===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0295
                 Android Security Bulletin - December 2018
                              4 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Android devices
Operating System:     Android
Impact/Access:        Root Compromise                 -- Existing Account            
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-11999 CVE-2018-11963 CVE-2018-11961
                      CVE-2018-11960 CVE-2018-11922 CVE-2018-11279
                      CVE-2018-11267 CVE-2018-10840 CVE-2018-9568
                      CVE-2018-9567 CVE-2018-9566 CVE-2018-9565
                      CVE-2018-9562 CVE-2018-9560 CVE-2018-9559
                      CVE-2018-9558 CVE-2018-9557 CVE-2018-9556
                      CVE-2018-9555 CVE-2018-9554 CVE-2018-9553
                      CVE-2018-9552 CVE-2018-9551 CVE-2018-9550
                      CVE-2018-9549 CVE-2018-9548 CVE-2018-9547
                      CVE-2018-9538 CVE-2018-5915 CVE-2018-5913
                      CVE-2018-5869 CVE-2018-5868 CVE-2018-5867
                      CVE-2018-3595 CVE-2017-18332 CVE-2017-18331
                      CVE-2017-18330 CVE-2017-18329 CVE-2017-18328
                      CVE-2017-18327 CVE-2017-18326 CVE-2017-18324
                      CVE-2017-18323 CVE-2017-18322 CVE-2017-18321
                      CVE-2017-18320 CVE-2017-18319 CVE-2017-18160
                      CVE-2017-18141 CVE-2017-11004 CVE-2017-8276
                      CVE-2017-8248 CVE-2017-5754 
Member content until: Thursday, January  3 2019
Reference:            ASB-2018.0209
                      ASB-2018.0101
                      ASB-2018.0068
                      ESB-2017.1783

OVERVIEW

        Multiple security vulnerabilities have been identified in the Android
        operating system prior to the 2018-12-05 patch level. [1]


IMPACT

        Google has provided the following information about these
        vulnerabilities:
        
        "
        Framework
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of a privileged
        process.
        
             CVE      References  Type Severity     Updated AOSP versions
        CVE-2018-9547 A-114223584 EoP  High     8.1, 9
        CVE-2018-9548 A-112555574 ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        
        Media framework
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        a privileged process.
        
             CVE      References  Type Severity     Updated AOSP versions
        CVE-2018-9549 A-112160868 RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9550 A-112660981 RCE  Critical 9
        CVE-2018-9551 A-112891548 RCE  Critical 9
        CVE-2018-9552 A-113260892 ID   Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9553 A-116615297 RCE  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9538 A-112181526 EoP  High     8.1, 9
        CVE-2018-9554 A-114770654 ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1
        
        System
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted transmission to execute arbitrary code within the
        context of a privileged process.
        
             CVE      References  Type Severity     Updated AOSP versions
        CVE-2018-9555 A-112321180 RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9556 A-113118184 RCE  Critical 9
        CVE-2018-9557 A-35385357  EoP  High     7.0, 7.1.1, 7.1.2
        CVE-2018-9558 A-112161557 EoP  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9559 A-112731440 EoP  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9560 A-79946737  EoP  High     9
        CVE-2018-9562 A-113164621 ID   High     9
        CVE-2018-9566 A-74249842  ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        
        2018-12-05 security patch level vulnerability details
        
        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2018-12-05 patch level. Vulnerabilities are
        grouped under the component they affect and include details such as the CVE,
        associated references, type of vulnerability, severity, component (where
        applicable), and updated AOSP versions (where applicable). When available, we
        link the public change that addressed the issue to the bug ID, such as the AOSP
        change list. When multiple changes relate to a single bug, additional
        references are linked to numbers following the bug ID.
        
        System
        
        The most severe vulnerability in this section could lead to remote information
        disclosure with no additional execution privileges needed.
        
             CVE      References Type Severity Component
        CVE-2018-9565 A-16680558 ID   High     OMA-DM
        
        HTC components
        
        The most severe vulnerability in this section could enable a local attacker to
        bypass user interaction requirements in order to gain access to additional
        permissions.
        
