A-78241375* N/A High Closed-source component CVE-2017-18131 A-68989823* N/A High Closed-source component CVE-2018-11259 A-72951265* N/A Critical Closed-source component CVE-2018-11258 A-72951054* N/A High Closed-source component CVE-2018-11257 A-74235874* N/A Critical Closed-source component CVE-2018-5837 A-74236406* N/A High Closed-source component CVE-2018-5876 A-77485022* N/A Critical Closed-source component CVE-2018-5875 A-77485183* N/A Critical Closed-source component CVE-2018-5874 A-77485139* N/A Critical Closed-source component CVE-2018-5882 A-77483830* N/A High Closed-source component CVE-2018-5878 A-77484449* N/A High Closed-source component" [1] MITIGATION Android users are advised to update to the latest applicable version to address these vulnerabilities. [1] Google advises that they have had no reports of active customer exploitation or abuse of these newly-reported issues. [1] REFERENCES [1] Android Security Bulletin - July 2018 https://source.android.com/security/bulletin/2018-07-01 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWzrRYWaOgq3Tt24GAQjiew/9EnXWndQa46NjPmR8gejx92xDHZpuDWci qR0OZJ9x6ySAfi8MS8b+/UJt973IwSlqt5o39NS+AjuKLrLYB06Tanm/F3KrtohI BSrkqkk/0Xi0sDROBtRIgLDohISNI8bDtJ0cbl1ik27SsqxXwL+MZNvagOwAdYus 8zqW6V2DTyrE66bi6MHduyN8PG7nVy3f4NwXGztSM9AfTywQMGbIoWb1EOTWROsa vrSkJAc+wTR2pyQXMH4MlrzcBBlvHHousZnYjP0hWJQ+BiYrzqF+PJ/Tii86Rh3z rmI7bZNaltDzJb+rPv61OfddoMuNKfDp1/rFextIDW5gtoMFgAplm/g7ZCayp9wc advUVVe/j3Ayp0wCixhdLTsddA+52Fwoo3Tb+nQTP4kxj8iBbi0qcva5xkWYieH8 eahnmYASJNk3KMUJ+2y0Y+JqHCUc0BOiuiEqn+tJHolkWHbBHNoPyffYPt7Lr8DL encOmeAmklf21GDuJj0lrG8vLebLL3vkC6WFrT7RfJ3tIAFc3Pk5cSvV/rjsNr9m aZkNW2mHLOyU1yEvdo9Rj16F1jay3Oco2IFCWc0CtpcP31SSe6Nob456YudmUTiI Y/JCGN6JTSiznUtvo3IIpqeblB2NZ2Nw4zhS3DH0x165bjb6UcfMIdSahJbzAw3A WUxb8bRnYG4= =RYzf -----END PGP SIGNATURE-----