===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0002
                 Android Security Bulletin - January 2019
                              8 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Android devices
Operating System:     Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-18281 CVE-2018-17182 CVE-2018-13889
                      CVE-2018-13888 CVE-2018-13405 CVE-2018-12014
                      CVE-2018-11962 CVE-2018-11888 CVE-2018-11847
                      CVE-2018-10882 CVE-2018-10880 CVE-2018-10877
                      CVE-2018-10876 CVE-2018-9594 CVE-2018-9593
                      CVE-2018-9592 CVE-2018-9591 CVE-2018-9590
                      CVE-2018-9589 CVE-2018-9588 CVE-2018-9587
                      CVE-2018-9586 CVE-2018-9585 CVE-2018-9584
                      CVE-2018-9583 CVE-2018-9582 CVE-2018-6241
Member content until: Thursday, February  7 2019

OVERVIEW

        Multiple security vulnerabilities have been identified in the Android
        operating system prior to the 2019-01-05 patch level. [1]


IMPACT

        Google has provided the following information about these
        vulnerabilities:
        
        "Framework
        
        The most severe vulnerability in this section could enable a local 
        malicious application to bypass user interaction requirements in order 
        to gain access to additional permissions.
        
        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2018-9582  A-112031362  EoP   High      8.0, 8.1, 9

        System
        
        The most severe vulnerability in this section could enable a remote 
        attacker using a specially crafted file to execute arbitrary code 
        within the context of a privileged process.
        
        CVE            References   Type  Severity  Updated AOSP versions
        CVE-2018-9583  A-112860487  RCE   Critical  7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9584  A-114047681  EoP   High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9585  A-117554809  EoP   High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9586  A-116754444  EoP   High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9587  A-113597344  EoP   High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9588  A-111450156  ID    High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9589  A-111893132  ID    High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9590  A-115900043  ID    High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9591  A-116108738  ID    High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9592  A-116319076  ID    High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9593  A-116722267  ID    High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-9594  A-116791157  ID    High      7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        
        The most severe vulnerability in this section could enable a local 
        malicious application to execute arbitrary code within the context of 
        a privileged process.
        
        CVE             References                    Type  Severity  Component
        CVE-2018-10876  A-116406122, Upstream kernel  EoP   High      ext4 filesystem
        CVE-2018-10880  A-116406509, Upstream kernel  EoP   High      ext4 filesystem
        CVE-2018-10882  A-116406626, Upstream kernel  EoP   High      ext4 filesystem
        CVE-2018-13405  A-113452403, Upstream kernel  EoP   High      Filesystem
        CVE-2018-18281  A-118836219, Upstream kernel  EoP   High      TLB
        CVE-2018-17182  A-117280327, Upstream kernel  EoP   High      Memory Manager
        CVE-2018-10877  A-116406625, Upstream kernel  ID    High      ext4 filesystem

        NVIDIA components
        
        The most severe vulnerability in this section could enable a local 
        malicious application to execute arbitrary code within the context of 
        a privileged process.
        
        CVE            References  Type  Severity  Component
        CVE-2018-6241  A-62540032  EoP   High      Dragon BSP

        Qualcomm components
        
        These vulnerabilities affect Qualcomm components and are described in 
        further detail in the appropriate Qualcomm security bulletin or security 
        alert. The severity assessment of these issues is provided directly by 
        Qualcomm.
        
        CVE             References                  Type  Severity  Component
        CVE-2018-11962  A-117118292, QC-CR#2267916  N/A   High      Audio
        CVE-2018-12014  A-117118062, QC-CR#2278688  N/A   High      Data HLOS - LNX
        CVE-2018-13889  A-117118677, QC-CR#2288358  N/A   High      GPS

        Qualcomm closed-source components
        
        These vulnerabilities affect Qualcomm components and are described in 
        further detail in the appropriate Qualcomm security bulletin or security 
        alert. The severity assessment of these issues is provided directly by 
        Qualcomm.
        
        CVE             References    Type  Severity  Component
        CVE-2018-11847  A-111092812*  N/A   Critical  Closed-source component
        CVE-2018-11888  A-111093241*  N/A   High      Closed-source component
        CVE-2018-13888  A-117119136*  N/A   High      Closed-source component
        " [1]


MITIGATION

        Android users are advised to update to the latest release available
        to address these vulnerabilities. [1]


REFERENCES

        [1] Android Security Bulletin - January 2019
            https://source.android.com/security/bulletin/2019-01-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================