             CVE      References Type Severity Component
        CVE-2018-9567 A-65543936 EoP  High     Bootloader
        
        Kernel components
        
        The most severe vulnerability in this section could enable a local attacker to
        execute arbitrary code within the context of a privileged process.
        
             CVE         References    Type Severity    Component
        CVE-2018-10840 A-116406508     EoP  High     ext4 filesystem
                       Upstream kernel
        CVE-2018-9568  A-113509306     EoP  High     network
                       Upstream kernel
        
        Qualcomm components
        
        These vulnerabilities affect Qualcomm components and are described in further
        detail in the appropriate Qualcomm security bulletin or security alert. The
        severity assessment of these issues is provided directly by Qualcomm.
        
             CVE        References   Type Severity       Component
        CVE-2018-11960 A-114042002   N/A  High     HWEngines
                       QC-CR#2264832
        CVE-2018-11961 A-114040881   N/A  High     GPS_AP_LINUX
                       QC-CR#2261813
        CVE-2018-11963 A-114041685   N/A  High     Automotive Multimedia
                       QC-CR#2220770
        
        Qualcomm closed-source components
        
        These vulnerabilities affect Qualcomm components and are described in further
        detail in the appropriate Qualcomm security bulletin or security alert. The
        severity assessment of these issues is provided directly by Qualcomm.
        
             CVE        References  Type Severity        Component
        CVE-2017-8248  A-78135902*  N/A  Critical Closed-source component
        CVE-2017-11004 A-66913713*  N/A  Critical Closed-source component
        CVE-2017-18141 A-67712316*  N/A  Critical Closed-source component
        CVE-2018-5913  A-79419833*  N/A  Critical Closed-source component
        CVE-2018-11279 A-109678200* N/A  Critical Closed-source component
        CVE-2017-18319 A-78284753*  N/A  High     Closed-source component
        CVE-2017-18321 A-78283451*  N/A  High     Closed-source component
        CVE-2017-18322 A-78285196*  N/A  High     Closed-source component
        CVE-2017-18323 A-78284194*  N/A  High     Closed-source component
        CVE-2017-18324 A-78284517*  N/A  High     Closed-source component
        CVE-2017-18327 A-78240177*  N/A  High     Closed-source component
        CVE-2017-18331 A-78239686*  N/A  High     Closed-source component
        CVE-2017-18332 A-78284545*  N/A  High     Closed-source component
        CVE-2017-18160 A-109660689* N/A  High     Closed-source component
        CVE-2017-18326 A-78240324*  N/A  High     Closed-source component
        CVE-2017-8276  A-68141338*  N/A  High     Closed-source component
        CVE-2017-18328 A-78286046*  N/A  High     Closed-source component
        CVE-2017-18329 A-73539037*  N/A  High     Closed-source component
        CVE-2017-18330 A-73539235*  N/A  High     Closed-source component
        CVE-2018-3595  A-71501115*  N/A  High     Closed-source component
        CVE-2017-18320 A-33757308*  N/A  High     Closed-source component
        CVE-2018-11999 A-74236942*  N/A  High     Closed-source component
        CVE-2018-5867  A-77485184*  N/A  High     Closed-source component
        CVE-2018-5868  A-77484529*  N/A  High     Closed-source component
        CVE-2018-5869  A-33385206*  N/A  High     Closed-source component
        CVE-2017-5754  A-79419639*  N/A  High     Closed-source component
        CVE-2018-5915  A-79420511*  N/A  High     Closed-source component
        CVE-2018-11267 A-109678338* N/A  High     Closed-source component
        CVE-2018-11922 A-112279564* N/A  High     Closed-source component"
        [1]


MITIGATION

        Android users are advised to update to the latest release available
        to address these vulnerabilities. [1]


REFERENCES

        [1] Android Security Bulletin - December 2018
            https://source.android.com/security/bulletin/2018-12-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================