-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0065
                 Android Security Bulletin - February 2019
                               4 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Google Android devices
Operating System:     Android
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-2001 CVE-2019-2000 CVE-2019-1999
                      CVE-2019-1998 CVE-2019-1997 CVE-2019-1996
                      CVE-2019-1995 CVE-2019-1994 CVE-2019-1993
                      CVE-2019-1992 CVE-2019-1991 CVE-2019-1988
                      CVE-2019-1987 CVE-2019-1986 CVE-2018-13905
                      CVE-2018-13904 CVE-2018-13900 CVE-2018-11948
                      CVE-2018-11945 CVE-2018-11938 CVE-2018-11935
                      CVE-2018-11932 CVE-2018-11931 CVE-2018-11921
                      CVE-2018-11864 CVE-2018-11845 CVE-2018-11820
                      CVE-2018-11289 CVE-2018-11280 CVE-2018-11275
                      CVE-2018-11268 CVE-2018-11262 CVE-2018-10879
                      CVE-2018-6271 CVE-2018-6268 CVE-2018-6267
                      CVE-2018-5839 CVE-2018-5269 CVE-2018-5268
                      CVE-2017-18009 CVE-2017-17760 CVE-2016-6684
Member content until: Wednesday, April  3 2019
Reference:            ASB-2019.0046
                      ASB-2016.0093
                      ESB-2018.2124
                      ESB-2018.1195

OVERVIEW

        Multiple security vulnerabilities have been identified in the 
        Android operating system prior to the 2019-02-04 patch level. [1]


IMPACT

        Google has provided the following information about these 
        vulnerabilities:
        
        "Framework
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted PNG file to execute arbitrary code within the context
        of a privileged process.
        
             CVE        References    Type Severity     Updated AOSP versions
        CVE-2019-1986 A-117838472 [2] RCE  Critical 9
        CVE-2019-1987 A-118143775 [2] RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2019-1988 A-118372692     RCE  Critical 8.0, 8.1, 9
        
        Library
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        an unprivileged process.
        
             CVE       References  Type Severity     Updated AOSP versions
        CVE-2017-17760 A-78029030* RCE  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-5268  A-78029634* RCE  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2018-5269  A-78029727* RCE  High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2017-18009 A-78026242* ID   Moderate 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        
        System
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted transmission to execute arbitrary code within the
        context of a privileged process.
        
             CVE        References    Type Severity     Updated AOSP versions
        CVE-2019-1991 A-110166268     RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2019-1992 A-116222069     RCE  Critical 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2019-1993 A-119819889     EoP  High     8.0, 8.1, 9
        CVE-2019-1994 A-117770924     EoP  High     8.0, 8.1, 9
        CVE-2019-1995 A-32589229 [2]  ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2019-1996 A-111451066     ID   High     8.0, 8.1, 9
        CVE-2019-1997 A-117508900     ID   High     7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9
        CVE-2019-1998 A-116055338 [2] DoS  High     9
        
        2019-02-05 security patch level vulnerability details
        
        In the sections below, we provide details for each of the security
        vulnerabilities that apply to the 2019-02-05 patch level. Vulnerabilities are
        grouped under the component they affect and include details such as the CVE,
        associated references, type of vulnerability, severity, component (where
        applicable), and updated AOSP versions (where applicable). When available, we
        link the public change that addressed the issue to the bug ID, such as the AOSP
        change list. When multiple changes relate to a single bug, additional
        references are linked to numbers following the bug ID.
        
        Kernel components
        
        The most severe vulnerability in this section could enable a local malicious
        application to execute arbitrary code within the context of a privileged
        process.
        
             CVE         References    Type Severity    Component
        CVE-2018-10879 A-116406063     EoP  High     ext4 filesystem
                       Upstream kernel
        CVE-2019-1999  A-120025196*    EoP  High     Binder driver
        CVE-2019-2000  A-120025789*    EoP  High     Binder driver
        CVE-2019-2001  A-117422211*    ID   High     iomem
        
        NVIDIA components
        
        The most severe vulnerability in this section could enable a remote attacker
        using a specially crafted file to execute arbitrary code within the context of
        a privileged process.
        
             CVE       References  Type Severity Component
        CVE-2018-6271 A-80198474*  RCE  Critical libnvomx
        CVE-2018-6267 A-70857947*  EoP  High     libnvomx
        CVE-2018-6268 A-80433161*  EoP  High     libnvomx
        CVE-2016-6684 A-117423758* ID   High     kernel log
        
        Qualcomm components
        
        These vulnerabilities affect Qualcomm components and are described in further
        detail in the appropriate Qualcomm security bulletin or security alert. The
        severity assessment of these issues is provided directly by Qualcomm.
        
             CVE          References     Type Severity Component
        CVE-2018-11262 A-76424945        N/A  Critical bootloader
                       QC-CR#2221192
        CVE-2018-11280 A-109741776       N/A  High     Modem
                       QC-CR#2185061
        CVE-2018-11275 A-74409078        N/A  High     Bootloader
                       QC-CR#2221256 [2]
        CVE-2018-13900 A-119052051       N/A  High     Modem
                       QC-CR#2287499
        CVE-2018-13905 A-119052050       N/A  High     Graphics
                       QC-CR#2225202
        
        Qualcomm closed-source components
        
        These vulnerabilities affect Qualcomm components and are described in further
        detail in the appropriate Qualcomm security bulletin or security alert. The
        severity assessment of these issues is provided directly by Qualcomm.
        
