Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2018.0295 Android Security Bulletin - December 2018 4 December 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Google Android devices Operating System: Android Impact/Access: Root Compromise -- Existing Account Execute Arbitrary Code/Commands -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-11999 CVE-2018-11963 CVE-2018-11961 CVE-2018-11960 CVE-2018-11922 CVE-2018-11279 CVE-2018-11267 CVE-2018-10840 CVE-2018-9568 CVE-2018-9567 CVE-2018-9566 CVE-2018-9565 CVE-2018-9562 CVE-2018-9560 CVE-2018-9559 CVE-2018-9558 CVE-2018-9557 CVE-2018-9556 CVE-2018-9555 CVE-2018-9554 CVE-2018-9553 CVE-2018-9552 CVE-2018-9551 CVE-2018-9550 CVE-2018-9549 CVE-2018-9548 CVE-2018-9547 CVE-2018-9538 CVE-2018-5915 CVE-2018-5913 CVE-2018-5869 CVE-2018-5868 CVE-2018-5867 CVE-2018-3595 CVE-2017-18332 CVE-2017-18331 CVE-2017-18330 CVE-2017-18329 CVE-2017-18328 CVE-2017-18327 CVE-2017-18326 CVE-2017-18324 CVE-2017-18323 CVE-2017-18322 CVE-2017-18321 CVE-2017-18320 CVE-2017-18319 CVE-2017-18160 CVE-2017-18141 CVE-2017-11004 CVE-2017-8276 CVE-2017-8248 CVE-2017-5754 Member content until: Thursday, January 3 2019 Reference: ASB-2018.0209 ASB-2018.0101 ASB-2018.0068 ESB-2017.1783 OVERVIEW Multiple security vulnerabilities have been identified in the Android operating system prior to the 2018-12-05 patch level. [1] IMPACT Google has provided the following information about these vulnerabilities: " Framework The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9547 A-114223584 EoP High 8.1, 9 CVE-2018-9548 A-112555574 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 Media framework The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9549 A-112160868 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9550 A-112660981 RCE Critical 9 CVE-2018-9551 A-112891548 RCE Critical 9 CVE-2018-9552 A-113260892 ID Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9553 A-116615297 RCE High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9538 A-112181526 EoP High 8.1, 9 CVE-2018-9554 A-114770654 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1 System The most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. CVE References Type Severity Updated AOSP versions CVE-2018-9555 A-112321180 RCE Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9556 A-113118184 RCE Critical 9 CVE-2018-9557 A-35385357 EoP High 7.0, 7.1.1, 7.1.2 CVE-2018-9558 A-112161557 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9559 A-112731440 EoP High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 CVE-2018-9560 A-79946737 EoP High 9 CVE-2018-9562 A-113164621 ID High 9 CVE-2018-9566 A-74249842 ID High 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9 2018-12-05 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2018-12-05 patch level. Vulnerabilities are grouped under the component they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. System The most severe vulnerability in this section could lead to remote information disclosure with no additional execution privileges needed. CVE References Type Severity Component CVE-2018-9565 A-16680558 ID High OMA-DM HTC components The most severe vulnerability in this section could enable a local attacker to bypass user interaction requirements in order to gain access to additional permissions. CVE References Type Severity Component CVE-2018-9567 A-65543936 EoP High Bootloader Kernel components The most severe vulnerability in this