-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0277
                Android Security Bulletin for November 2018
                              6 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Android devices
Operating System:     Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-11996 CVE-2018-11995 CVE-2018-11994
                      CVE-2018-11905 CVE-2018-11269 CVE-2018-11264
                      CVE-2018-9545 CVE-2018-9544 CVE-2018-9543
                      CVE-2018-9542 CVE-2018-9541 CVE-2018-9540
                      CVE-2018-9539 CVE-2018-9537 CVE-2018-9536
                      CVE-2018-9531 CVE-2018-9527 CVE-2018-9526
                      CVE-2018-9525 CVE-2018-9524 CVE-2018-9523
                      CVE-2018-9522 CVE-2018-9521 CVE-2018-9457
                      CVE-2018-9347 CVE-2018-5917 CVE-2018-5916
                      CVE-2018-5912 CVE-2018-5877 CVE-2018-5870
                      CVE-2017-18318 CVE-2017-18317 CVE-2017-18316
                      CVE-2017-18315 CVE-2017-15818 CVE-2016-10502
Member content until: Thursday, December  6 2018

OVERVIEW

        Multiple security vulnerabilities have been identified in the Android
        operating system prior to the 2018-11-05 patch level. [1]


IMPACT

        Google has provided the following information about these
        vulnerabilities:
        
        "Framework
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of a privileged
        process.
        
             CVE      References  Type Severity    Updated AOSP versions
        CVE-2018-9522 A-112550251 EoP  High     9
        CVE-2018-9524 A-34170870  EoP  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1
        CVE-2018-9525 A-111330641 EoP  High     9
        
        Media framework
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        a privileged process.
        
             CVE      References  Type Severity     Updated AOSP versions
        CVE-2018-9527 A-112159345 RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9531 A-112661641 RCE  Critical 9
        CVE-2018-9536 A-112662184 EoP  Critical 9
        CVE-2018-9537 A-112891564 EoP  Critical 9
        CVE-2018-9521 A-111874331 RCE  High     9
        CVE-2018-9539 A-113027383 EoP  High     8.0, 8.1, 9
        
        System
        
        The most severe vulnerability in this section could enable a remote attacker to
        access data normally accessible only to locally installed applications with
        permissions.
        
             CVE      References  Type Severity     Updated AOSP versions
        CVE-2018-9540 A-111450417 ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9542 A-111896861 ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9543 A-112868088 ID   High     9
        CVE-2018-9544 A-113037220 ID   High     9
        CVE-2018-9545 A-113111784 ID   High     9
        CVE-2018-9541 A-111450531 ID   Moderate 9
                                  ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1
        
        Update: Media framework
        
             CVE      References Type Severity     Updated AOSP versions
        CVE-2018-9347 A-68664359 DoS  Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        
        Update: System
        
             CVE      References Type Severity Updated AOSP versions
        CVE-2018-9457 A-72872376 EoP  Moderate 8.0, 8.1, 9
        
        2018-11-05 security patch level vulnerability details
        
        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2018-11-05 patch level. Vulnerabilities are
        grouped under the component they affect and include details such as the CVE,
        associated references, type of vulnerability, severity, component (where
        applicable), and updated AOSP versions (where applicable). When available, we
        link the public change that addressed the issue to the bug ID, such as the AOSP
        change list. When multiple changes relate to a single bug, additional
        references are linked to numbers following the bug ID.
        
        Framework
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of a privileged
        process.
        
             CVE      References  Type Severity     Updated AOSP versions
        CVE-2018-9523 A-112859604 EoP  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9526 A-112159033 ID   High     9
        
        Qualcomm components
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of a privileged
        process.
        
             CVE        References   Type Severity  Component
        CVE-2017-15818 A-68992408    N/A  High     EcoSystem
                       QC-CR#2078580
        CVE-2018-11995 A-71501677    N/A  High     Bootloader
                       QC-CR#2129639
        CVE-2018-11905 A-112277889   N/A  High     DSP_Services
                       QC-CR#2090797
        
        Qualcomm closed-source components
        
        These vulnerabilities affect Qualcomm components and are described in further
        detail in the appropriate Qualcomm AMSS security bulletin or security alert.
        The severity assessment of these issues is provided directly by Qualcomm.
        
             CVE        References  Type Severity        Component
        CVE-2017-18317 A-78244877*  N/A  Critical Closed-source component
        CVE-2018-5912  A-79420111*  N/A  Critical Closed-source component
        CVE-2018-11264 A-109677962* N/A  Critical Closed-source component
        CVE-2016-10502 A-68326808*  N/A  High     Closed-source component
        CVE-2017-18316 A-78240714*  N/A  High     Closed-source component
        CVE-2017-18318 A-78240675*  N/A  High     Closed-source component
        CVE-2017-18315 A-78241957*  N/A  High     Closed-source component
        CVE-2018-11994 A-72950294*  N/A  High     Closed-source component
        CVE-2018-11996 A-74235967*  N/A  High     Closed-source component
        CVE-2018-5870  A-77484722*  N/A  High     Closed-source component
        CVE-2018-5877  A-77484786*  N/A  High     Closed-source component
        CVE-2018-5916  A-79420492*  N/A  High     Closed-source component
        CVE-2018-5917  A-79420096*  N/A  High     Closed-source component
        CVE-2018-11269 A-109678529* N/A  High     Closed-source component" [1]


MITIGATION

        Android users are advised to update to the latest release available
        to address these vulnerabilities. [1]


REFERENCES

        [1] Android Security Bulletin - November 2018
            https://source.android.com/security/bulletin/2018-11-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----