             CVE        References  Type Severity        Component
        CVE-2018-11289 A-109678453* N/A  Critical Closed-source component
        CVE-2018-11820 A-111089815* N/A  Critical Closed-source component
        CVE-2018-11938 A-112279482* N/A  Critical Closed-source component
        CVE-2018-11945 A-112278875* N/A  Critical Closed-source component
        CVE-2018-11268 A-109678259* N/A  High     Closed-source component
        CVE-2018-11845 A-111088838* N/A  High     Closed-source component
        CVE-2018-11864 A-111092944* N/A  High     Closed-source component
        CVE-2018-11921 A-112278972* N/A  High     Closed-source component
        CVE-2018-11931 A-112279521* N/A  High     Closed-source component
        CVE-2018-11932 A-112279426* N/A  High     Closed-source component
        CVE-2018-11935 A-112279483* N/A  High     Closed-source component
        CVE-2018-11948 A-112279144* N/A  High     Closed-source component
        CVE-2018-5839  A-112279544* N/A  High     Closed-source component
        CVE-2018-13904 A-119050566* N/A  High     Closed-source component
        
        Common questions and answers
        
        This section answers common questions that may occur after reading this
        bulletin.
        
        1. How do I determine if my device is updated to address these issues?
        
        To learn how to check a device's security patch level, see Check and update
        your Android version.
        
          o Security patch levels of 2019-02-01 or later address all issues associated
            with the 2019-02-01 security patch level.
          o Security patch levels of 2019-02-05 or later address all issues associated
            with the 2019-02-05 security patch level and all previous patch levels.
        
        Device manufacturers that include these updates should set the patch string
        level to:
        
          o [ro.build.version.security_patch]:[2019-02-01]
          o [ro.build.version.security_patch]:[2019-02-05]
        
        2. Why does this bulletin have two security patch levels?
        
        This bulletin has two security patch levels so that Android partners have the
        flexibility to fix a subset of vulnerabilities that are similar across all
        Android devices more quickly. Android partners are encouraged to fix all issues
        in this bulletin and use the latest security patch level.
        
          o Devices that use the 2019-02-01 security patch level must include all
            issues associated with that security patch level, as well as fixes for all
            issues reported in previous security bulletins.
          o Devices that use the security patch level of 2019-02-05 or newer must
            include all applicable patches in this (and previous) security bulletins.
        
        Partners are encouraged to bundle the fixes for all issues they are addressing
        in a single update.
        
        3. What do the entries in the Type column mean?
        
        Entries in the Type column of the vulnerability details table reference the
        classification of the security vulnerability.
        
        Abbreviation          Definition
        RCE          Remote code execution
        EoP          Elevation of privilege
        ID           Information disclosure
        DoS          Denial of service
        N/A          Classification not available
        
        4. What do the entries in the References column mean?
        
        Entries under the References column of the vulnerability details table may
        contain a prefix identifying the organization to which the reference value
        belongs.
        
        Prefix         Reference
        A-     Android bug ID
        QC-    Qualcomm reference number
        M-     MediaTek reference number
        N-     NVIDIA reference number
        B-     Broadcom reference number
        
        5. What does a * next to the Android bug ID in the References column mean?
        
        Issues that are not publicly available have a * next to the Android bug ID in
        the References column. The update for that issue is generally contained in the
        latest binary drivers for Pixel devices available from the Google Developer
        site.
        
        6. Why are security vulnerabilities split between this bulletin and device&
        hairsp;/ partner security bulletins, such as the Pixel bulletin?
        
        Security vulnerabilities that are documented in this security bulletin are
        required to declare the latest security patch level on Android devices.
        Additional security vulnerabilities that are documented in the device /&
        hairsp;partner security bulletins are not required for declaring a security
        patch level. Android device and chipset manufacturers are encouraged to
        document the presence of other fixes on their devices through their own
        security websites, such as the Samsung, LGE, or Pixel security bulletins.
        
        Versions
        
        Version       Date             Notes
        1.0     February 4, 2019 Bulletin published " [1]


MITIGATION

        Android users are advised to update to the latest release available
        to address these vulnerabilities. [1]


REFERENCES

        [1] Android Security Bulletin - February 2019
            https://source.android.com/security/bulletin/2019-02-01.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXHyt2maOgq3Tt24GAQgT1Q//YElRTPJ+62o7a/GSp0Nwwxy4ItDOkEIa
igwPE2mN1mJfFuuZKpwteNXIbfnvd+t6cal3doMz/KAbdU2NAVr75kVH8ufJikFC
ktkmbK5+7Jo25cYWlG8ikAgpiiNtYR28RPDRX0V0GBZYRxHKls63NRcBhHNc/oA9
CPBUELKbc3J2MJZzylUzD9Zu60FNkfeEeHCPod8TiAa7sKs8qRRUGc0yYYK+1+yX
OnMrthfw1zqohUSYjwDxLZWxazTrtzBA5bDy1NT5Tq8klNSnu4AW6rsl0TcL4IoW
lZlmiGx0jjVgNZzAc1vwd06llT3OBHi+VqGjBDf+AjXvd78Sd30cYDadNvlX0Nnl
JlgSDRHndsVghJTqI1aFaESZcQeEzu0Frkcso47TIXffqHOrSOJidAVutrc6rrUl
bn/IbMPDdQInvx9LqH9mhJNvuzvGHJo3R5CYyknzA6yXToKQ9lBCs4jZN1eIQRQK
hNiQ9vnygdSvTC95oaCDzlba9MPvjzrw5wXIj9GXpLWMCfUpjf3onJbGZRQt203o
RSeD6DD8A4pp6E+nbOMNWQYdnyBga4VRVGQxCzmmbe9hQzp+oAbpHh9jyLVhu10R
npCX/Cf/NlNeWQn5RPsH2JX2IvfEjNyZLbDGd0usaiQ6lFi7IKeEMGL+LTdnTc6V
p5x3jF8i+KA=
=74K7
-----END PGP SIGNATURE-----