section could enable a local attacker to execute arbitrary code within the context of a privileged process. CVE References Type Severity Component CVE-2018-10840 A-116406508 EoP High ext4 filesystem Upstream kernel CVE-2018-9568 A-113509306 EoP High network Upstream kernel Qualcomm components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2018-11960 A-114042002 N/A High HWEngines QC-CR#2264832 CVE-2018-11961 A-114040881 N/A High GPS_AP_LINUX QC-CR#2261813 CVE-2018-11963 A-114041685 N/A High Automotive Multimedia QC-CR#2220770 Qualcomm closed-source components These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm. CVE References Type Severity Component CVE-2017-8248 A-78135902* N/A Critical Closed-source component CVE-2017-11004 A-66913713* N/A Critical Closed-source component CVE-2017-18141 A-67712316* N/A Critical Closed-source component CVE-2018-5913 A-79419833* N/A Critical Closed-source component CVE-2018-11279 A-109678200* N/A Critical Closed-source component CVE-2017-18319 A-78284753* N/A High Closed-source component CVE-2017-18321 A-78283451* N/A High Closed-source component CVE-2017-18322 A-78285196* N/A High Closed-source component CVE-2017-18323 A-78284194* N/A High Closed-source component CVE-2017-18324 A-78284517* N/A High Closed-source component CVE-2017-18327 A-78240177* N/A High Closed-source component CVE-2017-18331 A-78239686* N/A High Closed-source component CVE-2017-18332 A-78284545* N/A High Closed-source component CVE-2017-18160 A-109660689* N/A High Closed-source component CVE-2017-18326 A-78240324* N/A High Closed-source component CVE-2017-8276 A-68141338* N/A High Closed-source component CVE-2017-18328 A-78286046* N/A High Closed-source component CVE-2017-18329 A-73539037* N/A High Closed-source component CVE-2017-18330 A-73539235* N/A High Closed-source component CVE-2018-3595 A-71501115* N/A High Closed-source component CVE-2017-18320 A-33757308* N/A High Closed-source component CVE-2018-11999 A-74236942* N/A High Closed-source component CVE-2018-5867 A-77485184* N/A High Closed-source component CVE-2018-5868 A-77484529* N/A High Closed-source component CVE-2018-5869 A-33385206* N/A High Closed-source component CVE-2017-5754 A-79419639* N/A High Closed-source component CVE-2018-5915 A-79420511* N/A High Closed-source component CVE-2018-11267 A-109678338* N/A High Closed-source component CVE-2018-11922 A-112279564* N/A High Closed-source component" [1] MITIGATION Android users are advised to update to the latest release available to address these vulnerabilities. [1] REFERENCES [1] Android Security Bulletin - December 2018 https://source.android.com/security/bulletin/2018-12-01.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXAW9fmaOgq3Tt24GAQhDlhAAnnvMOaVkkPTPNGqLGZ/CMET8ernSE1VT d65Rt2IoL0vPJA3JUrvGiLyMU+wwqz6a/41PrXAU+Uaq7/yON4LgpaiWV3fF3OlQ pmp8NWrty2at4gEi7I/SvQxOZzZmqSMHR83vZD4pbl44uPGw6KRSopuSFX8mftOR EUFtrW7Rd9dClG+UclDmyqVbnUVhytodx7WqqWoiwZ+pZ5kaKEEVEYb6xhYQ7Tqh Q3jh19+pQkMwPAdGLN91gbzyswh3xP2OMBn699N8yZ+XRVq1twY1kOfz2hvIOUyF dNbFHJ2BYEOLZXx4B6qYg6/kx8f2flELKfkQxwbY/CPLBFccF+wZx8ig5B/odoOX DQV90J8fzfQ1dZW7xlwu+yxOwBhaHwtAmiOAuTHdWE2AgNxYe8dj75W+d2AdM/dv IeYuEO5j/lYmxUApUXeu6sUlh9KVH4Y5bgHyDAPsNw+1CA+EX/DJKaUi4iBCfmvI ZQQ6gap1JFn0Yd+EipWj+fRiI+irt48qie0T/1iwB8/WjSodEHgk3FLDyzspQw+V FKLElvyYucMFDESrKpcINe/XUwpP9RPQci6uZZsgglALWhkAimpPHtQmrXQ6L10+ afRB1fIDkMcB/vPbVnTuJcYxkEdMUuc9f731HP7dHTxoxNrc5mYsjfvcTJumj7lh kT7ccgA5+3M= =RrBd -----END PGP SIGNATURE-----